Mydoom

Latest Mydoom Virus May Signal Dreaded 'Zero Day' Attack

Reprinted From: Computerworld NOV 15, 2004

The latest version of the Mydoom virus suggests to security experts that a much-anticipated "zero day" attack may have already arrived.


"Zero day" refers to an exploit, either a worm or a virus, that arrives on the heels of, or even before, the public announcement of a vulnerability in a computer system. This week's version of Mydoom appeared only two days after a security flaw in Windows Internet Explorer was made public by two hackers, according to reports.


What's different about this version of the virus is that instead of attaching itself to an e-mail as an executable program, it appears instead as a Web link within the text of an e-mail message. Clicking on the link will direct a person's browser to another Web site that will exploit an IFrames vulnerability in Internet Explorer and thereby infect that person's machine.


"Up until today, every worm that came out had a fix and that fix was out there for some time," said Stuart McClure, president and chief technology officer of Foundstone Strategic Security in Mission Viejo, Calif.


McClure suggests that it will be only a short time before a worm or virus appears exploiting an unknown vulnerability with no mechanism to fix it. The time difference between when security vulnerabilities become known and exploits are created to take advantage of those flaws has been shrinking for some time. Two years ago, that time difference was somewhere between four and six weeks.


"For the first six months of this year, [that difference] was about 5.8 business days, and in this most recent case, it was just two days," said Alfred Huger, senior director of engineering at Symantec Corp. in Calgary, Alberta. "The problem is that it is extremely difficult for a vendor to put out a patch in that short of a time."


Carol Terentiak, security strategy and response manager at Microsoft Canada Co. in Mississauga, Ontario, said this version of Mydoom suggests that virus and worm writers are becoming more sophisticated and going beyond merely tweaking existing virus code. They are doing more sophisticated work by first prying apart and looking for problems in the systems they may want to compromise, she said.


There was some suggestion that the release of the virus was timed to disrupt Microsoft's monthly security bulletin. Each month, Microsoft releases a security bulletin that provides customers with information about security issues, exploits and fixes that are available. The timing of this Mydoom variant indicated to some that its author may have hoped to trip up the bulletin by showing it to be inadequate in providing up-to-date security information and fixes to Microsoft customers.


Terentiak said Microsoft users who have installed Service Pack 2 for Windows XP are already at a reduced risk of having problems with this virus. Service Pack 2 comes with built-in protections against the kinds of exploits that Mydoom tries to perpetrate. Still, Microsoft is working on a separate patch for the vulnerability in Internet Explorer.


Terentiak advised people who are concerned to check online at either www.microsoft.com/security or www.microsoft.com/protect for more information.