As victims clean up, Mydoom mail keeps coming

IDG News Service - The Mydoom e-mail worm that first appeared Monday is spreading more slowly, but the flood of infected e-mail messages it is generating shows no sign of abating, according to antivirus and e-mail security companies.
As organizations clean up following the outbreak, attention is turning to the enormous network of infected machines that continues churning out e-mail messages and will launch a 12-day-long distributed denial-of-service (DDoS) attack against Unix software company The SCO Group Inc. on Sunday, said Mikko Hypponen, antivirus research director at F-Secure Corp.
E-mail security company MessageLabs Inc. in Gloucester, England, has stopped 8.4 million e-mail messages containing copies of the worm since Monday, said Natasha Staley, information security analyst at MessageLabs. "The virus has slowed down from the first 24 or 48 hours, but it's still out there in pretty huge numbers," she said.
About 20% of the e-mail received by servers owned by the city of Boston are Mydoom-generated e-mail. So far this week the city has received "thousands and thousands" of Mydoom messages, said Craig Burlingame, the city's CIO.
To the south, North Carolina State University in Raleigh is still receiving about 1 million Mydoom e-mail messages per day, five days after Mydoom first broke out on the Internet, said Tim Lowman, a systems architect at NC State. The university has been receiving about 2.4 million messages per day since the outbreak began, double its normal volume, which is taxing mail servers, but has not slowed the delivery of e-mail, he said.
The flood of Mydoom e-mail is a credit to the worm's superefficient SMTP engine and to a slightly different approach to sending mail from earlier worms such as Sobig-F, Hypponen said.
Unlike earlier e-mail mass mailing worms, Mydoom not only sends e-mail messages to the addresses it culls from infected machines, but also keeps sending mail to those same addresses in a never-ending loop, until the virus reaches its Feb. 2 expiration date, he said.
NC State saw infections on about 500 of the 30,000 to 40,000 hosts on the university network. Most of those infections were linked to systems in student dormitories, despite the fact that students received free copies of Symantec Corp.'s Norton Antivirus software from the university, Lowman said.

However, after suffering through an outbreak of the Sobig worm, NC State deployed a series of e-mail "governors" across the campus, monitoring mail traffic from individual hosts, and limiting each host to no more than 100 messages per hour. Despite an ice storm that shut down the campus on Monday, just as Mydoom was circulating, the governors were able to shut off e-mail access for Mydoom-infected hosts and keep them from sending out e-mail copies of the virus, he said.
"Most of our response was handled by automated processes, and I was very pleased with how that worked," he said.
While organizations and individuals mop up after Mydoom, attention is shifting to the planned DDoS attack that the worm will launch on The SCO Group's Web site Sunday.
Network Associates Inc.'s McAfee antivirus unit said late yesterday that between 400,000 and 500,000 machines worldwide are believed to be infected with Mydoom. F-Secure puts the number at a "couple hundred thousand" hosts, Hypponen said.
Whatever the exact number, the Mydoom author has a "huge" network with which to launch an attack, Hypponen said.
Even large companies such as Microsoft Corp. would be challenged to handle traffic from so many systems. SCO is not such a company and has been knocked off-line by much smaller DDoS attacks in the past, he said.
SCO didn't immediately respond to a request for comment.
At NC State, administrators are worried more about compromised machines being procured by spammers than they are about them being used as zombies in a DoS attack, Lowman said.
NC State has been careful to maintain good relationships with antispam blacklist organizations in the past and doesn't want to risk getting blacklisted because spammers take advantage of a back door created by Mydoom on infected machines, he said.
The university's IT staff is busy patching infected systems and will monitor their e-mail use closely in the future, using the e-mail governors to cut off so-called "chatty hosts" that start to distribute large volumes of e-mail, he said.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.