Diary Of A Virus
Within 24 hours of its release, the MyDoom virus had flooded the world’s email networks, making it the fastest-spreading virus ever.
Published in The Guardian Feb 04
They first detected it at 13:03 GMT, 10 days ago. An innocuous attachment in an email sent from Russia triggered a minor alarm at the Global Operations Centre of Messagelabs, a leading email security firm. No one paid it much attention. Just another new virus, one of the handful that are trapped, analysed and blacklisted every day in the darkened bunker in Gloucester they call the war room. Little did they know…
Here, like mission control, a large map of the world hangs over rows of terminals. A staff of pale, young operators work around the clock, filtering more than 30m emails a day for the UK government, international banks and other large organisations. Monitors spool incomprehensible code like screens from The Matrix. Viruses, spam and other “malware” are checked upstream by expensive super-processor towers before they can reach their clients’ computers.
Initially, the number of copies of the new virus - christened MyDoom after a misspelling of “my domain” in its code - was small, just a few hundred. Three other, more dangerous-looking viruses were swirling around the world’s email networks at the time.
“We were concentrating on those,” says Alex Shipp, a senior anti-virus technologist. “MyDoom wasn’t that interesting.”
Unexpectedly, within just a few hours, MyDoom numbers started to rise: to 40,000, then to 80,000, then 100,000. “We were on the phone to everyone,” says Shipp. “‘Drop everything. Get your anti-virus signatures out as soon as possible.’”
It was too late. At 9pm GMT, after eight hours’ gestation in the wild, MyDoom spiked. Millions of copies poured across the internet and all hell broke loose. Email servers around the world buckled. By the time it reached its peak last Tuesday week, one in 12 emails in the world was MyDoom-generated.
This tiny sliver of code had wiped out the records of August’s Sobig and the legendary Lovebug worm of 1999 to become the fastest-spreading virus of all time.
2.
MyDoom, like most viruses, was easy to detect, but stopping it spreading was another matter. Messagelabs’ heuristic virus-recognition engine, known as Skeptic, spotted it instantly. However, home users and small companies, unable to use this lightning corporate filter, had to rely on consumer-level anti-virus software with one main flaw. Most of it relies on constantly downloaded fingerprints or “signatures” to recognise and block newly discovered viruses.
“Once a signature is installed, you’re protected,” says Paul Wood, chief information security analyst at Messagelabs. “The problem arises in the time between the virus appearing and the signature being released and installed - the so-called ‘window of vulnerability’.”
The duration of this window is crucial to whether a virus succeeds or fails. With a short window, say an hour or two, the virus is usually snuffed out before it can become a threat. A longer window, however, gives the virus enough time to propagate millions of copies of itself without being detected. This was the case with MyDoom. Even working as fast as they could, anti-virus technicians took eight hours to start cranking out the first signatures.
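To make the window-of-vulnerability argument concrete, here is an added toy model that is not part of the Guardian article and not code from Messagelabs or any anti-virus vendor. It treats the outbreak as hourly compound growth: every infected host sends a fixed number of infected messages per hour, a fraction of recipients open them, and once signatures reach users (after the configured delay) a fixed share of hosts block the attachment. Every parameter value (population, send rate, open rate, coverage) is a constructed illustration, not a measured MyDoom figure; the model is generic rather than specific to MyDoom.

```python
"""Toy model of how the length of the 'window of vulnerability' shapes an
email worm's reach. Added illustration; all parameters are constructed."""
from dataclasses import dataclass


@dataclass
class Outbreak:
    population: int            # hosts that could be infected (constructed)
    sends_per_hour: float      # infected messages each infected host emits per hour
    open_rate: float           # fraction of recipients who open the attachment
    signature_delay_h: int     # hours before signatures reach users (the window)
    signature_coverage: float  # fraction of hosts that block it once signatures are out


def simulate(o: Outbreak, hours: int) -> list:
    """Hour-by-hour count of infected hosts, starting from a single infection."""
    infected = 1.0
    susceptible = float(o.population - 1)
    history = []
    for h in range(hours):
        # Before the signature arrives nothing is blocked; afterwards a fixed share is.
        blocked = o.signature_coverage if h >= o.signature_delay_h else 0.0
        # Messages that reach an unprotected recipient and are opened
        attempts = infected * o.sends_per_hour * o.open_rate * (1.0 - blocked)
        # Only messages landing on still-susceptible hosts cause new infections
        new_infections = min(susceptible, attempts * susceptible / o.population)
        infected += new_infections
        susceptible -= new_infections
        history.append(int(infected))
    return history


def compare_windows(short_h: int = 2, long_h: int = 8, hours: int = 12):
    """Final infection counts for a short and a long signature window."""
    base = dict(population=10_000_000, sends_per_hour=20, open_rate=0.1,
                signature_coverage=0.95)
    short = simulate(Outbreak(signature_delay_h=short_h, **base), hours)
    long = simulate(Outbreak(signature_delay_h=long_h, **base), hours)
    return short[-1], long[-1]


if __name__ == "__main__":
    short_final, long_final = compare_windows()
    print(f"2-hour window: {short_final} infected after 12h")
    print(f"8-hour window: {long_final} infected after 12h")
```

With these constructed settings each infected host triggers two further infections per hour while the window is open, so a 2-hour window leaves a few dozen infections after twelve hours whereas an 8-hour window leaves thousands: the same code, the same users, only the signature delay changed.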
Eight hours during peak European and American business hours was more than enough time for the super-distributed virus to reach critical mass. By 9pm on Monday, thousands of people were opening it. It began replicating exponentially, shedding millions of copies of itself in all directions.
Previous viruses have masqueraded as love letters or even as emails from the FBI. MyDoom’s genius was to disguise itself as an error message. “Mail delivery failed: returning message to sender” reads one of its terse subject lines. A text or Zip file of the message appears to be attached. Open it and the virus is activated. Thousands fell for the ruse. MyDoom has a further twist. Once activated, most modern viruses send themselves to a selection of email addresses found on the infected hard drive - and then stop. “But MyDoom loops forever,” says Mikko Hypponen, anti-virus director at F-Secure, “sending more and more infected messages to every single address found on the hard-drive for ever and ever”.
Worse things, however, were in store for the Utah-based software company SCO. In an act of apparent terrorism, MyDoom and all its copies were programmed to attack www.sco.com simultaneously at 16:09 GMT on February 1. And right on time, more than a million computers attempted to load the company’s web homepage three times a second. It was the largest distributed denial of service attack seen on the net. The site folded. SCO quickly pulled the plug.
Another, less successful variant of the virus, MyDoom.B, tried a similar attack on Microsoft.com, but it was shrugged off. This attack may give a clue to the identity of the author. SCO is embroiled in an ugly dispute with the web’s open source community and its free operating system, Linux. SCO claims key parts of its copyrighted Unix code have found their way into Linux. It is suing IBM, Red Hat and Novell, and demanding that individual corporate users pay a licence fee. This has made the company very, very unpopular in some circles.
“Whoever wrote MyDoom is definitely a Linux fan,” says Jack Clark, technology consultant at McAfee Associates, an anti-virus company. Most Linux users, however, condemn the virus author. “Well, you stupid, ignorant bastard, if you’re reading this - no one admires you,” reads one post on tech community site Slashdot.org.
However, there is speculation that these website attacks are just a smokescreen to hide the real motivation behind the virus. MyDoom installs a backdoor that turns infected machines into spam relay robots. Anyone with the virus could become the unwitting propagator of penis engorgement and toner cartridge deals.
“I think it’s because now spam is such a big business, obviously some guy is paying people to write these things,” says Paul Wood, an analyst at Messagelabs. Other viruses have pioneered this technique. He believes an unholy alliance between spammers and virus writers will define the nature of future threats. But not everyone agrees with him. “I believe the virus writer just simply thought: ‘I may as well throw this feature in’,” says McAfee’s Clark.
The experts do agree on one thing: there will be many more viruses to come. “These things come in two or three-month cycles,” explains Messagelabs’ Shipp. “After a big virus, everyone becomes extra vigilant with their anti-viruses, but after a while, it tails off. They forget or can’t be bothered. That’s when another virus sneaks through.”
It’s also easy to make viruses. Freely available toolkits can auto-generate them at the touch of a button. “In the old days, it was a skillful task. Nowadays, anyone who wants to can write a virus,” says Shipp.
The Anna Kournikova virus, which caused widespread chaos in 2001, was kit-produced, using mostly default settings. The 20-year-old Dutch author surrendered to police. Despite $250,000 bounties offered by both SCO and Microsoft, there’s little chance of the MyDoom writer even being tracked down.
“The writer may be American, compromising a machine in China, to send stuff from Russia,” says Shipp. “Besides, if I was him, my computer would be at the bottom of a deep lake by now.”
3.
Virus outbreaks may be dramatic, maintain experts, but they are just occasional annoyances compared to spam. A massive 62% of all email in the world is now spam. On a visit to the UK last week, Bill Gates signalled Microsoft’s focus on developing email technology to allow recipients to verify the sender of emails. “This is critical for security,” he said, “and for getting rid of spam.”
While welcoming the comments, some security experts are more pessimistic, even fatalistic. “Email is dying,” says Hypponen. “It’s coming to its end.” Any day now, he says, a MyDoom-style virus could quickly overload and break the entire email system without a chance of recovery - simply by sending out millions of generic, unfilterable messages in a loop, round the clock, forever. “Then we would have to drop email as we know it. Every email server, every email client in the world.”
Back in the Messagelabs war room, the atmosphere is less apocalyptic. More than a week later, they are still at level one, high alert. MyDoom is programmed to self-destruct on February 12, Paul Wood explains. No one is quite sure why, but it is unlikely to signal the end of MyDoom. Previous viruses had cut-off dates but copies still circulate in the wild and probably will forever.
“There’s so many computers out there using old operating systems with the date and time set incorrectly or with their battery flat,” he says. “Lots of viruses are coming out of those machines.”
Also, many people simply don’t use anti-virus software. Now, and in the future, it will always be this underclass of uneducated users who will spread the infection. “Eventually, there may be two internets,” he says. “A clean one where security is part of the infrastructure, and a ‘dirty internet’ for all the old insecure technologies and people who just can’t be bothered.”
Wood eyes the world map and sighs. Whole swathes are still glowing red, showing the spread of the MyDoom virus. And the phones keep ringing.