MyDoom: whodunit?

A new worm spread rapidly through the Internet at the end of last month, using clever tactics to dupe users and a sneaky payload which may have diverted attention from its real goal.

MyDoom spread so fast that the FBI immediately launched an investigation into it, and set up an online service to issue advice on viruses and other security-related information. At its peak, the worm was present in one out of every twelve email messages monitored by mail security firm MessageLabs. In contrast, the previous record was 1/17, held by Sobig.F. Two days after initial detection, more than five million copies had been intercepted.

With many thousands of infected systems, Gartner's vice president of Internet security, John Pescatore, estimated the cost to companies would be a staggering $250 million.

A great deal of attention has been given to conjecture regarding the source of MyDoom. At the heart of the speculation is part of the worm's payload: MyDoom uses victims' computers to attack SCO's website in a distributed denial of service attack, starting on February 1 and running until February 12. SCO is embroiled in a legal battle with IBM and members of the open source community, leading to speculation that overzealous Linux advocates had released the worm in retribution. has been the target of other denial of service attacks in recent months, the company claims.

SCO's CEO, Darl McBride, hinted darkly that the company had "suspicions" about the origins of the worm, and has offered a $250,000 bounty for the identity of the author. Similarly, Microsoft offered a $250,000 bounty for the authors of Sobig.F and Blaster in November.

That is unlikely to work, said F-Secure's CEO, Risto Siilasmaa. "I don't know of any other guilty [author] being caught." Although the authorities have tracked down a few hackers who released variants of worms such as Blaster, the original sources remain a mystery.

Other clues in the worm suggest the DDoS attack is a diversion, with a very different target as the main objective. MyDoom is a variant of Mimail which, like Sobig, installs backdoor services on victim computers to allow them to be further exploited later. In these cases, that is usually as spam relays – organised crime syndicates in Eastern Europe are blamed for the release of these worms and their subsequent use by spammers.

Siilasmaa agrees. "It's a smokescreen," he said. "It has all the techniques spammers use."

The similarities are striking: MyDoom drops a similar backdoor payload. It was first spotted in Russia. And after its DDoS attack is complete, the Trojan component will remain.

And text hidden in the MyDoom.B body gives a clue about the author: "(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)", furthering suspicions that this worm, like its predecessors, was professionally written at the behest of (it is assumed) spam marketers.

MyDoom also marks an escalation in the quality of worm programming. Mark Sunner, CTO of MessageLabs, said MyDoom is "better than most. It's very good. And the [expiry of the DDoS] suggests this is a proof of concept, that will be followed by new versions."

Sunner was right: MyDoom's backdoor was almost immediately used by the first variant of the worm. MyDoom.B is spread the same way but also searches for previous victims, and installs an updated version which attacks Microsoft's web site after SCO's.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.