MyDoom on the attack again

Security researchers have warned that the author of MyDoom.O is already exploiting a backdoor installed by the worm to launch...

Security researchers have warned that the author of MyDoom.O is already exploiting a backdoor installed by the worm to launch further attacks.

The use of a worm to create a launching pad for other threats is a worrying precedent, according to security experts, making it easier for hackers to rally large numbers of readily-available "zombie" PCs for denial-of-service attacks or to spread new viruses.

This emerging technique may also account for the rapid spread of MyDoom.O itself, since an earlier worm, MyDoom.L, was discovered to have similar backdoor functionality, said security firm Symantec.

The worm does not leave PCs vulnerable to any attack, but aims to prevent rival attackers from making use of infected machines - in effect creating a "zombie army" under the control of the worm creator, according to Sophos anti-virus senior technology consultant Graham Cluley.

MyDoom.O, also known as MyDoom.M, includes a feature for keeping track of all known infected systems and lets the worm's author easily upload new binaries, researchers said.

Access to the machines could be a valuable commodity for spammers, virus writers or those wishing to launch a denial-of-service attack, Cluley said.

"More and more people are interested in gaining control over large numbers of zombie computers. The information on these infected PCs could be sold on to others," he said.

The worm's author has already launched a secondary attack in the form of W32.Zindos.A, which is designed to attack the domain.

Zindos.A does not appear to have spread widely so far, possibly in part because of a coding error which slows down the performance of infected machines, Symantec said. Microsoft said it was experiencing no problems with its site.

However, future attacks are likely to be on the way, researchers said. While MyDoom.O's spread has dropped steadily since soon after its initial appearance, a large number of infected PCs are still likely to be available.

E-mail outsourcing firm MessageLabs said it had intercepted more than 980,000 copies of the worm as of midday on Wednesday.

"It is still a threat," said Katrin Tocheva, team manager with F-Secure. "It's not as bad as Monday, but it is still out there - there are hundreds of thousands of infected computers all over the world."

And MyDoom.O's success at disabling the Google search engine should demonstrate the danger denial-of-service attacks pose, experts said.

"If there's a determined attack, there's not much you can do," said Cluley. "If you can disrupt Google, you can probably hit anyone on the Internet. It shows the power of a lot of computers working together."

An unrelated denial-of-service attack brought the DoubleClick advertising network down for several hours on Tuesday, disrupting many sites that displayed DoubleClick advertisements.

The real problem is the existence of millions of unprotected PCs on the internet, mostly belonging to home users who are unaware their machines are being used to launch attacks, said Cluley. He suggested ISPs could play a more active role in protecting such PCs.

Matthew Broersma writes for

Zindos capitalises on MyDoom.O infections >>

Read more on IT risk management