Already labelled as the one of the most damaging worms ever, the Mydoom malicious code is proving to be a boon for hackers and spammers but of little consequence to those Canadian companies that took security up a notch after last year’s spate of worms.
The Bank of Montreal (BMO), a company which was already replete with security technology, has “incorporated the lessons learned last year,” said Robert Garigue, the financial institution’s Toronto-based chief information security officer. “There has been a transformation.”
Last year’s Slammer and Blaster worms, referred to as a “shot over the bow” by Symantec Canada’s general manager Michael Murphy, were a painful lesson that convinced many companies to pay more attention to security.
Garigue said BMO is doing a better job of patch management, monitoring the currency of its applications, operating systems and antivirus management. The resultant system “is a series of rings to ensure as much defence as possible,” Garigue said. Mydoom was “filtered off at the gateway,” he said, though BMO security experts did see “indications of it arriving.” Since BMO quarantines all e-mail attachments (it sends recipients a notice that they can retrieve the attachment if needed), Mydoom was ineffectual. But even if an infected laptop had made it through, internal systems would have picked up on the abnormal behaviour of Mydoom trying to e-mail itself out. “We have agents that look for that kind of activity,” Garigue said.
Unlike last year, Garigue said, this time around he and his counterparts at other Canadian financial institutions seem to have been unaffected. A spokesperson for the Royal Bank concurred, saying it was not affected by Mydoom.
Simon Tang, senior manager, security services with Deloitte in Toronto, said the small business and consumer markets were hardest hit since neither possess the multi-tiered defence systems that larger corporations have in place. Having said that, he agrees with the prognosis that it is one of the worst worms seen in recent years. “It is definitely spreading at a very fast pace, faster than Blaster,” he said.
Kevin Krempulec, the Toronto-based Canadian channel manager for Symantec Corp., said at the end of Jan. 27 its statistics back up this conclusion. Of the 246 Mydoom submissions it received from Canadian customers, only 10 were from corporate clients.
Like most malicious code, a new variant soon followed. The b variant of the Mydoom has a rather tricky little bit of host file modification incorporated into it, Tang said. An infected computer is prevented from accessing most antivirus vendor’s sites to download a fix. The list includes over 50 blocked sites. Though a user can enter the antivirus company’s IP address in a browser address bar to circumvent the worm’s intentions (or open the host file and delete the modification), this requires a level of tech savvy beyond most end users, he added.
Tang said that the true intention of Mydoom is a bit of a mystery. Both variants are designed to launch denial of service attacks (against sco.com and microsoft.com respectively) and both also are designed to leave ports (3127 to 3198) opened for hackers to access at a future date. Krempulec said Symantec is already noticing an increase in activity on the Internet of 3127 port scans. There are hypotheses that the open ports, or back doors, on infected machines will be used by spammers as e-mail relays in the future but Krempulec said “it is hard to pinpoint the different motives for hackers and virus writers.” Another concern is that hackers will install keystroke logging software on infected machines and steal user names and passwords.
Symantec and other antivirus vendors have a fix available that will delete Mydoom and close the opened ports. Mydoom is e-mail client agnostic and affects most all versions of Windows including 95, 98, NT, XP, Me and 2000. It is believed to have infected as many as 300,000 machines worldwide and is still spreading.