Mydoom - PowerPoint PPT Presentation

1 / 10

About This Presentation

Title:

Mydoom

Description:

Number of Views:554

Avg rating:3.0/5.0

Slides: 11

Provided by: boise3

Category:

Tags: dunham | jeff | mydoom

Transcript and Presenter's Notes

Title: Mydoom

1
Mydoom Facts, Fiction Future

Mydoom worms took the world by storm in late
January, 2004. Multiple codes, attacks, and
hijacks have since taken place.

2
Significant Events Leading Up to Mydoom Attacks

SoBig Worms January 2003 August 2003
Blaster DDoS attack against Microsoft Corp.
August 2003
Dumaru, MiMail and other worms are launched in
waves of attacks
Microsoft Corp. offers bounties to track down
malicious code authors
SCO Group buys Unix licenses, ticks off
open-source world
Microsoft Corp. issues patches on 2nd Tuesday of
Each month
2003 shows yet another increase in
vulnerabilities. Several are rapidly exploited
and 0-day becomes a common term.
2004 - A new year begins

3
Mydoom.A Attack

Unlike most e-mail worms, Mydoom.A was correctly
identified by the anti-virus industry as a major
worm from the beginning of the outbreak on Jan.
27, 2004.
Randomized subject, body and attachments. Also
generates many randomized TO addresses from
common names combined with harvested domains
(jeff_at_).
Randomized P2P worm.
May send out attachments in .bat, .cmd, .exe,
.pif, .scr, or .zip. ZIPs are more likely to
bypass the corporate gateway.
Attacks SCO.COM with a DDoS attack.
Acts as proxy and may receive TCP uploads to
execute.
Includes a kill date but requires a restart and
correct date/time routine comparison to remove
itself.

4
Mydoom.B Attack

Discovered in the wild just one day after
Mydoom.A but never gained ground in the wild.
Spreads as a network attack worm/bot to find
computers infected with Mydoom.A (TCP port 3127).
Attempts to update itself on Mydoom.A infected
computers.
Controls uploads by authenticating the upload via
the file size and MD5 value. At least two
uploads allowed.
Attacks both SCO.COM and Microsoft.com in DDoS
attacks.
Has a kill date of March 1, 2004, much later than
that of the Mydoom.A creation.
Overwrites HOSTS file to prevent access to many
sites.

5
Mydoom DDoS Attacks

SCO.COM took servers offline during the attack.
Microsoft.com averted the threat since Mydoom.B
was never that widespread and Microsoft
manipulated traffic management via packet
headers.
Followed by DoomJuice.A which aggressively
attacks Microsoft.com on the 12th onwards. This
could be related to a DDoS against individuals
attempting to access Microsoft Corp. for monthly
patches.

6
Mydoom Hijackings

Mydoom.A computers are going away, new zombie
armies rising up in power and prevalence.
An estimated 1M or more computers available for
hijacking.
Multiple hijacking of Mydoom.A computers.
Vesser.A, DoomJuice.B, DoomShell.BAT, Vesser.B,
DoomJuice.A.DAM, Mitglieder.F, 5 Trojans,
bots/junk.
40 of spam sent through Mydoom.A proxies in one
instance.

7
Mydoom.A Source Code

Mydoom.A source code was included in DoomJuice.A.
This is full source code in C, the keys to the
kingdom.
iDEFENSE predicted new Mydoom variants as a
result. A new minor variant soon emerged, but
thankfully gained little ground in the wild.
New high-volume mass mailing worms are likely in
2004.
SoBig.F multi-threaded engine
High notoriety
Overloads e-mail servers
Increased chance of success
Source code for Mydoom.A makes it that much
easier
DDoS attacks are easy and gaining popularity ever
since Yaha

8
Kill Date Correlations

9
Possible Origin of Attacks
10
Questions Answers Malcode 2004