Antivirus companies have confirmed yesterday's Macworld report claiming a new Internet assault against search engines, including those run by Lycos and Google.
The attack is in the form of a new variant of the MyDoom email worm, called MyDoom.O. It's currently propagating in the wild and has slowed performance at some afflicted search engines.
The worm was first detected on Monday. It arrives in email message attachments that, when opened, install the virus and open a back door that remote attackers can use to access infected machines. While similar to other versions of MyDoom, the O-variant is testing a new approach: using major search engines to harvest email addresses on Web domains that it discovers, slowing those sites, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Centre.
"The standard scheme is for viruses to look for email addresses in the Web cache," he said, referring to the store of previously visited Web pages stored on computer hard drives. But if MyDoom.O finds an email address, in addition to sending a copy of itself to the address, it also does a Web search on the Web domain and uses the search results to discover more addresses in that domain, according to Ullrich.
Search and destroy
The worm targets Google, Yahoo and Lycos. The AltaVista search engine owned by Overture Services is also a target, according to a statement from Computer Associates International. The Lycos search engine could not be accessed with a browser as this story was filed.
A spokesman for Google acknowledged on Monday that visitors experienced slowness for a short period of time that the company believes was related to the MyDoom worm. The spokesman could not say whether some users were still experiencing slow response at Google.com, but said that the Google Web site was not "significantly impaired" by the attacks. Technical staff at the company are investigating the slowdowns and expect to have service restored for all users shortly, he said.
Yahoo said it noticed the effect of the virus on Yahoo search as a result of ongoing surveillance early on Monday and implemented "backup procedures" to compensate for the increased traffic. The company said there was "minimal latency" in its site on Monday morning, but that traffic and systems were running "normally" later on Monday, according to Stephanie Ichinose, a Yahoo spokeswoman.
Threat assessment rising
McAfee rated the new MyDoom version a "medium" threat, citing a large number of virus samples received by the company. Symantec ranked MyDoom.O, which it calls MyDoom.M, a "moderate" threat, indicating a "potentially dangerous" threat to the Internet.
Symantec later updated its threat rating on the new MyDoom variant to a "severe" threat, indicating a dangerous virus or worm that is difficult to contain. The company cited increased prevalence of the new worm on the Internet as a reason for increasing the severity of its warning, according to information provided by the company.
How to spot it
Like previous versions of MyDoom, MyDoom.O arrives in email messages sent from faked (or "spoofed") email addresses with vague subjects such as "hello", "error", and "status."
The worm uses a number of different ruses to fool email recipients into opening the infected email attachment. Among other things, the virus poses as an administrative message from the user's email server and, ironically, as directions to remove a virus, said Joe Telafici, director of operations for McAfee's Antivirus Emergency Response Team (AVERT).
Like other mass-mailing worms, MyDoom.O avoids sending messages to antivirus company domains such as Sophos and Trend. It also tries to skirt large Web email providers by not sending email to the Hotmail, Yahoo and Google domains, among others, according to antivirus companies.
The worm uses standard search syntax to look for email addresses, which could make it difficult for search engines to separate MyDoom-generated traffic from other Internet queries, Ullrich said.
Ullrich estimated that "a couple of hundred thousand machines" may be infected with MyDoom.O. Those machines can generate huge volumes of search requests, which appear to be bogging down major search engines.
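Because the worm's queries look like ordinary searches, a search operator's best handle is volume and shape rather than syntax. The following is an added illustration, not code from the article or from any of the companies it quotes: a small detector that buckets constructed query-log lines per client and minute and flags clients whose traffic is dominated by bare "@domain" lookups. The log format and the "@domain" query shape are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture): "ISO-timestamp client-ip query"
SAMPLE_LOG = """\
2004-07-26T14:00:01 10.0.0.5 weather boston
2004-07-26T14:00:02 10.0.0.9 @example.org
2004-07-26T14:00:02 10.0.0.9 @example.org mail
2004-07-26T14:00:03 10.0.0.9 @example.org contact
2004-07-26T14:00:03 10.0.0.9 @example.org email
2004-07-26T14:00:04 10.0.0.9 @example.org staff
2004-07-26T14:00:05 10.0.0.5 @example.org careers
"""

# Assumed shape of an address-harvesting query: a bare "@domain.tld" term,
# optionally surrounded by other words. Legitimate users can issue these too,
# so the regex alone is never a verdict; the per-client counts below are.
HARVEST_QUERY = re.compile(r"(^|\s)@[a-z0-9.-]+\.[a-z]{2,}(\s|$)", re.IGNORECASE)


def parse_line(line):
    """Split 'ISO-timestamp client-ip query...' into (minute, ip, query)."""
    ts, ip, query = line.split(" ", 2)
    return ts[:16], ip, query  # ts[:16] truncates to YYYY-MM-DDTHH:MM


def flag_harvesters(log_text, min_queries=5, min_ratio=0.8):
    """Return {(ip, minute): (total, harvest_like)} for every per-client,
    per-minute bucket with at least min_queries harvest-style queries that
    also make up at least min_ratio of that client's queries in the minute."""
    buckets = defaultdict(lambda: [0, 0])  # (ip, minute) -> [total, harvest]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        minute, ip, query = parse_line(line)
        counts = buckets[(ip, minute)]
        counts[0] += 1
        if HARVEST_QUERY.search(query):
            counts[1] += 1
    flagged = {}
    for key, (total, harvest) in buckets.items():
        if harvest >= min_queries and harvest / total >= min_ratio:
            flagged[key] = (total, harvest)
    return flagged
```

On the constructed sample, 10.0.0.9 is flagged for the 14:00 minute while 10.0.0.5, which issued one such query among ordinary searches, is not; the thresholds are the tuning knobs that trade false positives against catching slower infected hosts.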
Though MyDoom.O is the fifteenth version of a worm that first appeared in January, and in most ways similar to the variants that came before it, the new techniques used by the latest variant - including its use of Web search engines to harvest email addresses - may be paying off and encouraging the spread of the O version, said Sam Curry, vice president of eTrust Security Management.
In addition to the Web searching, MyDoom.O also has improved features for spreading between computers connected over a peer to peer (P-to-P) network, and its message bodies use "social engineering" tricks to lure recipients into clicking on the virus file, he said.
"It's one of those things where the whole is greater than the sum of its parts," Curry said. "There's nothing here radically new, but there are some small incremental improvements that are leading to drastic improvements in the worm's ability to spread."
Updated virus definitions available
McAfee received about 40 MyDoom.O virus samples per hour since first identifying the new variant, Telafici said. That's a more sustained rate than recent outbreaks like Bagle.AF, which died out quickly after first appearing. Some antivirus researchers attribute such spikes to virus "seedings" that use compromised machines, or "zombies," to distribute virus-infected email to millions of machines simultaneously.
CA also upgraded its warnings about the worm to "medium" on Monday. The company said it received more than 1,000 samples of the virus from customers since identifying the worm early Monday.
The fact that MyDoom.O submissions have remained high may be evidence that the virus is spreading and generating its own mail traffic, Telafici said.
Web performance measurement company Keynote Systems said it noticed a decrease in the responsiveness of 40 major Web sites that it manages, beginning at around 7am Pacific Time (5pm BST) on Monday, said Dan Berkowitz, director of corporate communications at Keynote.
The reliability measurement of the "Keynote Business 40," an index of large and highly trafficked Web sites, decreased by around 1.5 per cent to 95.5 per cent on Monday morning, which experts at the company believe is due to the MyDoom worm, Berkowitz said.
Keynote was still analyzing the slowdowns on Monday, but said that it noticed more-pronounced slowdowns in search features offered by the 40 Web sites during the same period, and that it measured slowdowns at the four search engines targeted by MyDoom.O, he said.
Antivirus companies advised customers to update their virus definitions to detect the MyDoom.O worm.