MyDoom: Do you “get it” yet?

Discovered on 26 January 2004, the MyDoom worm went from seed mailing to major threat within hours. By the following day, managed email provider MessageLabs had already logged over one million instances of MyDoom-infected email. During the same period, Frisk Software reported that 14.3% of all email passing through their aves.f-prot.com filter was MyDoom-infected. Within 48 hours, that percentage had risen to at least 31.85%. Erroneous alerting messages from antivirus and filtering products heightened the impact, bringing the total of MyDoom-centric email to 65%.

All in good time

Several factors may have been responsible for the severity of impact, not the least of which may have been a simple matter of timing. As with Sobig.F, previously the holder of the ‘fastest-spreading’ record [1], MyDoom was released amidst a crowd of other new and high-profile threats. Sobig.F wound its way into the wild on the heels of the notorious Blaster, Welchi, and Dumaru worms. MyDoom was released just two days after the high-profile threat Dumaru.Y was discovered and only eight days after the Bagle worm grabbed headlines. Also discovered on the morning of MyDoom’s debut was the Mimail.Q worm. Indeed, on that fateful day, antivirus vendor Sophos had released two prior IDE alerts for in-the-wild threats reported by several of their customers.

Whether the ruse was deliberate, exploiting the onset of other worms as a sort of diversionary tactic, or whether it was a simple matter of over-taxed resources, in the case of MyDoom (the only worm for which suitable statistics are available) the necessary signature updates were delayed for several hours beyond the norm. MessageLabs first detected the worm at 13:05 GMT, yet the first commercial updates (F-Prot) were not released until 22:30 [2]. BETA updates had been released slightly earlier by McAfee and Symantec, at 21:20 and 22:00 respectively, but distribution of BETA updates is manual and generally limited. Conversely, there was only a 5-hour delay between initial discovery and first updates with the Dumaru.Y worm and a 2½-hour delay with Bagle.

Short and sweet

A second contributing factor may have been the brevity of the MyDoom email message. Cryptic and terse, the email read simply:

    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

    - or -

    The message contains Unicode characters and has been sent as a binary attachment.

    - or -

    Mail transaction failed. Partial message is available.

The subject line is equally cryptic, consisting of one of the following:

    test
    hi
    hello
    Mail Delivery System
    Mail Transaction Failed
    Server Report
    Status
    Error

The MyDoom worm also spreads via the KaZaA P2P network. The worm adds itself to the KaZaA shared folder using the following names:

    winamp5
    icq2004-final
    activation_crack
    strip-girl-2.0bdcom_patches
    rootkitXP
    office_crack
    nuke2004

Specific statistics regarding the impact on KaZaA users are not known.

Smoke and mirrors

When sending its email message, the MyDoom worm spoofs the sender’s name. This not only masks the identity of the actual infected party, it also exploits a weakness in antivirus alert mechanisms. In an open letter after both the Sobig.F and MyDoom worm incidents, Fridrik Skulason, Founder of FRISK Software International, argued that such alerting amounted to spam and that the usefulness of the feature was past its prime: “In fact, sending an alert automatically to the “From:” address for every virus or worm received by email should not even be a selectable option, and for any mass-mailing worm, no mail should ever be sent to the recipient.” [3]

The situation is made worse when the security software allows the administrator to send a copy of the infected message back to the supposed sender. In such a case, the recipient of the wrongfully addressed email risks opening both the email and the attachment in an effort to see what it is they allegedly sent. Doing so, of course, poses an increased risk of spreading the infection. In either case, the resulting extra traffic can outpace even that of the original worm, prompting some to contend that the antivirus software is itself a participant in the email DDoS.

Cryptic messages, overloading mail servers, and spoofing the sender’s name aren’t the only tricks up MyDoom’s sleeve. The worm also craftily employs a look-alike icon, disguising the executable attachment behind an innocent-looking pseudo-text-file icon. Though no graphic artist, the worm author did a passable enough job to trick some users into ignoring the tell-tale extension and reacting to the icon instead. Other methods were also employed to stymie users. Using a double-extension ruse and inserting numerous blank spaces before the valid BAT, CMD, EXE, PIF, or SCR extension caused the valid extension to disappear from the viewing area in some cases. The attachment might also be a ZIP archive, possibly allowing it to bypass various filtering mechanisms and antivirus software depending on the configuration. Further, ZIP files enjoy a more lax set of security standards amongst some users, who persist in believing email worms don’t travel via the archive format. The attachment names were also rather innocuous-sounding. Common names included document, readme, doc, text, file, data, test, message and body.
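The indicators listed in this article (the fixed subject lines and body texts from the Short and sweet section, and the lure base names, double extension, padding spaces and ZIP wrapper described here) are easy to check mechanically at a mail gateway. The Python below is an added example, not code from the article or from any vendor; the word lists are transcribed from the text, the two-indicator threshold and the sample names are constructed.

```python
import re

# Subject lines and body texts the article lists for the MyDoom mailing.
MYDOOM_SUBJECTS = {"test", "hi", "hello", "mail delivery system",
                   "mail transaction failed", "server report", "status", "error"}
MYDOOM_BODIES = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
# Extensions hidden behind the double-extension ruse, and the lure base names.
EXEC_EXTS = {"bat", "cmd", "exe", "pif", "scr"}
LURE_NAMES = {"document", "readme", "doc", "text", "file", "data", "test",
              "message", "body"}


def real_extension(name: str) -> str:
    """Extension Windows will honour: the last one, with padding spaces removed."""
    return name.rsplit(".", 1)[-1].strip().lower()


def attachment_indicators(name: str) -> list[str]:
    """Flag the naming tricks the article describes for one attachment name."""
    hits = []
    parts = [p.strip().lower() for p in name.split(".")]
    ext = real_extension(name)
    if ext in EXEC_EXTS:
        hits.append(f"executable extension .{ext}")
    if ext == "zip":
        hits.append("zip archive attachment")
    if len(parts) >= 3 and parts[-2].isalnum():
        hits.append(f"double extension .{parts[-2]}.{parts[-1]}")
    if re.search(r" {2,}\.[A-Za-z0-9]+$", name):   # spaces pushing the real extension out of view
        hits.append("padding spaces before final extension")
    if parts[0] in LURE_NAMES:
        hits.append(f"lure base name '{parts[0]}'")
    return hits


def triage_message(subject: str, body: str, attachment: str) -> list[str]:
    """Combine subject, body and attachment checks into one indicator list."""
    hits = []
    if subject.strip().lower() in MYDOOM_SUBJECTS:
        hits.append(f"known subject '{subject.strip()}'")
    text = " ".join(body.lower().split())   # collapse line breaks and runs of spaces
    if any(phrase in text for phrase in MYDOOM_BODIES):
        hits.append("known body text")
    hits.extend(attachment_indicators(attachment))
    return hits


def looks_like_mydoom(subject: str, body: str, attachment: str) -> bool:
    """Two or more independent indicators: quarantine, and do not auto-reply to From:."""
    return len(triage_message(subject, body, attachment)) >= 2


if __name__ == "__main__":
    # Constructed sample in the style the article describes.
    sample = ("Mail Transaction Failed",
              "The message contains Unicode characters and has been sent as a binary attachment.",
              "document.txt                                 .pif")
    print(triage_message(*sample), looks_like_mydoom(*sample))
```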

High calorie spread

The MyDoom worm harvests email addresses from a variety of file types found on the infected system: WAB, ADB, TBB, DBX, ASP, PHP, SHT, HTM, and TXT. A similar tactic was seen with the highly successful Sobig.F worm and older notorious threats such as Magistr. In fact, email worms that populate using only addresses found in the Windows Address Book are increasingly less common; most of today’s successful worms search multiple sources. Likewise, MyDoom uses its own SMTP engine to send itself, as did the Sobig and Yaha variants, the Braid worm, Sober, Mimail and dozens of others. MyDoom took it a step further: the worm code also contains text strings it can use to randomly create addresses if no others are found.

Mixed bag of worms

When the infected file is executed, the worm may first launch Notepad, filling the page with random garbage characters. It then drops a copy of itself to the Windows System folder using the name taskmon.exe. Because a valid copy of taskmon.exe can be found in the Windows folder on 9x and ME, this caused some confusion among victims. Indeed, even one antivirus researcher temporarily felt the need to repair or replace taskmon.exe in the event of disinfection. As noted previously, the worm also searches the System Registry for the location of the KaZaA shared folder and drops copies of itself to the folder, if it exists.

The worm also creates the file shimgapi.dll in the Windows System directory, registering this file as a child process of EXPLORER.EXE. Shimgapi.dll opens and listens on ports 3127 through 3198. This backdoor could be used to download further malicious code to the system. This DLL was missed by some of the antivirus vendors in their first round of updates, forcing them to re-release updates, often nearly 24 hours later. Those who had been affected by the worm initially and had cleaned their system with the first round of partial definitions were left with the backdoor wide open.

Ready, aim, fire

The MyDoom.B worm contains a routine to launch a Distributed Denial of Service (DDoS) attack against www.sco.com beginning on 1 February and ending on 12 February. On its end date, the worm itself also ceases to run, though it does not uninstall itself. To launch the DDoS, MyDoom.A launches 64 threads, each simultaneously sending a simple GET / HTTP/1.1 to port 80 of www.sco.com. This process repeats itself every 1024 milliseconds. This is performed in concert with all the infected machines worldwide, the combined effect being enough to quickly overwhelm the www.sco.com web servers.
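A web-server operator can recognise this traffic from the access log: per source address, a long run of nothing but the bare GET / HTTP/1.1 at a request rate no browsing person produces. This Python detector is an added example, not code from the article or from any vendor; the log lines, the thresholds and the hypothetical 10.0.0.5 and 192.0.2.9 addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log style access line (constructed format for this example).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WORM_REQUEST = "GET / HTTP/1.1"   # the bare request the article describes


def parse(line):
    """Return (ip, timestamp, request line) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, req, _status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), req


def flag_flood_sources(lines, min_requests=64, min_rate=20.0, min_share=0.9):
    """Return {ip: requests_per_second} for sources whose traffic is almost
    entirely the bare root request, arriving faster than a person browses."""
    per_ip = defaultdict(list)                # ip -> [(timestamp, request)]
    for line in lines:
        rec = parse(line)
        if rec:
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_requests:
            continue
        share = sum(req == WORM_REQUEST for _, req in recs) / len(recs)
        times = sorted(t for t, _ in recs)
        span = (times[-1] - times[0]).total_seconds() + 1   # log has 1 s resolution
        rate = len(recs) / span
        if share >= min_share and rate >= min_rate:
            flagged[ip] = round(rate, 1)
    return flagged


def constructed_log():
    """Constructed sample: one host behaving like the 64-thread routine for
    three seconds, plus one ordinary visitor fetching three pages."""
    base = datetime(2004, 2, 1, 0, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(3):
        stamp = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines += [f'10.0.0.5 - - [{stamp}] "{WORM_REQUEST}" 200 0'] * 64
    for off, page in ((0, "/"), (37, "/products/"), (95, "/support/")):
        stamp = (base + timedelta(seconds=off)).strftime(TS_FMT)
        lines.append(f'192.0.2.9 - - [{stamp}] "GET {page} HTTP/1.1" 200 5120')
    return lines


if __name__ == "__main__":
    print(flag_flood_sources(constructed_log()))   # {'10.0.0.5': 64.0}
```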

Rather than removing DNS entries for www.sco.com beforehand, The SCO Group waited until after the DDoS began. As such, www.caldera.com, hosted by the same web server, was also effectively taken offline. Antivirus vendor F-Secure kept a running weblog [4] narrating the attack. According to their findings, it was sometime late on Sunday, 1 February, before www.sco.com was removed from the DNS records, and Monday, 2 February, before an alternate website was established, www.thescogroup.com. Ironically, a similarly named site, www.thescogroup.net, is highly critical of SCO. That site begins with “Darl McBride is a Big Fat Idiot: A Fair and Balanced Look at SCO”.

The SCO Group did make some effort to spread awareness of the impending MyDoom attack. In the days leading up to the attack, www.sco.com contained information designed to assist users in avoiding infection. Included in their advice was a definition of a virus as “computer programs that cause unexpected results when executed” and Trojans defined as “malicious programs that have innocent-sounding names.” Indeed.

Of course, SCO’s mistaken assumptions pale in comparison to the antics of US CERT. Disregarding the widely saturated MyDoom.A threat, the newly formed US CERT, a partnership with the US Department of Homeland Security, instead issued multiple urgent alerts regarding the nearly non-existent MyDoom.B worm. Along with erroneously describing MyDoom.B as “rapidly spreading”, they cautioned that it “appears to have different MIMI data for malicious emails”, and that they had “credible data” indicating the MyDoom.B worm launched a DDoS attack against Microsoft only, not SCO.

Rounding out the madness, mi2g issued a press release [5] claiming $38.5 billion damage from the MyDoom.A worm. Considering the damage estimates for the city of New York as a result of the September 11th attacks on the World Trade Center were only $34 billion initially, it seems difficult to reconcile damage costs from a worm like MyDoom at anywhere near that amount. In the case of the WTC disaster, the figures were later revised [6] to approximately $83 million. However, this figure included not only the direct losses (in addition to human lives), i.e. property loss (buildings, business fixtures, computer equipment, phone and power utilities, subway stations, planes and vehicles), response costs (i.e. stabilization and cleanup), medical costs, and housing assistance, but also the indirect losses such as lost employee income, business profits due to space or infrastructure being destroyed or damaged, and lost or reduced tax revenues. It seems unlikely that any substantive damage costs resulting from the MyDoom.A worm would result in costs typical of a major disaster of great magnitude.

Of course, none of this is surprising or even newsworthy. After all, this is not the first time we’ve confronted a significant infector and dealt with poorly researched alerts, or inflated damage cost estimates, or even technically inaccurate descriptions. One could argue that these occurrences are almost a rite of passage where fast-spreading worms are concerned. What is surprising, however, is that in light of the FUD, the mistakes, and the hype, we still blame the user for not “getting it”.

References

[1] It is worth noting that the record changes depending on the record keeper and the record keeper's metrics.

[2] MyDoom.A - Wie schnell reagierten die AV-Hersteller? (MyDoom.A: how quickly did the AV vendors react?), PC-Welt and Andreas Marx (AV-Test.org), http://www.pc-welt.de/news/viren_bugs/37278/

[3] Yes, (some) antivirus companies are spammers, Fridrik Skulason, Founder of FRISK Software International, January 30, 2004, http://www.f-prot.com/news/gen_news/open_letter_30jan2004.html

[4] http://www.f-secure.com/weblog/

[5] http://www.mi2g.com/cgi/mi2g/press/010204.php

[6] Review of the Estimates for the Impact of 9/11 on New York Tax Revenues, General Accounting Office (GAO), http://www.gao.gov/new.items/d02700r.pdf

Check Point FireWall-1 HTTP Parsing Format String vulnerabilities

The vulnerability in Check Point is found in the Application Intelligence handling of HTTP traffic, which ironically is supposed to filter malicious requests before they reach internal systems. The problem is that format specifiers aren't handled properly when parsing HTTP requests.

Depending on the underlying operating system it may be possible to compromise the firewall and gain root or SYSTEM privileges. Check Point claims that this can only be exploited to crash the device, but ISS X-Force reports that they have successfully compromised a vulnerable firewall.

http://www.secunia.com/SA10794

RealOne Player / RealPlayer multiple vulnerabilities

Private and home users must be more concerned about yet another round of vulnerabilities in the popular multimedia player, RealOne Player (RealPlayer), which can be exploited by malicious sites to gain access to client systems.

The handling of certain files allows malicious files to cause a buffer overflow, which can be exploited to run arbitrary code. Another cross-site scripting error has also been identified in the handling of SMIL files.

While cross-site scripting in general is considered a less critical issue, it may turn out to be particularly tricky when it can be conducted through SMIL files, as this generally allows the attack to be carried out in the local security zone context.

http://www.secunia.com/SA10796

Internet Explorer Travel Log Arbitrary Script Execution vulnerability

It is quite interesting that Microsoft chose to release its patches for the recent Internet Explorer vulnerabilities one week ahead of the announced schedule.

Fortunately, some of the most critical Internet Explorer vulnerabilities have been fixed. Unfortunately, a number of older vulnerabilities still remain unfixed in the most recent version 6 with all Service Packs and patches applied.

For more details about fixed and unfixed vulnerabilities, see the historic advisories regarding Internet Explorer: http://www.secunia.com/Internet%20Explorer

The majority of us have probably seen a lot of different scam mails since mid-December 2003, which have exploited the infamous URL spoofing vulnerability. This is one of the vulnerabilities fixed by the latest Internet Explorer patch.

Also, the critical vulnerabilities published by Liu Die Yu in November 2003 have now been fixed. These vulnerabilities could be combined in a way which allows malicious websites to execute arbitrary code on client systems.

http://www.secunia.com/SA10289
http://www.secunia.com/SA10765

The Big Picture on Big Holes
Thomas Kristensen, CTO Secunia

Checkpoint, Real Player and Internet Explorer

A big hole in a big wall. The most interesting vulnerability is certainly the vulnerability in the world's most widely deployed commercial firewall, Check Point FireWall-1, which can be exploited to gain control of the firewall.