The newest version of the MyDoom worm now circulating suggests to security experts that the much-anticipated "Zero Day attack" may have arrived.
Zero Day refers to an exploit, either a worm or a virus, that arrives on the heels of, or even before, the public announcement of a vulnerability in a computer system. This new MyDoom appeared only two days after a security flaw in Windows IE was made public by two hackers, according to reports.
What's different about this version is that instead of attaching itself to an e-mail as an executable program, it appears as a Web link within the text of an e-mail message. Clicking on the link will direct a person's browser to another Web site that will exploit an IFrames vulnerability in IE and thereby infect that person's machine.
"Up until today, every worm that came out had a fix, and that fix was out there for some time," said Stuart McClure, president and CTO of Foundstone Strategic Security in Mission Viejo, California.
Pace Picking Up
McClure suggests it will only be a short time before a worm or virus appears exploiting an unknown vulnerability and there will be no mechanism to fix it in place. This time difference between knowledge of security vulnerabilities and creation of exploits to take advantage of those flaws has been shrinking for some time. Two years ago, that time difference was somewhere between four to six weeks.
"For the first six months of this year, (that time difference) was about 5.8 business days, and in this most recent case it was just two days," said Alfred Huger, senior director of engineering with Symantec in Calgary. "The problem is that it is extremely difficult for a vendor to put out a patch in that short of a time."
Carol Terentiak, security strategy and response manager with Microsoft Canada in Mississauga, Ontario, says this version of MyDoom suggests virus and worm writers are becoming more sophisticated, that hackers are going beyond merely tweaking existing virus code and doing more sophisticated work by first prying apart and looking for problems in the systems they may want to compromise.
Timed Attack?
There was some suggestion that the release of the virus was timed to disrupt Microsoft's monthly security bulletins. Each month, Microsoft releases a security bulletin that provides customers with information about security issues, exploits, and fixes that are available. The timing of this MyDoom variant suggested to some that its author may have hoped to trip up the bulletin by showing it to be inadequate in providing up-to-date security information and fixes to Microsoft customers.
Terentiak says she is not aware of that being the case. She adds Microsoft users who have installed Service Pack 2 for Windows XP were already at a reduced risk of having problems with this virus. Service Pack 2 comes with built-in protections against the kinds of exploits that MyDoom tries to perpetrate on a machine. Still, Microsoft is working on a separate patch for the vulnerability in IE.
Terentiak advises people who are worried to consult either Microsoft's Protect Your PC page or the Trustworthy Computing Security page for more information.
Ad Choices