Zero Day arrives with latest MyDoom

The latest version of the MyDoom virus suggests that the much dreaded Zero Day attack may have arrived, say security experts.

Zero Day refers to a worm or virus that arrives on the heels of, or even before, the public announcement of a vulnerability in a computer system. The newest version of MyDoom appeared only two days after a security flaw in Internet Explorer was made public by two hackers.

What's different about this version of MyDoom is that instead of attaching itself to an e-mail as an executable program, it appears as a web link within the text of an e-mail message. Clicking on the link will direct the browser to another website that will exploit an IFrames vulnerability in IE and infect the machine the browser is running on.
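The delivery change described above matters for mail filtering: a scanner that only inspects attachments sees nothing in a message whose payload is a link. The following is an added Python example, not code from the original article or from any of the vendors it quotes, that parses a raw message with the standard library and reports both executable attachments and links whose host is not on a defender-maintained allowlist. The allowlist, the two sample messages and the list of "executable" extensions are all constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict, Iterator, List
from urllib.parse import urlparse

# Constructed sample 1: the "new" style, a link in the body and no attachment.
SAMPLE_LINK_EMAIL = """From: someone@example.com
To: user@example.org
Subject: check this out
Content-Type: text/plain; charset="us-ascii"

Hi, please look at http://203.0.113.45/photos/index.html as soon as you can.
Also see https://intranet.example.org/news.
"""

# Constructed sample 2: the "old" style, an executable attachment.
SAMPLE_ATTACHMENT_EMAIL = """From: someone@example.com
To: user@example.org
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="photos.scr"
Content-Disposition: attachment; filename="photos.scr"
Content-Transfer-Encoding: base64

QUJD
--XYZ--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumption: extensions the defender treats as executable content.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".zip")
# Assumption: hosts the organisation considers safe to link to.
TRUSTED_HOSTS = {"intranet.example.org"}


def iter_text_parts(msg: Message) -> Iterator[str]:
    """Yield the decoded text of every text/* MIME part."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield payload.decode(charset, errors="replace")


def extract_links(msg: Message) -> List[str]:
    """Collect http(s) URLs from all text parts, trimming trailing punctuation."""
    links = []
    for text in iter_text_parts(msg):
        for url in URL_RE.findall(text):
            links.append(url.rstrip(".,;:)"))
    return links


def executable_attachments(msg: Message) -> List[str]:
    """Return filenames of attachments with an executable-looking extension."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXT):
            names.append(name)
    return names


def triage(raw: str) -> Dict[str, object]:
    """Flag a message if it carries an executable attachment or an untrusted link."""
    msg = message_from_string(raw)
    links = extract_links(msg)
    suspicious = [u for u in links if urlparse(u).hostname not in TRUSTED_HOSTS]
    attachments = executable_attachments(msg)
    return {
        "links": links,
        "suspicious_links": suspicious,
        "executable_attachments": attachments,
        "flag": bool(suspicious or attachments),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_LINK_EMAIL, SAMPLE_ATTACHMENT_EMAIL):
        print(triage(sample))
```

Both constructed messages are flagged, but for different reasons: the first has no attachment at all and would pass an attachment-only scanner, which is exactly the gap the link-based variant exploits.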

"Up until today, every worm that came out had a fix and that fix was out there for some time," said Stuart McClure of Foundstone Strategic Security.

McClure suggested it would only be a short time before a worm or virus appeared that exploited an unknown vulnerability for which no fix existed. The gap between a vulnerability becoming known and an exploit being written for it has been shrinking. Two years ago, that gap was between four and six weeks.

"For the first six months of this year, the time difference was about 5.8 business days, and in this most recent case it was just two days," said Alfred Huger, senior director of engineering with Symantec. "It is extremely difficult for a vendor to put out a patch in that short a time."

Carol Terentiak, security strategy and response manager with Microsoft Canada, said the latest version of MyDoom suggested virus and worm writers were now going beyond merely tweaking existing virus code: they were doing more sophisticated work, first prising apart the systems they wanted to compromise and looking for problems.

There was also some suggestion that the release of the virus was timed to disrupt Microsoft's monthly security bulletins. Each month, Microsoft releases a security bulletin that gives customers information about security issues, exploits and fixes. The timing of the latest MyDoom variant suggested to some that its author may have hoped to show the bulletin was inadequate in providing up-to-date security information and fixes to Microsoft customers.

Terentiak said she was not aware of that being the case and added that Microsoft users who had installed Service Pack 2 for Windows XP already had more protection from this virus. SP2 comes with built-in protection against the kinds of exploits that MyDoom tries to perpetrate.

Microsoft is now working on a separate patch for the vulnerability in IE.

Terentiak advised users to consult either or for more information.

Tom Venetis writes for IDG News Service