News
MyDoom Spreads Rapidly, but Corporate IT Well Prepared
by Stephen Swoyer
1/27/04 — A new mass-mailing
virus known as MyDoom or Novarg spread at a record-setting
pace this week, but its rate of success was fairly low against
corporate servers already hardened against similar attacks.
The new mass-mailing virus, also known as Worm_MiMail.R,
first appeared in the wild Monday afternoon, and has since
proliferated at a furious pace. Anti-virus vendor Symantec
Corp. reports that Novarg is already more active than the
summer’s most notorious mass-mailer, SoBig.F.
“With SoBig, we saw 1,800 submissions in a single day,”
said Oliver Friedrichs, a senior manager with Symantec
Security Response, in a conference call Tuesday morning.
Friedrichs said that Symantec had logged 2,500 Novarg
submissions in just 18 hours, at a rate of about 150 per
hour.
At the same time, Friedrichs said, only 9 percent of
submissions were from corporate accounts.
There’s good reason for that, says Russ Cooper, editor of
the NT Bugtraq listserv and surgeon general with security
consultancy TruSecure. “Most [companies] are intercepting this
stuff as it comes in [with spam gateways] or restricting
access to attachments, or ideally doing both,” he says. “You
can do one or both, but you can’t afford to do neither.”
Ray Zorz, a network administrator with an advocacy group
based in the Southwest, reported a heavy load of
Novarg-related e-mail traffic in the hours after the new
mass-mailer first appeared. “Fortunately my Sybari Antigen AV
software seems to be catching them, primarily because I filter
out the various file extensions like .scr and .pif. So far I
do not believe it's affecting my end users, and like all virus
outbreaks, I just hope to weather the storm.”
Bryan Lucas, an Exchange administrator with Texas Christian
University, says that neither Novarg nor its predecessor,
Bagle (also called Bagel or Beagle), has had much impact, if any, in his
environment. “The Bagel/Beagle virus and this new Doom virus
have been of very little impact to us. With so many viruses,
we, like so many other businesses have had to harden our mail
systems. It takes a pretty clever virus to get through,” he
says.
Lucas says blocking common attachments is the difference
between safely riding out a mass-mailing storm and foundering
in one. “Bagel, like this new MyDoom, depends on an
executable file attachment. We block .exe's along with another
20-30 file extensions. That offers us a fair amount of
protection until our anti-virus vendors release their
definitions.”
Like other mass-mailers, Novarg infects a system by means
of a malicious attachment, which usually appears as a .zip file,
although there have been accounts of it arriving as a text
file. Once it infects a system, Novarg typically copies itself
into the Windows\System folder (as TASKMON.EXE), to the
Windows Desktop (as Document.scr) and into the shared folder
used by the Kazaa file-sharing service (as
activation_crack.scr). Novarg propagates by harvesting e-mail
addresses from local files, including HTML files and the
databases of popular contact-management software, and mailing
itself to them.
In addition, Friedrichs reports, Novarg opens a back door
on TCP ports 3127 through 3198. “[It] allows other people [to]
come in and connect to an infected system,” he explains. “They
can actually send programs and other files up to the infected
system and have them execute. That exposes the infected system
to further attacks, [because] anyone can come into one of
these infected systems, install another Trojan or another
program, and take control.”
A malicious attacker can also exploit the Novarg back door
to relay spam. “There are certain commands that this backdoor
accepts; by issuing those commands, someone can cause the
infected system to open up a network connection to any
arbitrary host on any arbitrary port,” he says.
The virus also has a political motive. It is programmed to
launch a denial-of-service attack against the SCO Group Inc.,
the company that mounted a full-on legal attack on Linux on
intellectual property grounds. That DoS attack is scheduled to
start Feb. 1 and run through Feb. 12.
Symantec and most other vendors issued updated virus
definitions Monday night, although some are still working on
Novarg clean-up tools. Virus experts say that while there’s
certain to be some damage at the enterprise level from the
latest mass-mailer – there is, after all, some lag time
between when a virus first appears and anti-virus vendors
issue updated virus definitions – its impact can be minimized
if administrators simply follow the best practice of
restricting access to most if not all attachments, including
.zip files and .txt files.
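The attachment-blocking practice the administrators above describe, as an added defender-side example that is not from the article or any vendor named in it: a mail-gateway check that refuses attachments with executable extensions and, going one step beyond the quoted block lists, looks inside .zip attachments (the form Novarg arrives in) for the same extensions. The block list and the sample message are constructed for illustration.

```python
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Assumed illustrative block list; the admins quoted above block .exe, .scr, .pif and "another 20-30" extensions.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

def ext_of(name: str) -> str:
    return os.path.splitext(name)[1].lower()

def executable_members(blob: bytes) -> list[str]:
    """Names of blocked-extension files inside a zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if ext_of(n) in BLOCKED_EXTENSIONS]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # a corrupt archive is treated as suspicious

def attachment_verdicts(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    verdicts = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container, not an attachment
        if ext_of(name) in BLOCKED_EXTENSIONS:
            verdicts.append((name, "blocked: executable extension"))
        elif ext_of(name) == ".zip":
            # Novarg arrives as a .zip wrapping an executable, so look inside it.
            inner = executable_members(part.get_payload(decode=True))
            verdicts.append((name, "blocked: archive contains " + ", ".join(inner) if inner else "allowed"))
        else:
            verdicts.append((name, "allowed"))
    return verdicts

def build_sample_message() -> bytes:
    """Constructed test message, not a real Novarg capture: a .zip holding a .scr plus a harmless .txt."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("document.scr", b"placeholder bytes, not executable code")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    msg.add_attachment("just text", filename="readme.txt")
    return msg.as_bytes()
```

Extension matching on the outer filename alone would have passed the .zip, which is why the archive is opened before a verdict is given.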
“I had an e-mail from one individual who says … that there
are business reasons that you need executable attachments,
which I just don’t accept; there’s no valid business reason
anymore, especially when you take into account the damage that
these [mass-mailers] can cause,” says TruSecure’s Cooper.
Cooper doubts that Novarg is a big problem in the
enterprise, noting that it typically spreads by exploiting
common first names – i.e., “John,” “Peter,” or “Mary” –
appended to a destination domain name. “The reason that this
thing is getting legs is possibly the result of … a machine
that had previously been trojaned and was being used for spam
production, and then gets this, and meanwhile it’s got a huge
list of addresses that this can exploit,” he says.