MyDoom "backdoor" capitalized in launching attacks on prominent Web Servers
July 29, 2004
As many security researchers feared after analyzing the code for MyDoom.O, a second, related attack began early Tuesday with a new piece of code that uses the back door installed by MyDoom.O to spread itself and launch a DDoS (distributed denial of service) attack against Microsoft.com.
The new attack uses MyDoom-infected systems to launch a denial-of-service attack against Microsoft's Web site, says Ken Dunham, director of malicious code at security firm iDefense Inc., in an E-mail alert.
MyDoom.O installs a Trojan known as Zincite.A on every PC that it infects. The Trojan opens TCP port 1034 and listens for further commands. Zindos spreads itself by scanning for machines listening on port 1034. When it finds one, Zindos copies itself to the infected PC and then Zincite executes the copy.
Zindos then creates an executable file and launches a DDoS attack against Microsoft Corp.'s main Web site.
Once the infection process is complete, Zindos.A attempts to attack Microsoft.com with a denial-of-service attack.
Zindos can infect Windows machines without any interaction from the computer user, modifying the configuration of Windows so that the worm is started along with the Windows operating system. Once installed, Zindos begins searching for other MyDoom-infected machines to send copies of itself to, Symantec said.
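As an added illustration, not part of the original article, the following Python snippet shows how a defender could spot the behaviour described above in connection logs: a host probing many different destinations on TCP port 1034 (Zindos scanning for the Zincite back door) and hosts that accept connections on that port (already carrying the back door). The log format, the sample lines and the scan threshold are assumptions, not anything taken from the article.

```python
from collections import defaultdict
import re

# Port opened by the Zincite.A back door, as described in the article.
BACKDOOR_PORT = 1034
# Distinct destinations probed before a source counts as scanning (assumed value).
SCAN_THRESHOLD = 5
# Constructed sample log lines in an assumed "date time src dst dport state" format.
SAMPLE_LOG = """\
2004-07-27 10:01:02 10.0.0.5 10.0.0.21 1034 SYN
2004-07-27 10:01:02 10.0.0.5 10.0.0.22 1034 SYN
2004-07-27 10:01:03 10.0.0.5 10.0.0.23 1034 SYN
2004-07-27 10:01:03 10.0.0.5 10.0.0.24 1034 SYN
2004-07-27 10:01:04 10.0.0.5 10.0.0.25 1034 SYN
2004-07-27 10:01:04 10.0.0.5 10.0.0.26 1034 ESTABLISHED
2004-07-27 10:01:05 10.0.0.9 10.0.0.30 80 ESTABLISHED
2004-07-27 10:01:06 10.0.0.9 10.0.0.26 1034 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<state>\S+)$"
)

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "dport": int(m.group("dport"))}

def find_backdoor_activity(text, threshold=SCAN_THRESHOLD):
    """Return (scanners, listeners): sources probing many hosts on the
    back-door port, and destinations that accepted a connection on it."""
    targets = defaultdict(set)   # src -> distinct dsts probed on port 1034
    listeners = set()            # dsts with an ESTABLISHED session on port 1034
    for rec in parse_log(text):
        if rec["dport"] != BACKDOOR_PORT:
            continue
        targets[rec["src"]].add(rec["dst"])
        if rec["state"] == "ESTABLISHED":
            listeners.add(rec["dst"])
    scanners = sorted(s for s, d in targets.items() if len(d) >= threshold)
    return scanners, sorted(listeners)

if __name__ == "__main__":
    scanners, listeners = find_backdoor_activity(SAMPLE_LOG)
    print("possible Zindos scanners:", scanners)
    print("hosts accepting on port 1034 (back door likely open):", listeners)
```

On the constructed sample, 10.0.0.5 is reported as a scanner and 10.0.0.26 as a host with the back-door port open; both are candidates for isolation and clean-up rather than proof of infection on their own.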
Analysts at Symantec Corp. said Tuesday that they had discovered a previously unknown function in MyDoom.O that keeps track of every system the worm infects. Symantec's analysts reckon that Zindos is being used as an updating mechanism for the MyDoom worms, which means that their behavior and characteristics could change at any time.
Though Zindos' main goal is to cripple Microsoft Corp.'s main Web site, systems still reeling from the MyDoom strike on Monday and left unprepared could also suffer from a Zindos hit. Leading Web sites all experienced significant slowdowns during the period covered by the MyDoom attack, including the Web pages of the Washington Post, New York Times, CNet Networks, Nortel Networks, and InfoWorld magazine, according to Keynote Systems, a Web performance measurement company in San Mateo, California.
Only computers running Microsoft's Windows operating systems are affected.
The Zindos worm infects computers already infected by MyDoom-O and launches an attack against the Microsoft web site.
As Graham Cluley, Senior Technology Consultant for Sophos put it,
"Three minutes after a PC is infected by the Zindos worm, it will begin to launch a denial of service attack against Microsoft's main web site - www.microsoft.com. All computer users have a responsibility to ensure their PCs are secured with up-to-date anti-virus and firewall protection to ensure they are not unknowingly collaborating with the virus writer's illegal activity."