Doomjuice Worm Puts New Squeeze on IT

Computer security experts thought the impact of MyDoom would fade on February 12th, as the program was reportedly designed to terminate itself on that date.

Instead, MyDoom’s creators are suspected of masterminding a new malware attack that started Monday. The new worm, Doomjuice, landed on every computer still harboring the original MyDoom.A or MyDoom.B strain.

Vincent Gullotto, vice president of McAfee Security’s AVERT team at Network Associates, suspects 50,000 to 75,000 machines may still be at risk, based on the number of infections seen at the height of MyDoom.A, but he said no samples were received from the field Monday.

“My concern is if it begins to move, and that is still possible, it will probably infect the home user segment, since most corporations will have cleaned any computers infected with MyDoom,” Gullotto told the E-Commerce Times.

One-Two Punch

First, Doomjuice spreads to computers infected with the MyDoom worm, entering through a previously established backdoor. To locate machines that have the backdoor, Doomjuice scans random IP addresses and attempts to connect to port 3127.

Harnessing the power of those connections, it then launches a distributed denial-of-service (DDoS) attack. “The most public thing you’ll see is a DDoS attack on Microsoft’s site between February 8 and 18,” F-Secure systems engineer Tony Magallanez told the E-Commerce Times. In recent weeks, DDoS attacks stemming from MyDoom have caused a noticeable slowdown in Internet traffic worldwide.

Making matters potentially worse, a second worm in the wild, Deadhat, removes the MyDoom virus from victims’ computers but then installs a more lethal program that resides undetected and appears to await further instructions.

F-Secure and other security firms say Deadhat targets users of Soulseek file-sharing software but is not likely restricted to that service. Similar file-sharing technology that lets users collaborate on files and swap music and movies also can be exploited in this way.

Target: Broadband Home Users

Further incidences of infection likely will be seen among home users with digital subscriber lines (DSL) and cable modems, according to Magallenez. “Firewalls alone are not sufficient protection,” he said. “Users now want to incorporate three things into their personal arsenal: antivirus software, firewalls and, becoming more important, application control software to identify which applications are trying to access the Internet and allow or deny permission. Especially with the prevalence of remote workers and laptop use so overwhelming, a corporate user can get infected working at home and bring that worm into the office.

“Because the Doomjuice worm delivers onto the root of every hard drive on every machine the source code of the original MyDoom.A, and puts code there for anyone to recompile and send out, it will likely be very popular to copy in the future. It allows a virus writer to recuse himself of guilt,” Magallanez added. “Until now, one way of proving a case against a hacker was confiscating a machine to see if source code was on it. Now, though, the source code will be on tens of thousands of machines.”

Independent investigations geared toward finding the worm’s creators are under way at law enforcement agencies. Meanwhile, Microsoft and SCO each has offered a reward of US$250,000 for information leading to the arrest and conviction of those responsible for unleashing the MyDoom.A and MyDoom.B worms.

More Doom?

Gullotto told the E-Commerce Times that Doomjuice is more than just a worm. “Doomjuice is clearly a step toward … some type of conspiracy,” he said. “More copycat worms might be forthcoming, since this latest threat makes the source code available to anyone.”

Doomjuice’s immediate impact may be less severe than that of MyDoom because most people cleaned MyDoom off their computer. “However,” Gullotto said, “given they now have proof-of-concept laid down and to the extent we’ve seen virus writers change focus in the past 18 months, producing not just mass mailings but machines compromised and opened up, some segment of the virus-writing community might move toward this. Even if such a program has only half the potential of MyDoom or last year’s SoBig, it could create a zero-day attack.”