A new attack against MyDoom-infected machines has been identified by security specialists mi2g.
The attack "has been designed to make money and definitely appears to be the handiwork of organized crime," mi2g warns.
A new piece of malware called Deadhat has appeared. Machines infected with MyDoom.a and MyDoom.b are being colonized by Deadhat, which has "some sinister cryptographic features", the analysts warn. mi2g describes Deadhat as coming ever closer to what it calls a Distributed Intelligent Malware Agent (DIMA).
"On the face of it Deadhat appears to be relatively useless but it has a darker side: it is the type of distributed intelligent malware agent with crypto control that has been conceived for the perfect colonization of MyDoom-infected machines."
Deadhat does not spread through email. Instead, it actively seeks to install itself through the backdoor that MyDoom.a and MyDoom.b leave open on infected machines, which it finds by scanning for their tell-tale listening ports.
Once it has control of an infected machine, it removes all traces of MyDoom and copies itself to the SoulSeek file-sharing application (if installed). In the process, the ports MyDoom opened are closed; Deadhat then opens a new TCP port of its own and awaits further instructions, which must be authenticated with a cryptographic key. If authentication succeeds, the backdoor accepts a file for upload and execution.
Deadhat's Internet Relay Chat (IRC) component connects to a predetermined IRC server and listens on a specific channel for further commands. The backdoor supports commands to download and execute specified programs on the infected computer.
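The takeover sequence described above leaves a network footprint a defender can look for: an external peer completing a connection to a MyDoom backdoor port on an internal host, that host then dialling out to an IRC server, and later probes of the old backdoor port being refused once it has been closed. The following is an added example, not code from the article or from mi2g, that applies that logic to a handful of constructed firewall-style connection records. The log format, the internal address range (192.0.2.0/24), the IRC port list and the MyDoom backdoor port numbers (3127 and 1080) are all assumptions made for the example; substitute whatever your own logs and AV vendor's writeups give you.

```python
"""Flag internal hosts that match the Deadhat takeover pattern:
an external peer reaches a MyDoom backdoor port, then the host
opens an outbound IRC connection. Added example; every port, address
and log format below is an assumption, not a fact from the article."""
from datetime import datetime

MYDOOM_BACKDOOR_PORTS = {3127, 1080}   # assumed MyDoom.a/.b listener ports
IRC_PORTS = {6667, 6668, 6669, 7000}    # assumed: commonly used IRC ports
INTERNAL_PREFIX = "192.0.2."            # assumed internal range (TEST-NET-1)


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def parse_flow(line):
    """Parse one constructed firewall-style record of the form
    '<iso-timestamp> <src>:<sport> -> <dst>:<dport> <proto> <ACCEPT|RESET>'."""
    ts, src, arrow, dst, proto, verdict = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src_ip, "sport": int(sport),
        "dst": dst_ip, "dport": int(dport),
        "proto": proto.lower(), "verdict": verdict.upper(),
    }


def find_takeover_candidates(lines):
    """Return {host: details} for internal hosts where, in time order,
    1. an external peer completed a TCP connection to a MyDoom backdoor port, and
    2. the host afterwards completed an outbound connection to an IRC port.
    'backdoor_closed' is added when a later probe of the MyDoom port is reset,
    consistent with Deadhat shutting the old backdoor behind itself."""
    state = {}
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f["ts"])
    for f in flows:
        if f["proto"] != "tcp":
            continue
        inbound = is_internal(f["dst"]) and not is_internal(f["src"])
        outbound = is_internal(f["src"]) and not is_internal(f["dst"])
        if inbound and f["dport"] in MYDOOM_BACKDOOR_PORTS:
            host = state.setdefault(f["dst"], {})
            if f["verdict"] == "ACCEPT":
                host.setdefault("backdoor_hit", f["ts"].isoformat())
            elif f["verdict"] == "RESET" and "backdoor_hit" in host:
                host["backdoor_closed"] = True
        elif outbound and f["dport"] in IRC_PORTS and f["verdict"] == "ACCEPT":
            host = state.get(f["src"])
            # IRC use on its own is not evidence; it must follow the backdoor hit.
            if host is not None and "backdoor_hit" in host:
                host.setdefault("irc_peer", f"{f['dst']}:{f['dport']}")
    return {h: d for h, d in state.items() if "backdoor_hit" in d and "irc_peer" in d}


# Constructed sample records, deliberately out of time order.
SAMPLE_FLOWS = [
    "2004-02-10T09:58:40 192.0.2.10:1051 -> 198.51.100.9:6667 tcp ACCEPT",   # victim dials out to IRC
    "2004-02-10T09:58:12 198.51.100.7:40211 -> 192.0.2.10:3127 tcp ACCEPT",  # peer reaches the MyDoom backdoor
    "2004-02-10T10:02:03 198.51.100.7:40333 -> 192.0.2.10:3127 tcp RESET",   # old backdoor port now closed
    "2004-02-10T09:59:00 198.51.100.7:40222 -> 192.0.2.11:3127 tcp RESET",   # clean host: nothing listening
    "2004-02-10T10:05:00 192.0.2.12:1060 -> 198.51.100.9:6667 tcp ACCEPT",   # IRC alone is not enough
]

if __name__ == "__main__":
    for host, details in find_takeover_candidates(SAMPLE_FLOWS).items():
        print(host, details)
```

Only 192.0.2.10 is reported: it accepted a connection on the MyDoom port, then connected out to IRC, and the port was later found closed. The host that merely talks to IRC is ignored, since a single outbound IRC session is ordinary user traffic; the requirement that the backdoor hit comes first is what makes the signal specific to this takeover sequence rather than to IRC use in general.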
mi2g executive chairman DK Matai warned: "After Deadhat has proliferated, the large army of MyDoom zombies will surrender control to Deadhat's perpetrators and nobody else.
"Post-Deadhat, any Web site could be held to ransom or infected machines could be used for spam campaigns and phishing scams without the owners' knowledge."