MyDoom Continues to Persist into 2020


MyDoom still holds the world record for fastest-spreading email worm of all time. It was first discovered in January 2004 and remains active today in 2020. Few threats possess the effectiveness and longevity of MyDoom.

MyDoom is also cited as the world’s most costly cyber attack in history. The malware has caused an estimated $38 billion (£31bn) in damage over its lifespan.

The initial version of MyDoom was programmed to launch a distributed denial-of-service (DDoS) attack against a site for the SCO Group, which had filed an intellectual property suit against IBM over its alleged use of Linux code. The attack was programmed to launch 1 February, 2004 and end 12 February, sending a request to the website every millisecond.

After the worm ended its DDoS attacks, the backdoor left by the worm would still be active. It meant future malware and threat actors can manipulate the infected machines that were never cleaned. 

The authors of the initial worm were never found or caught. However, a second version of MyDoom suddenly appeared in mid-2009 and began DDoSing websites belonging to the White House, Department of Homeland Security, U.S. Secret Service, National Security Agency, Federal Trade Commission, Department of Defense and the State Department. The New York Stock Exchange and NASDAQ were also hit by DDoS attacks over the July 4th holiday weekend.

After the attacks on multiple US government websites, at least 11 sites in South Korea, including sites for the Ministry of Defense and the presidential Blue House, were also targeted, leading the Associated Press to publish a story prominently quoting anonymous South Korean intelligence officials blaming the attacks on North Korea.

This second variant of MyDoom also hit tech companies hard, with DDoS attacks affecting Google, Microsoft, AltaVista and Lycos. Security experts claim that the whole internet, at the time, was slowed down by up to 10% from the sheer amount of traffic MyDoom-infected devices were emitting. In 2004, roughly somewhere between 16-25% of all emails had been infected by MyDoom. 

Also known as the Norvag virus, and as a variant of the MiMail virus, MyDoom’s method of propagation is through email using SMTP. It’s a polymorphic worm and tends to have different file hashes for each of the emails, bypassing the traditional signature-based detection systems at the time.

Palo Alto Network’s Unit 42 continues to record tens of thousands of MyDoom samples every month. The vast majority of MyDoom emails come from IP addresses registered in China, with the United States running a distant second. The spambots are mostly targeting high tech, wholesale, retail, healthcare, education, and manufacturing industries across the world.
Emails distributing MyDoom are generally disguised as reports that an email was not delivered, with subject lines such as:

  • Delivery failed
  • Delivery reports about your email
  • Mail System Error – Returned Mail
  • MESSAGE COULD NOT BE DELIVERED
  • RETURNED MAIL: DATA FORMAT ERROR
  • Returned mail: see transcript for details

Attachments from these MyDoom emails are mainly ZIP archives that contain executable files, but they can also be attached as just an .exe file or .scr, and .pif too. The MyDoom worm turns an infected Windows host into a malicious spambot, which then sends MyDoom emails to various email addresses. This will happen even if the infected Windows host does not have a mail client. Another characteristic of MyDoom is attempted connections to various IP addresses over TCP port 1042. This is because MyDoom also opens a backdoor on port 1042. MyDoom tries to connect to port 1042 when reaching out to random IP addresses and if an open port is found, the malware knows it has likely located another infected host. 

MyDoom possesses extensive email harvesting capabilities. It queries registry key HKCU\Software\Microsoft\WAB\WAB4\Wab File Name to obtain email addresses from the Windows Address Book. The worm also enumerates the file system looking for email addresses stored on the machine.

Analysis: 

With statistics like MyDoom, it is not a surprise that this malware became one of the most costly cyber attacks in history, although the source of the estimated damages ($38 billion) is not quite clear. However, it seems to be an accurate suggestion due to the types of websites that were affected and the overall impact it had on the rest of the internet. Any business that was conducted online, worldwide, was massively interrupted by the events in February 2004 and July 2009.

Other momentous cyber attacks include other recent ransomware worms such as WannaCry and NotPetya. WannaCry losses reportedly equalled a total of $4 billion, whereas the more advanced NotPetya managed to cause $10 billion in damages. Both ransomware worms were linked to nation state attackers, WannaCry to North Korea and NotPetya to Russia. 

Further investigation into MyDoom points towards North Korea being behind the 4th July attacks in 2009. This was more than likely at the hands of Lazarus Group, the DPRK’s very own cyberarmy. 

MyDoom still persists into 2020, many Windows machines are still infected from and continue to act as spambots. It is unlikely nowadays that the DDoS attacks from these devices are able to take down any of the original targets from the previous campaigns with SCO Group going out of business and the US government’s sites having DDoS mitigation services like Akamai or CloudFlare. However, the main threat MyDoom still presents today is that threat actors can enter the backdoors that MyDoom left open and launch further attacks of their own. 

Video by Danooct1 demonstrating MyDoom:


I visited Malware Traffic and found some examples of MyDoom emails:

MyDoom backdoor Traffic (Port 1042):

MyDoom Spambot Traffic (SMTP):

Indicators of Compromise (IOC):

MyDoom EXE Samples from July 2019:

  • 1b46afe1779e897e6b9f3714e9276ccb7a4cef6865eb6a4172f0dd1ce1a46b42
  • 48cf912217c1b5ef59063c7bdb93b54b9a91bb6920b63a461f8ac7fcff43e205
  • 50dfd9af6953fd1eba41ee694fe26782ad4c2d2294030af2d48efcbcbfe09e11
  • 6a9c46d96f001a1a3cc47d166d6c0aabc26a5cf25610cef51d2b834526c6b596
  • 9e4c6410ab9eda9a3d3cbf23c58215f3bc8d3e66ad55e40b4e30eb785e191bf8

MyDoom EXE Samples from April 2020:

  • 4b3c4d1b27ffe329b01522c7e733b59a6dc74c175863eaa9f44e23134dbf226e 
  • c74c90605ae3a3c35f5437d1f44638af4b5ac64818877d6f0b90cc37a400b171
  • c8c4efb9090a267bf275be43130b206abec4b47251fa4938a8256f8341ac35e3
  • ea0bf6d2eef76c1047c374fa54ff63b458cfe52f5bb1bb955a85c6abcace9b5d
https://otx.alienvault.com/pulse/5e9035f452271f91cf387763

References:

https://unit42.paloaltonetworks.com/mydoom-still-active-in-2019
https://threatvector.cylance.com/en_us/home/cylance-vs-mydoom-email-worm.html
https://www.malware-traffic-analysis.net/2019/07/15/index.html

http://www.taipeitimes.com/News/worldbiz/archives/2004/01/29/2003096671

https://archive.org/details/g4tv.com-video25506
https://www.wired.com/2009/07/mydoom
https://www.theguardian.com/technology/2009/jul/08/cyber-war-mydoom-virus-attack
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world