Security researchers have warned that the author of
MyDoom.O is already exploiting a backdoor installed by the worm to
launch further attacks.
The use of a worm to create a launching pad for other threats is
a worrying precedent, according to security experts, making it
easier for hackers to rally large numbers of readily-available
"zombie" PCs for denial-of-service attacks or to spread new
viruses.
This emerging technique may also account for the rapid spread of
MyDoom.O itself, since an earlier worm, MyDoom.L, was discovered to
have similar backdoor functionality, said security firm
Symantec.
The worm does not leave PCs open to attack by just anyone; rather, it
aims to prevent rival attackers from making use of infected machines,
in effect creating a "zombie army" under the sole control of the worm's
creator, according to Sophos anti-virus senior technology
consultant Graham Cluley.
MyDoom.O, also known as MyDoom.M, includes a feature for keeping
track of all known infected systems and lets the worm's author
easily upload new binaries, researchers said.
Access to the machines could be a valuable commodity for
spammers, virus writers or those wishing to launch a
denial-of-service attack, Cluley said.
"More and more people are interested in gaining control over
large numbers of zombie computers. The information on these
infected PCs could be sold on to others," he said.
The worm's author has already launched a secondary attack in the
form of W32.Zindos.A, which is designed to attack the Microsoft.com
domain.
Zindos.A does not appear to have spread widely so far, possibly
in part because of a coding error which slows down the performance
of infected machines, Symantec said. Microsoft said it was
experiencing no problems with its site.
However, future attacks are likely to be on the way, researchers
said. While MyDoom.O's spread has dropped steadily since soon after
its initial appearance, a large number of infected PCs are still
likely to be available.
E-mail outsourcing firm MessageLabs said it had intercepted more
than 980,000 copies of the worm as of midday on Wednesday.
"It is still a threat," said Katrin Tocheva, team manager with
F-Secure. "It's not as bad as Monday, but it is still out there -
there are hundreds of thousands of infected computers all over the
world."
And MyDoom.O's success at disabling the Google search engine
should demonstrate the danger denial-of-service attacks pose,
experts said.
"If there's a determined attack, there's not much you can do,"
said Cluley. "If you can disrupt Google, you can probably hit
anyone on the Internet. It shows the power of a lot of computers
working together."
An unrelated denial-of-service attack brought the DoubleClick
advertising network down for several hours on Tuesday, disrupting
many sites that displayed DoubleClick advertisements.
The real problem is the existence of millions of unprotected PCs
on the internet, mostly belonging to home users who are unaware
their machines are being used to launch attacks, said Cluley. He
suggested ISPs could play a more active role in protecting such
PCs.
Matthew Broersma writes for Techworld.com