What is the MyDoom Virus?


Introduction

Chain letters have been around for more than 150 years. Evolving from snail-mail to email, chain letters have been used for altruistic purposes, but more typically the motives are self-serving or nefarious. In these instances, recipients are asked to pass on a message to a certain number of their contacts, sometimes under the threat of dire consequences.

So, what do chain letters have to do with viruses and DDoS attacks? As it turns out, one of the most notorious cyber threats in history, the MyDoom virus, was based on the concept of chain letters – but with an important twist. The recipients were unaware that their address book was being hijacked to spread the virus to their contacts.

In this blog, we’ll discuss the mechanics of the MyDoom virus, its impact and spread, and its lingering effects. We’ll also share lessons on how to protect against this cyber threat that served as an early example of threat actors creating botnets to execute powerful DDoS attacks.

History of the MyDoom Virus

On the morning of January 26, 2004, computer users around the world were introduced to the MyDoom virus. The mysterious email came with an attachment and a brief message that seemed legitimate and encouraged them to open it. Every time they opened their inbox they received another copy. Some users had a feeling that the message wasn’t to be trusted and didn’t click on the attachment. But these were early days for cybersecurity and user education on phishing emails and viruses was limited. Many recipients unwittingly opened the attachment with cascading effects; the attack spread causing widespread disruption and financial losses.

The computers of those who fell for the ruse ended up becoming part of a series of DDoS botnets that eventually included a total of more than 50 million computers – the first 500,000 recruited in just one week. The scheme was devised to target a handful of large technology companies with DDoS attacks and is estimated, ultimately, to have caused $38 billion or more in damage.

Initially, the MyDoom virus targeted two companies. MyDoom.A was used to target the SCO Group. When the company’s website crashed and the attack persisted for more than an hour, the company changed website addresses altogether. The attackers then used MyDoom.B to target Microsoft and popular anti-virus sites, preventing victims from downloading tools to help with cleanup. Microsoft’s defenses were able to withstand the attack, but many computers were turned into bots in the process.

The spread of MyDoom continued and over time additional variants have been discovered (including C, F, G, H, U, V, W, and X). Attacks continued to target technology companies with varying degrees of success.

The creator of MyDoom has never been identified.

How does MyDoom work?

MyDoom was designed exclusively for Windows environments so other operating systems were not impacted. Windows users may have had little indication that opening the attachment resulted in infecting their computer with malware. Their computer performance may have slowed down or been a little glitchy, but they were still able to get their tasks done.

Here’s where the connection between MyDoom and chain letters comes in. Code working within the Windows environment allowed the worm to spread and gain access to the user’s contacts.

MyDoom worm

Specifically, the MyDoom worm would:

Download onto a user’s computer. A user receives an email and clicks on the attachment which downloads the MyDoom worm. The attacker is now able to control the computer remotely, effectively turning it into a bot.

Recruit bots. The code moves laterally, looking for the user’s contacts. Every address in the user’s contact list is sent an email with an attachment that includes the MyDoom worm. If recipients open the attachment, their computers also become part of the botnet.

Launch a DDoS attack. On a set date the bots, which are now grouped into a botnet, are used to launch a coordinated DDoS attack on the target’s website.

Maintain a foothold. The attackers leave a back door open on the user’s computer in case they want to enter again. The code remains active, ready to execute nefarious activity in the future at the threat actor’s request.

Impact of MyDoom virus on individual computers

Unless the code has been completely removed, computers that have been infected with MyDoom could be hijacked for another DDoS attack. If this happens, you might notice:

Sluggish performance. Opening, closing, saving, or working in Windows files could take longer than usual.

External questions. If your computer starts sending messages to people in your address book, you could start getting questions from your contacts about random, mysterious emails appearing to come from you that you had no idea were being sent.

Internal indicators. Your IT department may start to ask you why suddenly you need so much more bandwidth to get your work done.
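The "Recruit bots" step and the indicators above both come down to one observable: a single mailbox suddenly pushing the same executable attachment to many contacts. The following detector, an added example rather than code from the original post, runs that check over a constructed mail-gateway log; the log format, the extension list and the fan-out threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log (hypothetical format, not from any real product):
# "<ISO timestamp> from=<addr> to=<addr> attach=<filename or none>"
SAMPLE_LOG = """\
2004-01-26T09:00:01 from=alice@corp.example to=bob@corp.example attach=none
2004-01-26T09:00:05 from=carol@corp.example to=dave@corp.example attach=report.pdf
2004-01-26T09:01:10 from=alice@corp.example to=x1@partner.example attach=document.scr
2004-01-26T09:01:11 from=alice@corp.example to=x2@partner.example attach=document.scr
2004-01-26T09:01:12 from=alice@corp.example to=x3@partner.example attach=document.scr
2004-01-26T09:01:13 from=alice@corp.example to=x4@partner.example attach=document.scr
2004-01-26T09:01:14 from=alice@corp.example to=x5@partner.example attach=document.scr
2004-01-26T09:30:00 from=carol@corp.example to=erin@corp.example attach=notes.txt
"""

# Assumed policy: attachment types that execute on Windows, and a fan-out threshold
# separating a person mailing a few contacts from a worm mailing a whole address book.
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd", ".com")
FANOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=5)
LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) attach=(\S+)$")

def parse_log(text):
    """Parse lines into (timestamp, sender, recipient, attachment); skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, sender, rcpt, attach = m.groups()
            events.append((datetime.fromisoformat(ts), sender, rcpt, attach))
    return events

def is_executable(name):
    return name != "none" and name.lower().endswith(EXEC_EXT)

def find_mass_mailers(events):
    """Map sender -> (distinct recipients, attachment) for senders that pushed the
    same executable attachment to >= FANOUT_THRESHOLD recipients within WINDOW."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, attach in events:
        if is_executable(attach):
            by_sender[sender].append((ts, rcpt, attach))
    hits = {}
    for sender, items in by_sender.items():
        items.sort()  # chronological, so each window starts at a real send time
        for i, (t0, _, attach) in enumerate(items):
            rcpts = {r for t, r, a in items[i:] if a == attach and t - t0 <= WINDOW}
            if len(rcpts) >= FANOUT_THRESHOLD:
                hits[sender] = (len(rcpts), attach)
                break
    return hits
```

On the sample log, carol's ordinary attachments never trip the rule, while alice's burst of five identical .scr attachments in four seconds is flagged, which is the point at which the contacts' "mysterious email" questions and the IT bandwidth complaints would otherwise be the first warning.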

Response and Mitigation

To defend against MyDoom and other viruses as well as DDoS attacks, organizations should use a layered approach to defenses that consists of technology and best practices, including:

Antivirus software and IDS: Solutions designed to identify and block malicious files and activities can prevent the initial infiltration of worms like MyDoom and others. Keep these tools updated to ensure they can detect and help protect against the latest threats.

Email security solutions: Filtering incoming emails for suspicious attachments and links can stop attempts to spread malware. Having a solution that enables users to tag and report emails as suspicious raises their awareness of the problem and gets them engaged in the frontline defense.

Regular system updates: Install patches for vulnerabilities as soon as they are released by your software and network device vendor. Prioritizing those patches that malware and viruses like MyDoom are known to exploit helps minimize the risk of unauthorized access and system compromise. 

User education: Educate employees on the dangers of worms and DDoS attacks and how to avoid becoming infected by not clicking on suspicious links or attachments in emails from unknown sources. General cyber hygiene practices, including using strong passwords and multi-factor authentication, create barriers for threat actors attempting to gain access to sensitive data and systems.

Incident response planning: Develop a detailed plan for how to respond in the event of an incident including steps to contain and mitigate threats, key stakeholders, and specific roles and responsibilities. Timely and coordinated action can minimize the impact and accelerate recovery. Revisit the plan on a regular basis to validate and update as needed.

DDoS protection: The most comprehensive way to mitigate DDoS attacks, including botnet-driven attacks such as those generated by MyDoom, is a DDoS protection platform. Advanced solutions block attacks and guard against follow-on threats such as data leakage and ransom attacks while allowing legitimate traffic through, so organizations can maintain uninterrupted service availability even in the midst of a DDoS attack.

DDoS threat intelligence: By continuously monitoring and analyzing global threat data, DDoS intelligence services offer insights into emerging attack vectors, tactics, and trends. This enables organizations to strengthen their defense by proactively implementing countermeasures that address specific vulnerabilities and threats.

Final thoughts on the enduring impact of the MyDoom virus

The attacks launched by MyDoom are part of our storied history of famous DDoS attacks. No other virus spread as quickly, caused as much financial damage, or had such an enduring impact. Some computers still have back doors, and MyDoom opened the floodgates to subsequent attacks. There are plenty of lessons to be learned from observing the work of these pioneering threat actors, whose techniques attackers continue to use.

Fortunately, there are multiple best practices and technologies to help defend against viruses like MyDoom and the ensuing DDoS attacks. These include antivirus software and IDS, email security solutions, regular system updates, user education, incident response planning, advanced DDoS protection, and DDoS intelligence.

DDoS protection coupled with intelligence to stay ahead of emerging threats provides uninterrupted service availability even in the midst of a DDoS attack, and can also protect you from the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on DDoS defense in depth.
