The newest version of the MyDoom virus suggests to security experts that the much-anticipated Zero-Day attack may have already arrived.
Zero Day refers to an exploit, either a worm or a virus, that arrives on the heels of, or even before, the public announcement of a vulnerability in a computer system. This version of MyDoom appeared only two days after a security flaw in Windows IE was made public by two hackers, according to reports.
What’s different about this version of MyDoom is instead of attaching itself to an e-mail as an executable program, it appears instead as a Web link within the text of an e-mail message. Clicking on the link will direct a person’s browser to another Web site that will exploit an IFrames vulnerability in IE and thereby infect that person’s machine.
“Up until today, every worm that came out had a fix and that fix was out there for some time,” said Stuart McClure, president and CTO of Foundstone Strategic Security (a division of McAfee Inc.) in Mission Viejo, Calif.
McClure suggests it will only be a short time before a worm or virus appears exploiting an unknown vulnerability and no mechanism to fix it. The time difference between when security vulnerabilities become known and exploits are created to take advantage of those flaws has been shrinking for some time. Two years ago, that time difference was somewhere between four to six weeks.
“For the first six months of this year, (that time difference) was about 5.8 business days, and in this most recent case it was just two days,” said Alfred Huger, senior director of engineering with Symantec Corp. in Calgary. “The problem is that it is extremely difficult for a vendor to put out a patch in that short of a time.”
Carol Terentiak, security strategy and response manager with Microsoft Canada Co. in Mississauga, Ont., says this version of MyDoom suggests virus and worm writers are becoming more sophisticated, that persons are going beyond merely tweaking existing virus code and doing more sophisticated work by first prying apart and looking for problems in the systems they may want to compromise.
There was some suggestion that the release of the virus was timed to disrupt Microsoft’s monthly security bulletins. Each month, Microsoft releases a security bulletin that provides customers with information about security issues, exploits and fixes that are available. The timing of this MyDoom variant suggested to some that its author may have hoped to trip-up the bulletin by showing it to be inadequate in providing up-to-date security information and fixes to Microsoft customers.
Terentiak says she is not aware of that being the case. She adds Microsoft users who have installed Service Pack 2 for Windows XP were already at a reduced risk of having problems with this virus. Service Pack 2 comes with built-in protections against the kinds of exploits that MyDoom tries to perpetrate on a machine. Still, Microsoft is working on a separate patch for the vulnerability in IE.