MyDoom Attack On Microsoft Falters

Microsoft dodged the denial-of-service bullet fired by the Mydoom.b worm Tuesday, due in equal parts, said an analyst, to a hacker's clumsy programming and the slow spread of the variant.

February 4, 2004

4 Min Read
NetworkComputing logo in a gray background | NetworkComputing

Microsoft dodged the denial-of-service bullet fired by the Mydoom.b worm Tuesday, due in equal parts, said an analyst, to a hacker's clumsy programming and the slow spread of the variant.

Unlike The SCO Group's Web site -- which was brought down by the original Mydoom worm, dubbed Mydoom.a -- Microsoft's site remains up and running. SCO removed its original site from the Internet's global directory over the weekend, and has offered up a new URL -- www.thescogroup.com -- as a replacement.

One web monitoring firm noted that Microsoft's primary site of www.microsoft.com, which was the second denial-of-service (DoS) target of the Mydoom.b worm, was actually performing better Tuesday than the day before. (Mydoom.b was coded to initiate its DoS attack on Microsoft.com as of 8:19 a.m. (EST) Tuesday.)

While Microsoft.com is experiencing some degradation in performance today -- 10 to 20 percent slower compared to the last two Tuesdays -- it's performing significantly better than yesterday, according to Ken Godskind, vice president with AlertSite, when many users may have been accessing the site to retrieve a newly-posted update to Internet Explorer.

At 1 p.m. (EST) Tuesday, for example, Microsoft.com's performance was up 25 percent over Monday's, said Godskind."From an availability standpoint, Microsoft has been completely unaffected by Mydoom," he said. "I suspect that Microsoft has done a good job of defending its sites and servers."

The fact that Microsoft's site wasn't affected didn't take security analysts by surprise. By late last week, many of the security experts monitoring Mydoom.b were saying that the variant wouldn't drag down Microsoft's site.

Mydoom.b, and its precursor, Mydoom.a, both used infected machines to conduct DoS attacks against sites. The worms forced compromised systems to bombard the home pages of SCO and Microsoft in the hopes of overloading their servers and making the URLs inaccessible.

The reason Microsoft escaped SCO's fate, said Jimmy Kuo, a McAfee fellow at Network Associates, and the founder of that company's AVERT security team, comes from a combination of the small numbers of Mydoom.b-infected systems and a programming gaffe in the worm's code.

"By yesterday, the count of Mydoom.b samples submitted to us was only in the teens," said Kuo, "and for two days last week, we saw none. It's just not spreading."A worm must reach an infection threshold to successfully conduct a DoS attack, said Kuo, and Mydoom.b just didn't make it. "If a worm's not managed to get out there, to reach that magic threshold, it's very, very difficult for it to spread."

According to Network Associates' estimates, only about 10,000 machines worldwide have been infected with the Mydoom.b worm. Compare that to the 500,000 machines infected with the original Mydoom.a, which didn't target Microsoft.com, and it's easy to see why the Redmond, Wash.-based developer's Web sites remained up and running.

But numbers don't tell the whole story, said Kuo.

Both Mydoom.a and Mydoom.b have a programming error that limits the number of infected machines which will conduct the DoS attacks at the same time.

Only about seven percent of the Mydoom.b-compromised computers actually attack Microsoft.com simultaneously, according to Network Associates' analysis, said Kuo. (Mydoom.a also sports the same bug, but in its case, about 25 percent of the infected machines are able to attack The SCO Group's site at the same time.)"With less than 10,000 machines infected [by Mydoom.b], there are fewer than 1,000 computers attacking Microsoft.com at the same time," said Kuo. "In other words, there are more people going to the site to download the latest IE update than there are machines attacking."

The bug is yet another clue that the two worms were written by the same hacker, said Kuo. "We've always thought that one person wrote both," he said. "Each variant was signed for purposes for code backup; both included the name 'andy.'"

Microsoft would not go into details on what steps it had taken to deflect the Mydoom.b DoS attack, but "Microsoft's Web properties remain fully available to customers," a spokesperson said.

"While we are unable to discuss the specific remedies we took to prevent the DoS attack, we did make it a priority to ensure that sites, such as Windows Update, remained fully available," she said.

Besides running DoS attacks, Mydoom.b blocked access to a slew of anti-virus, security, and update sites, including Windows Update and Office Update. On Tuesday, Microsoft launched an alternate site that contains links to work-arounds users can apply to reach these blocked URLs.0

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights