07-27-2004, 07:39 AM
Biz Report - Security
Monday, July 26, 2004
An Internet worm that uses Web search engines to find new victims spread widely on Monday, apparently causing problems for Google Inc. on the day it set the price range for its initial public offering, Internet security experts reported.
The reports about the worm, a variant of a Web attack called MyDoom, came as outages on the search site Google.com hit in the United States, France and Great Britain. In many places the site was said to be working normally.
"The latest version of MyDoom, which started arriving in people's mail boxes in force today, uses search engines to find more recipients for its message," security research service SANS reported on Monday. "Some search engines report performance issues."
Web site performance slowed broadly on Monday, suggesting the possibility that a virus or other Internet attack may be causing problems, said Keynote Systems Inc., a Web performance tracking firm.
"It could be an indication that something is impacting the Internet overall. We are certainly looking into it and also looking into the possibility of some sort of attack. We are starting to see things creep up," said Keynote spokeswoman Della Lowe.
07-27-2004, 04:12 PM
What I find kind of interesting is that it hit Yahoo and Alta Vista, yet when you read the article on Yahoo it says... Worm hits Google and slows search engine! and goes on and on and then near the end it says Oh yeah and by the way it also hit Yahoo.
07-29-2004, 04:38 PM
This story appeared on Network World Fusion at
MyDoom.O hammering search engines
By Paul Roberts
IDG News Service, 07/26/04
Anti-virus software companies are warning e-mail users about a new version of the MyDoom e-mail worm, dubbed MyDoom.O, which is spreading on the Internet and causing slowdowns at search engines, including those run by Lycos and Google.
Leading anti-virus software companies issued alerts for MyDoom.O, which was first detected Monday and arrives in e-mail message attachments that, when opened, install the virus and open a back door that remote attackers can use to access infected machines. While similar to other versions of MyDoom, the O-variant is testing a new approach: using major search engines to harvest e-mail addresses on Web domains that it discovers, slowing those sites, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.
"The standard scheme is for viruses to look (for e-mail addresses) in the Web cache," he said, referring to the store of previously visited Web pages stored on computer hard drives. But if MyDoom.O finds an e-mail address, in addition to sending a copy of itself to the address, it also does a Web search on the Web domain and uses the search results to discover more addresses in that domain, according to Ullrich.
Ullrich estimated that "a couple hundred thousand machines" may be infected with MyDoom.O. Those machines can generate huge volumes of search requests, which appear to be bogging down major search engines. A number of sources reported difficulty reaching Google, Yahoo and other sites Monday. The Lycos search engine could not be reached as this story was filed.
Google declined to comment for the story. Yahoo was unable to immediately comment.
McAfee rated the new MyDoom version a "medium" threat, citing a large number of virus samples received by the company. Symantec ranked MyDoom.O, which it labeled MyDoom.M, a "moderate" threat, indicating a "potentially dangerous" threat to the Internet.
Like previous versions of MyDoom, MyDoom.O arrives in e-mail addresses sent from faked (or "spoofed") e-mail addresses and with vague subjects such as "hello," "error," and "status."
The worm uses a number of different ruses to fool e-mail recipients into opening the infected e-mail attachment. Among other things, the virus poses as an administrative message from the user's e-mail server and, ironically, as directions to remove a virus, said Joe Telafici, director of operations for McAfee's Antivirus Emergency Response Team (AVERT).
McAfee received about 40 MyDoom.O virus samples per hour since first identifying the new variant at around 6:30 a.m. Pacific Time, Telafici said. That's a more sustained rate than recent outbreaks like Bagle.AF, which died out quickly after first appearing. Some anti-virus researchers attribute such spikes to virus "seedings" that use compromised machines, or "zombies," to distribute virus-infected e-mail to millions of machines simultaneously.
The fact that MyDoom.O submissions have remained high may be evidence that the virus is spreading and generating its own mail traffic, Telafici said.
At Boston College in Chestnut Hill, Massachusetts, network administrators saw a spike in MyDoom.O e-mail between 7:00 a.m. and 10:00 a.m. Eastern Time, but the virus-generated e-mail dropped off sharply after anti-virus companies, including McAfee and Sophos, released virus definition updates to detect MyDoom.O, said David Escalante, director of computer security at the college.
Anti-virus companies advised customers to update their virus definitions to detect the MyDoom.O worm.