
New Attack Follows Mydoom

Malware program installs itself on infected PCs.

Macworld.co.uk staff, Macworld.co.uk


A new attack against Mydoom-infected machines has been identified by security specialists Mi2g.

This attack "has been designed to make money and definitely appears to be the handiwork of organized crime," mi2g warns.

A new malware program called Deadhat has appeared. Machines infected with Mydoom-A and Mydoom-B are being colonized by Deadhat, which has "some sinister cryptographic features", the analysts warn. According to Mi2g, Deadhat comes ever closer to what it terms a Distributed Intelligent Malware Agent.

"On the face of it, Deadhat appears to be relatively useless but it has a darker side: it is the type of distributed intelligent malware agent with crypto control that has been conceived for the perfect colonization of Mydoom-infected machines."

Spreading Itself

Deadhat does not spread through e-mail. Instead, it actively seeks to install itself through the backdoor that Mydoom-A and Mydoom-B open on infected machines, scanning for their tell-tale open ports.

When it takes control of the infected machines it removes all traces of Mydoom and copies itself to the SoulSeek file-sharing system (if installed). In the process, the open ports of Mydoom are closed and Deadhat then opens a new TCP port and awaits further instructions which must be authenticated with a cryptographic key. If the authentication is successful, the backdoor accepts a file for upload and execution.

Deadhat's Internet Relay Chat component connects to a predetermined IRC server and listens on a specific channel for further commands. The backdoor supports different commands to download and execute specific programs on infected computers.
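An added detection sketch, not code from the article or from Mi2g: it scans a constructed connection log for the takeover sequence described above, an inbound connection to a Mydoom backdoor port followed by an outbound IRC session from the same internal host. The backdoor port numbers, the IRC port, the time window and the log format are assumptions.

```python
# Added example (not from the article): correlate connection-log lines that match
# the Deadhat takeover pattern: an inbound hit on a Mydoom backdoor port, then an
# outbound IRC connection from the same host within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values, not given in the article: adjust to the ports your IDS vendor lists.
MYDOOM_BACKDOOR_PORTS = {3127, 3128}   # assumed Mydoom-A/B backdoor ports
IRC_PORTS = {6667}                     # assumed IRC command-channel port
WINDOW = timedelta(minutes=30)         # assumed correlation window

# Constructed sample log, one event per line:
# "timestamp direction src_ip src_port dst_ip dst_port"
SAMPLE_LOG = """\
2004-02-09T10:00:05 in 198.51.100.7 40123 10.0.0.5 3127
2004-02-09T10:00:09 out 10.0.0.5 1045 203.0.113.9 80
2004-02-09T10:01:12 out 10.0.0.5 1046 203.0.113.44 6667
2004-02-09T10:02:00 in 198.51.100.7 40130 10.0.0.8 3127
2004-02-09T10:03:00 out 10.0.0.9 1050 203.0.113.44 6667
"""


def parse_line(line):
    """Split one log line into typed fields."""
    ts, direction, src, sport, dst, dport = line.split()
    return datetime.fromisoformat(ts), direction, src, int(sport), dst, int(dport)


def find_takeover_candidates(log_text, window=WINDOW):
    """Return {internal_host: (backdoor_hit_time, irc_time)} for hosts that were
    contacted on a Mydoom backdoor port and then opened an outbound IRC session
    within `window`. Hosts showing only one half of the pattern are not reported."""
    backdoor_hits = defaultdict(list)   # internal host -> times it was hit on a backdoor port
    findings = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, direction, src, _sport, dst, dport = parse_line(raw)
        if direction == "in" and dport in MYDOOM_BACKDOOR_PORTS:
            backdoor_hits[dst].append(ts)
        elif direction == "out" and dport in IRC_PORTS:
            # Only flag if the IRC session follows a backdoor hit on the same host.
            for hit in backdoor_hits.get(src, []):
                if timedelta(0) <= ts - hit <= window:
                    findings[src] = (hit, ts)
                    break
    return findings


if __name__ == "__main__":
    for host, (hit, irc) in find_takeover_candidates(SAMPLE_LOG).items():
        print(f"{host}: backdoor hit {hit.isoformat()}, IRC session {irc.isoformat()}")
```

On the constructed log only 10.0.0.5 is reported; 10.0.0.8 was hit but never reached IRC, and 10.0.0.9 reached IRC without a preceding backdoor hit.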

Mi2g executive chairman DK Matai warns: "After Deadhat has proliferated, the large army of Mydoom zombies will surrender control to Deadhat's perpetrators and nobody else.

"Post-Deadhat, any Web site could be held to ransom or infected machines could be used for spam campaigns and phishing scams without the owners' knowledge."
