MyDoom Aims Glancing Blow at Search Engines

 
 
By John Pallatto  |  Posted 2004-07-26

While causing denial-of-service attacks on popular search engines wasn't the main goal of the latest MyDoom worm variant, that was the effect as the new version spread rapidly.

Performance problems reported at major Internet search engines were not the result of a direct denial-of-service attack launched by the latest variant of the MyDoom worm, anti-virus researchers said Monday.

The latest version, variously named MyDoom.M, MyDoom.M@mm or MyDoom.O, is slightly different from earlier versions because it uses the search engines to verify and locate additional e-mail domains to infect, said Lloyd Taylor, vice president of technology and operations at Keynote Systems Inc. of San Mateo, Calif.

The worm spread rapidly as people arrived at work Monday morning and began clicking on e-mail messages that included the worm code, Taylor said. The worm "started spreading so quickly that the sheer number of machines doing e-mail searches overloaded the search engines' ability to handle them," Taylor said.

Internet users experienced intermittent problems on Monday with accessing popular search engines including Google, Yahoo, Lycos and AltaVista, according to Trend Micro Inc.

Search engine performance started to return to normal Monday afternoon, Taylor said, after the search engines effectively blocked the MyDoom e-mail searches. The access interruptions were scattered and intermittent, Taylor noted. Users in one part of a large city such as New York might report outages, while users in another area would have no problem accessing the search engines.

But PC users whose machines were infected face potential problems in the future. As in earlier MyDoom variants, the worm implants a "back door" into the operating system that will allow an intruder to take control of a machine and potentially use it as a spam or pornography distribution server, Taylor said.

Users should ensure that their anti-virus protection software is updated. They should run a virus scan if they have any suspicion that they deployed the worm on their system.

This particular MyDoom variant spread quickly because it used a form of "social engineering" to trick users into clicking on the infected file, which might be in the form of a .txt, .doc, .com or .exe file, Taylor noted. It usually took the form of a warning from a corporate IT department saying that it appeared a user's machine had been used as a spam server.

The message also told the users to click on the file attachment to get instructions on how to remove the spam server from their machines. But clicking on the file would actually deploy the worm.

The rapid spread of MyDoom.M is not an indication that virus attacks are getting more sophisticated or are more of a threat today to search engines or to other online software platforms, Taylor said. All e-mail users are just as vulnerable today as they always have been, Taylor said.

But the search engine sites showed they could respond rapidly to block the problem, Taylor said. Major software and product distribution sites such as Salesforce.com, Siebel.com, Oracle.com and Amazon.com all have security in place to ward off such attacks, he said.

The latest worm attack mainly shows that PC users are as naive as ever about opening potentially damaging e-mail attachments, Taylor said. Users have to think twice before they click on any attachment that appears to be out of the ordinary, he said.

This latest worm isn't likely to cause long-lasting problems for either the search engines or corporate network managers, said Joseph Hartmann, director of North American anti-virus research at Trend Micro.

"This is more like a garden-variety virus infection," he said. It may be causing initial trouble on some corporate local area networks, Hartmann said. But he said he doesn't believe it will be as damaging as some of the other recent infections, such as the Bagle or Netsky worms.

"People aren't going to remember this latest attack for very long after this week," because it should prove relatively easy to block and clean from networks and personal machines, Hartmann said.

John Pallatto is eWEEK.com's Managing Editor News/West Coast. He directs eWEEK's news coverage in Silicon Valley and throughout the West Coast region. He has more than 35 years of experience as a professional journalist, which began as a reporter with the Hartford Courant daily newspaper in Connecticut. He was also a member of the founding staff of PC Week in March 1984. Pallatto was PC Week's West Coast bureau chief, a senior editor at Ziff Davis' Internet Computing magazine and the West Coast bureau chief at Internet World magazine.