Post on 02-Jan-2016
MyDoom
Ian Axelrod, Chris Mungol, Antonio Silva, Joshua Sole, Somnath Banerjee
Group 5, CS4235/8803, Spring 2010
What happened?
• Self-propagating email-based virus (worm)
• Claimed to be the fastest-spreading email virus
• Speculated to have originated in Russia
• Aliases: W32.MyDoom@mm, Novarg, Mimail.R, Shimgapi
• First sighted: 26 January 2004
• MyDoom.A & MyDoom.B spread to over 1 million computers in preparation for a DDoS attack on SCO and Microsoft
• MyDoom.A & MyDoom.B stop spreading
• Doomjuice appears in backdoors left by MyDoom.A & .B
• Variants of MyDoom attack Google, AltaVista and Lycos
Highlights
• The MyDoom computer virus knocked out SCO Group's Web site with a massive DoS attack
• Microsoft was able to thwart an attack on its Windows Update site by eliminating the specific Web address the MSBlast worm targeted. The software maker killed off the site's previous address.
• The White House stymied a denial-of-service attack aimed at its Web site by diverting a deluge of data, sent by systems infected with the worm, to a different address.
Technical Information (Analysis)
• When the Win32/Mydoom worm is executed, it copies itself to the %system% or %temp% directory. The worm also creates a registry value in one of the following keys:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  This value causes the worm to start when Windows is started.
• Win32/Mydoom creates a backdoor Trojan in the %system% or %windows% directory. The backdoor Trojan allows unauthorized access to the infected system. The worm may load and execute the backdoor Trojan. The worm may modify the default values of some registry keys to reference the backdoor Trojan; this causes Explorer.exe to load and execute the Trojan when the system restarts.
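A host-side audit of the persistence mechanism just described, added here as an example; it is not code from the slides or from US-CERT. On Windows it enumerates the two Run keys named above through the standard-library `winreg` module; elsewhere it runs against a constructed list of entries. The heuristic (flag autostart commands that launch from a temp directory) and the sample values are assumptions made for the example; %system% entries are left to a baseline comparison because that directory holds too many legitimate autostarts to flag blindly.

```python
"""Audit the Run keys the slide names for autostart entries launched from a
temp directory. Added example; the heuristic and sample data are assumed."""
import sys

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Substrings indicating the command runs from a temp location (lower-case).
# %system% is deliberately not included: compare those entries against a
# known-good baseline of the machine instead of flagging them blindly.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "%temp%", "%tmp%")


def read_run_keys():
    """Return (name, command) pairs from the HKLM and HKCU Run keys.
    On non-Windows platforms winreg does not exist, so [] is returned."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue  # key absent or access denied
        with key:
            index = 0
            while True:
                try:
                    name, value, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # EnumValue raises OSError when no values remain
                entries.append((name, str(value)))
                index += 1
    return entries


def suspicious_run_entries(entries):
    """Flag Run values whose command references a temp directory."""
    flagged = []
    for name, command in entries:
        # Drop a leading quote so '"C:\...\Temp\x.exe" /arg' still matches.
        normalized = command.strip().lstrip('"').lower()
        if any(marker in normalized for marker in TEMP_MARKERS):
            flagged.append((name, command))
    return flagged


# Constructed sample resembling an export of a Run key (not real indicators).
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("mailsvc", r"C:\Windows\Temp\mailsvc.exe"),
    ("Sync", r'"C:\Users\alice\AppData\Local\Temp\sync.exe" /silent'),
    ("Updater", r"%TEMP%\upd.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]


def audit(entries=None):
    """Audit the live Run keys on Windows, else the constructed sample."""
    if entries is None:
        entries = read_run_keys() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    return suspicious_run_entries(entries)


if __name__ == "__main__":
    for name, command in audit():
        print(f"suspicious autostart entry: {name} -> {command}")
```

Run it on the constructed sample and it reports `mailsvc`, `Sync` and `Updater`; the quoted path with arguments is caught because only the leading quote is stripped before matching.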
Technical Information (Analysis)
• Win32/Mydoom may copy itself to the share folder of the Kazaa P2P application, in order to spread through P2P networks.
• Win32/Mydoom may copy itself to random directories on an infected system.
• Win32/Mydoom collects e-mail addresses from files on an infected system and sends e-mail with an attached copy of the worm to the addresses. This function is the primary propagation method the worm uses.
Symptoms
• Some variants overwrite the hosts file, which may block access to some Microsoft and antivirus vendor Web sites. The overwritten hosts file may look similar to the screenshot.
• Some variants create a text file containing random data that looks similar to the screenshot.
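A check for the hosts-file symptom above, added as an example (not code from the slides). It parses a hosts file and reports any watched vendor name that has been pinned to a loopback or unspecified address, which is what makes those sites unreachable. The watchlist of domains, the default file path and the sample file contents are assumptions constructed for the example.

```python
"""Check a hosts file for vendor domains pinned to a loopback or unspecified
address, the symptom described on the slide. Added example; the watchlist
and sample file are constructed."""
import ipaddress

# Assumed watchlist of update/antivirus domains an infected host should
# never resolve locally. Extend it to match the vendors in your environment.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                    "mcafee.com", "sophos.com")


def is_sinkhole_address(text):
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and :: (a name pointed there
    never reaches the real site); False for other addresses or junk."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text. Handles blank
    lines, full-line and inline '#' comments, and several names per line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address without a name
        for name in fields[1:]:
            entries.append((fields[0], name.lower().rstrip(".")))
    return entries


def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_sinkholed_vendor_hosts(text):
    """Sorted (hostname, address) pairs for watched names that the hosts
    file redirects to a loopback or unspecified address."""
    hits = {}
    for addr, name in parse_hosts(text):
        if is_watched(name) and is_sinkhole_address(addr):
            hits[name] = addr
    return sorted(hits.items())


def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real hosts file (default: Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sinkholed_vendor_hosts(fh.read())


# Constructed hosts file resembling one rewritten by a MyDoom variant.
SAMPLE_HOSTS = """\
# hosts file
127.0.0.1       localhost
0.0.0.0         www.microsoft.com
0.0.0.0         windowsupdate.microsoft.com download.microsoft.com
127.0.0.1       www.symantec.com securityresponse.symantec.com  # pinned
::1             www.mcafee.com
192.0.2.10      intranet.example.test
"""

if __name__ == "__main__":
    for name, addr in find_sinkholed_vendor_hosts(SAMPLE_HOSTS):
        print(f"{name} is sinkholed to {addr}")
```

On the constructed sample the check reports six vendor names; `localhost` and the intranet entry are left alone because the first is not watched and the second resolves to a routable address.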
Impact?
• At one point the worm was accounting for 20 to 30 percent of worldwide e-mail traffic
• Slowed Internet performance by 10%
• Web-page load time down by 50%
How did it succeed?
• Used misleading text
• Brute-force approach by intruding into your address book
• Text icon used
• Was released in the middle of the North American workday
Aftermath?
• Sparked new versions
• Versions U, V, W, X, and AO
• Expensive repercussions
• MyDoom 2009?
System Administrator
• Filter network traffic: block specific inbound and outbound traffic to ports 1080, 3128, 80, 8080, 10080
• If filtering ports is not feasible, try to block all network traffic that is not required for normal operation
• Symptoms of viruses, or specifically the MyDoom virus, may be found by detecting increased CPU load and/or higher than normal SMTP traffic.
• Scan e-mails internally for viruses. Use Mail Transfer Agents (MTAs) to block e-mail with W32/MyDoom.B signatures
• Disable automatic response messages; it is important that responses do not return the infected attachment
Source: US-CERT
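Detection logic for two of the administrator recommendations above (higher-than-normal SMTP traffic from a host, and traffic to the listed ports), run over constructed firewall log lines. This is an added example, not code from the slides or from US-CERT; the key=value log format, the per-minute threshold and the sample addresses are assumptions. Because port 80 is in the slide's list, the port check takes an allowlist of hosts that legitimately serve a given port so a real web server is not reported.

```python
"""Flag hosts with abnormal outbound SMTP volume and inbound connections to
the ports named on the slide. Added example; log format and thresholds are
assumed."""
import re
from collections import Counter
from datetime import datetime

# Ports the slide recommends filtering inbound and outbound.
BACKDOOR_PORTS = {1080, 3128, 80, 8080, 10080}

# Constructed firewall log in an assumed key=value format. 10.0.0.5 sends
# mail to seven different servers within one minute; 10.0.0.2 is the site's
# real mail relay; one line is deliberately malformed.
SAMPLE_LOG = """\
2004-01-27T09:00:01 dir=out src=10.0.0.5 dst=198.51.100.10 proto=tcp dport=25 action=allow
2004-01-27T09:00:03 dir=out src=10.0.0.5 dst=198.51.100.11 proto=tcp dport=25 action=allow
2004-01-27T09:00:05 dir=out src=10.0.0.5 dst=198.51.100.12 proto=tcp dport=25 action=allow
2004-01-27T09:00:08 dir=out src=10.0.0.5 dst=198.51.100.13 proto=tcp dport=25 action=allow
2004-01-27T09:00:12 dir=out src=10.0.0.5 dst=198.51.100.14 proto=tcp dport=25 action=allow
2004-01-27T09:00:15 dir=out src=10.0.0.5 dst=198.51.100.15 proto=tcp dport=25 action=allow
2004-01-27T09:00:19 dir=out src=10.0.0.5 dst=198.51.100.16 proto=tcp dport=25 action=allow
2004-01-27T09:00:20 dir=out src=10.0.0.6 dst=198.51.100.10 proto=tcp dport=25 action=allow
2004-01-27T09:00:30 dir=out src=10.0.0.2 dst=198.51.100.20 proto=tcp dport=25 action=allow
2004-01-27T09:00:31 dir=out src=10.0.0.2 dst=198.51.100.21 proto=tcp dport=25 action=allow
2004-01-27T09:00:32 dir=out src=10.0.0.2 dst=198.51.100.22 proto=tcp dport=25 action=allow
2004-01-27T09:00:33 dir=out src=10.0.0.2 dst=198.51.100.23 proto=tcp dport=25 action=allow
2004-01-27T09:00:34 dir=out src=10.0.0.2 dst=198.51.100.24 proto=tcp dport=25 action=allow
2004-01-27T09:00:35 dir=out src=10.0.0.2 dst=198.51.100.25 proto=tcp dport=25 action=allow
2004-01-27T09:00:40 dir=in src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=3128 action=allow
2004-01-27T09:00:41 dir=in src=203.0.113.9 dst=10.0.0.20 proto=tcp dport=80 action=allow
2004-01-27T09:00:42 dir=in src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=80 action=allow
2004-01-27T09:00:43 dir=in src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=443 action=allow
this line is not a log record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def smtp_senders_over_threshold(events, max_per_minute=5, mail_servers=frozenset()):
    """Count outbound TCP/25 connections per (source, minute) and return
    {source: peak count} for sources above the threshold, ignoring the
    hosts that are supposed to send mail (the MTAs)."""
    per_window = Counter()
    for e in events:
        if (e["dir"] == "out" and e["proto"] == "tcp" and e["dport"] == 25
                and e["src"] not in mail_servers):
            window = e["ts"].replace(second=0, microsecond=0)
            per_window[(e["src"], window)] += 1
    flagged = {}
    for (src, _window), count in per_window.items():
        if count > max_per_minute:
            flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def backdoor_port_hits(events, allowed_servers=None):
    """Inbound connections to BACKDOOR_PORTS, except to hosts expected to
    serve that port (e.g. the web server on 80). Returns
    (timestamp, src, dst, dport) tuples in log order."""
    allowed_servers = allowed_servers or {}
    hits = []
    for e in events:
        if e["dir"] != "in" or e["dport"] not in BACKDOOR_PORTS:
            continue
        if e["dport"] in allowed_servers.get(e["dst"], set()):
            continue
        hits.append((e["ts"].isoformat(), e["src"], e["dst"], e["dport"]))
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("SMTP volume:", smtp_senders_over_threshold(events, mail_servers={"10.0.0.2"}))
    print("port hits:", backdoor_port_hits(events, allowed_servers={"10.0.0.20": {80}}))
```

With the relay excluded, only 10.0.0.5 is reported for SMTP volume (seven connections in one minute), and the port check reports its inbound 3128 and 80 connections while leaving the allowlisted web server alone. Without the exclusions both the relay and the web server would show up, which is the usual tuning step before such a rule goes into production.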
Users
• Always trust the end user of any attachment or program received.
• Email users should be circumspect about unsolicited attachments, and Peer-to-Peer (P2P) users should be wary of .exe files
• Always run and maintain an antivirus tool or application. Updating the antivirus application will guarantee extra security against new strains of viruses.
• Almost all antivirus vendors offer a MyDoom removal tool.
Bottom line: Do not open attachments from users you do not know or trust!
Source: US-CERT
More Info
In Textbook: Chapter 3, Section 3.3, "Viruses and Other Malicious Code"
• Why worry about malicious code?
• Difference between virus, worm, and other malevolent programs.
• The technical aspects of viruses.
• The first malicious code and its implications.