A variant of the MyDoom worm sparked a data flood at Microsoft’s main Web site Tuesday but had little effect.
The company was able to fend off the attack because it had ample warning that the malware would strike. Also, the variant, MyDoom.B, was less widespread than the first version, which hit an estimated 2 million PCs.
However, the MyDoom worm is far from dead. Microsoft has issued an alert warning that infected machines may have difficulty reaching Microsoft.com and some antivirus vendors’ sites.
“Microsoft is very adept at being prepared for emergencies,” Aberdeen Group analyst Peter Kastner told the E-Commerce Times. “They were already focused on security, so it’s not surprising that they would be ready.”
According to Mikko Hypponen, director of antivirus research in F-Secure’s Helsinki, Finland, office, the worm currently tries to connect to the Microsoft home page 10 times every three seconds.
Hypponen told the E-Commerce Times that he would have been taken aback if Microsoft had reported significant problems as a result of the worm. “They knew well ahead of time, and that enabled them to take measures,” he said. “Also, because this variant wasn’t as widespread, we knew the Microsoft site wouldn’t be going down.”
Although Microsoft would not discuss specifics on how it prevented the distributed denial-of-service (DDoS) attack, the company said in a statement that administrators have been working for two days to prepare for the attack.
The company also noted, “We aggressively worked with our Virus Information Alliance partners to help protect customers from this outbreak.”
Microsoft has set up a new site, http://information.microsoft.com, that contains information about MyDoom for individuals who cannot access the company’s homepage as a result of the worm.
Machines that are infected by the B variant were programmed to begin sending HTTP GET requests to the Microsoft site yesterday — and to keep flooding the site until March 1st.
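The behaviour described above (repeated HTTP GET requests from each infected host at roughly 10 per three seconds) is the kind of pattern a web server operator can spot in ordinary access logs. The following is an added example, not code from the article or from Microsoft, that parses a few constructed Common Log Format lines and flags any client whose GET rate within a three-second window reaches the threshold the article quotes; the IP addresses, timestamps and paths are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format (plus the two quoted fields of the "combined" format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_flooders(lines, window_seconds=3, threshold=10):
    """Sliding-window rate check, keyed by client IP.

    For every GET, keep the timestamps of that client's GETs from the last
    window_seconds (half-open window, so exactly three distinct seconds).
    Returns {ip: peak GETs seen in any window} for clients reaching threshold.
    Lines that do not parse are skipped rather than raising.
    """
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


# ---- constructed sample log (not real traffic) ----------------------------
def _clf(ip, second, method="GET", path="/"):
    return (f'{ip} - - [03/Feb/2004:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 1024 "-" "-"')


# GETs per second from the constructed "infected" host: 10 in any 3 s.
FLOOD_SCHEDULE = [4, 3, 3, 4, 3, 3]
SAMPLE_LOG = []
for sec, n in enumerate(FLOOD_SCHEDULE):
    SAMPLE_LOG += [_clf("198.51.100.7", sec) for _ in range(n)]
# Ordinary visitors, a non-GET request, and one malformed line. The detector
# keys on the client IP, so grouping by source instead of by time is fine here.
SAMPLE_LOG += [
    _clf("203.0.113.5", 1, path="/download"),
    _clf("203.0.113.5", 5, path="/security"),
    _clf("203.0.113.9", 2, method="POST", path="/search"),
    "this line is not in common log format",
]

if __name__ == "__main__":
    for ip, n in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {n} GETs within 3 s")
```

The threshold is deliberately a parameter: a flat rate limit like this catches a single noisy client, but a flood spread across many infected machines shows up as aggregate volume rather than per-source rate, which is why the article's defenders relied on advance warning and capacity rather than on filtering alone.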
Besides having fewer infected machines involved in the attack, Microsoft also caught a break as a result of faulty code. A flaw in the programming of the B variant prevents the attack from beginning 93 percent of the time.
Like MyDoom.A, the B variant is also directed at The SCO Group’s Web site, which began to be flooded late Saturday. Because MyDoom.A, the first variant, was more pervasive, SCO was forced to shut down its site until Feb. 12th, when the DDoS attack is due to end. An alternate site was created so that attacking computers would not have a target.
As the Worm Turns
Hypponen noted that further damage from MyDoom is not expected. “It’s a simple overload-the-Web-site attack, so it should have very little effect on the rest of the Net,” he said. “This is simply an extreme case of slashdotting, where a site suddenly gets its traffic increased massively.”
Although the Internet may not be directly affected by MyDoom after its expected halt on March 1st, the worm will remain uppermost in the minds of those who focus on Web security.
“This is the single biggest DDoS attack ever,” Hypponen said. “That’s making people think.”
Despite having an understanding of how malware spreads, many security experts seemed surprised by MyDoom’s virulence. Symantec spokesperson Mark Perry told the E-Commerce Times that there will be much more interest in preventing attacks from this point onward.
“Individuals and companies are going to be thinking about how to minimize vulnerabilities,” he said. “This is something that definitely needs to start happening now, before the next one hits.”