January 26, 2004.
A whale explodes in the town of Tainan, Taiwan.
A buildup of gas in the decomposing sperm whale is suspected to have caused the explosion.
President Hamid Karzai signs the new constitution of Afghanistan.
Fred Haas, an American golfer, died at the age of 88. The song Hey Ya by OutKast was
number one on the American music charts. And the MyDoom computer worm started to spread
and saturate networks around the world on this episode of In the Shell.
Does this close a national security pattern?
Are being used without the operator's knowledge?
And if it sounds malicious, it's because it is.
40 attacks just this year on educational organizations.
And now to the massive cyber attack targeting hotels and casinos in Las Vegas.
To a possible cyber attack at one of the nation's busiest airports.
A cyber security firm, CrowdStrike, has caused this outage.
That it takes you longer to do something by putting it into a computer and calling it up again
than if you just kept simple records yourself in the house.
It was 8 a.m. on a Monday morning, and people in North America were grabbing their freshly
brewed cup of pre-ground Folgers coffee. Computers were slowly booting up after being powered
off for the weekend, and CRT monitors began to hum to life.
This is when the first sign of MyDoom, also known as Novarg, was spotted.
The first sign of MyDoom was traced back to an email originating from Russia.
After that, it started spreading like wildfire.
Like many of the worms I previously discussed, this one infected users over email.
Approximately four hours later, the worm's rapid spread slowed the overall internet by
about 10%, and the average load times of webpages by approximately 50%.
This worm was saturating the internet.
The slowdown only lasted a few hours, but you can imagine the disruption it caused to
individuals and businesses.
The computer security companies estimated that approximately 1 in 10 emails at the time
were from the worm.
And why was this all happening?
The worm was scheduled to launch a DDoS attack, distributed denial of service, against SCO Group's
website, www.sco.com.
SCO Group, which went out of business in 2012 after filing for Chapter 7 liquidation, was
located in Lindon, Utah, and was at the center of a bit of controversy involving a penguin.
The penguin I'm referring to is Linux.
Lindon-based software company SCO, or SCO, is a lightning rod of controversy in the computer
world today.
At the time, SCO Group was involved in a highly controversial lawsuit against companies using
the Linux operating system.
If SCO loses this case, software becomes free.
There's going to be a downward spiral.
SCO claimed ownership over parts of the Unix code and alleged that portions of its intellectual
property were used in Linux without permission.
SCO claims ownership of Unix, an operating system used to run small to huge businesses.
SCO says its client, IBM, has placed Unix code into the Linux operating system.
Linux is free, easy to modify and distribute, and is taking off worldwide.
SCO says it cannot compete against a free product that relies on its own trade secrets.
As you can imagine, this sparked outrage within the open source and tech communities, many
of whom saw the lawsuit as an attack on Linux and the open source movement.
This summer, free software advocates picketed SCO.
They're fired up over a fundamental fracture in cyberspace.
Free software versus intellectual property.
So when SCO Group's website went offline in the first few hours of MyDoom's spread, it
seemed like they were one of the targets of this worm.
However, this initial outage was never attributed to MyDoom, even though they would be targeted
by it later.
SCO Group claimed they had been the target of several DDoS attacks in the past year, unrelated to the worm.
Gee, I wonder why.
The attacks on SCO escalated to internet trash talk, hate mail, even death threats.
This thing would not be as big of a deal as it is if we didn't have a case.
So instead of waiting for a judgment where they feel they might lose,
they're trying to shut us down in the short term with all of these cyber attacks or personal attacks.
After some analysis of the worm, it was determined that it was programmed to DDoS SCO Group's website on February 1st.
So the next day, SCO Group offered a $250,000 reward, equivalent to $425,000 in 2024,
for information leading to the arrest of the worm's creator.
On January 28th, two days after the original discovery of the worm,
a new variant was found. The naming convention was very creative. The new variant was called
MyDoom.B. Similar to the original variant, the first message from Variant B also originated from
Russia. The new version included the instructions for the original DDoS attack against SCO Group,
along with an identical attack aimed at www.microsoft.com, which was scheduled to begin
on the 3rd of February. At the time, both attacks were suspected to be broken and non-functional
decoy code intended to conceal the backdoor function of MyDoom. Now before we move on,
I want to talk about some interesting things the B variant did. MyDoom borrowed its spreading
tactics from the ILOVEYOU worm and the Code Red worm in that it spread to everyone in the
user's email address book.
It also chose its subjects from a predefined list, which included "test", "hi", "hello", and "Mail Delivery System", to disguise itself as a message from the mail server, along with a predefined body like "mail transaction failed", "partial messages available", or "the message contains Unicode characters and has been sent as a binary attachment".
The attachment would have a name, again selected from a predefined list, such as document, readme, doc, or message, and an extension like .pif, .scr, .exe, .cmd, or .bat.
It would also sometimes apply multiple extensions to the attachment, so you would see something like document.scr.pif, all in an attempt to get the user to open the attached file that contained the worm.
But MyDoom did two things differently. From the list of harvested emails, the worm would also send emails to generic
names for the domains it discovered. So if the original email was ilovedogs@yourcompany.com,
it would also send emails to john@yourcompany.com or robert@yourcompany.com.
In addition, in an attempt to avoid spam filters, it would not send any emails to addresses that
typically had shared inboxes. So if it found any addresses that started with service, help, or
support, along with others, it would not send the worm to these addresses. Besides spreading through
email, similar to the Fizzer worm, MyDoom also spread using the peer-to-peer file sharing app
Kazaa. It used a predefined list of names like NessusScan_Pro, Winamp5, and MS04-01_Hotfix.
Now that I think about it, I'm pretty sure I downloaded one of those before.
Now when the user executed the file, it opened up Notepad on Windows, but instead of showing
any real information, it just filled the Notepad window with meaningless garbage data.
It also created a mutex with the name SwebSipcSmtxSO. A mutex, which stands for
mutual exclusion, is a synchronization object; here it ensures that only one instance of the worm can run at any time.
It also added a registry key to ensure the worm would always run at startup.
It then dropped another file called shimgapi.dll.
A DLL file, which stands for Dynamic Link Library, is a file format used in Windows operating systems
that contains code, data, and resources that can be used by multiple programs simultaneously.
This file sequentially opened TCP ports from 3127 to 3198 using the first one that was
available to listen for incoming connections. The infected machine could then be used as a
TCP proxy allowing the malicious actor to proxy their traffic through the user's infected machine.
They could also upload and execute arbitrary executables on the infected computer.
It's also worth noting that in order to obfuscate the worm's executable,
it used a couple of tactics. First, it used UPX packing. UPX stands for Ultimate Packer for
Executables. This made the executable file smaller by compressing it, which helped evade detection by
some antivirus software. The code then decompresses itself when the executable is run. In addition,
to further obfuscate the code and avoid detection,
it used the substitution cipher ROT13. This is where each letter in a string is replaced
by the letter 13 positions ahead in the alphabet. So for example, A would become N and B would become
O. It's a pretty basic method, but it does make the code harder to immediately recognize and
detect, even though it's easily reversible. Speaking of the worm's code, there was also a
cryptic message embedded in the worm's payload that said, "Andy, I'm just doing my job. Nothing
personal. Sorry." This led some experts to believe that MyDoom was created by a third-party contractor
who was, ethics aside, just doing their job. Just doing their job. I feel like we've all heard that
excuse before. Now this is where Variant B gets creative. It made changes to the infected computer's
hosts file.
Normally when you type a website in your browser, your computer sends a DNS query to find the IP
address for that domain. But the hosts file is a local file on your computer that lets you manually
map domain names to IP addresses. For example, if you added brave.com to your hosts file with a
random IP address, your computer would use that random IP address instead of performing a DNS
lookup, so you'd be redirected or the site wouldn't load properly. What Variant B did was it added
domains for antivirus companies like Sophos.com, Symantec.com, and McAfee.com to the hosts file
and mapped them to the IP address 0.0.0.0, which is not routable, essentially making those sites
unreachable. So even if you had antivirus software installed, your computer wouldn't be able to
connect to those sites to update its virus definitions, leaving your system vulnerable and infected. It also blocked domains associated with the
pop-up advertisements provided by DoubleClick, this was before Google bought them, and other
online marketing companies. I guess you could say it was one of the first versions of an ad blocker,
so in a way it did some good. Now back to January 28th, that was when Variant B was discovered.
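As an added illustration of the hosts-file tampering just described (example code written for this page, not from the episode), this Python check parses a hosts file and flags watched security-vendor domains that have been pinned to 0.0.0.0 or a loopback address; the sample hosts content and the vendor watch-list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of a tampered hosts file, mirroring what MyDoom.B did:
# antivirus and update domains pinned to 0.0.0.0 so they never resolve.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.sophos.com sophos.com
0.0.0.0 www.symantec.com symantec.com
0.0.0.0\tmcafee.com liveupdate.symantecliveupdate.com
192.168.1.10    intranet.example.internal   # legitimate local override
"""

# Domains a defender would not expect to see overridden locally (assumed watch-list).
WATCHED_SUFFIXES = ("sophos.com", "symantec.com", "mcafee.com",
                    "symantecliveupdate.com", "microsoft.com", "windowsupdate.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blanks, comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()

def is_sinkholed(ip):
    """True if traffic to ip can never reach a real server (0.0.0.0 or loopback)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback

def find_blocked_vendors(text):
    """Return (hostname, ip) for watched security domains pinned to a dead address."""
    findings = []
    for ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and is_sinkholed(ip):
            findings.append((name, ip))
    return findings

if __name__ == "__main__":
    for name, ip in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"suspicious hosts override: {name} -> {ip}")
```

On a real system you would feed it the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and alert on any finding, since legitimate software almost never sinkholes a vendor's update domain.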
By January 29th, the spread of MyDoom began to decline as bugs in Variant B's code prevented it
from spreading as rapidly as first anticipated. This is the downside of testing your code in
production. It was at this time that Microsoft also offered a reward of $250,000 for information
leading to the arrest of its creator, meaning the reward was now up to $500,000 or $850,000 adjusted
for inflation. February 3rd was when Variant B's DDoS attack against Microsoft.com was scheduled to begin.
Unlike SCO Group, Microsoft was ready.
They set up information.microsoft.com so that users could be redirected
if the main www.microsoft.com site was affected.
After all the preparation, the main site experienced intermittent slowdowns
but remained up, and Microsoft's servers were able to handle the attack.
Nine days later, on February 12th, the original MyDoom was programmed to stop spreading,
but the back door would remain open.
Fast forward to March 1st, this is when MyDoom Variant B was programmed to stop spreading,
but again, like the original, the back door remained open.
A few months later, on July 26th, is when things get interesting again.
A variant of the MyDoom worm, MyDoom.O, launched an attack that heavily affected major search engines
including Google, AltaVista, and Lycos. The worm exploited these search engines by sending
automated queries to search for email addresses, using infected computers to flood the sites.
This led to a denial of service for the search engines. For Google, the attack caused significant
disruptions, leaving many users unable to access the search engine for around three hours.
Despite this, Google downplayed the severity of the attack, surprise surprise, stating that the
website was not significantly impaired and that services were quickly restored. AltaVista and
Lycos also suffered noticeable slowdowns that lasted for several hours, although the impact on Google
was the most widely reported due to its prominence and timing. It occurred just as Google was preparing to file
its initial public offering, IPO, in August. Other variants surfaced over the years,
with MyDoom eventually resurfacing in the 2009 cyberattacks affecting South Korea and the United
States. All that being said, MyDoom was a wild ride, and its use of the hosts file to block
antivirus companies was extremely creative. Between the DDoS attacks and the cost to recover
systems, it caused an estimated $40 billion in damage globally. And yet, even after all that,
and the combined $500,000 reward, the original author of the worm remains unknown to this day.
In the Shell is written, researched, and recorded by me, The Worm Watcher. If you've made it this far,
you either walked away and forgot the episode was playing, or you enjoyed it. If it's the latter, then
I have a small request: please click the share button wherever you're listening and send this
episode to someone you think would like to hear about worms. I would truly appreciate it. That's
it. Take care, and I'll see you next time.