MyDoom still holds the world record for fastest-spreading email worm of all time. It was first discovered in January 2004 and remains active today in 2020. Few threats possess the effectiveness and longevity of MyDoom.

MyDoom is also cited as the world’s most costly cyber attack in history. The malware has caused an estimated $38 billion (£31bn) in damage over its lifespan.

The initial version of MyDoom was programmed to launch a distributed denial-of-service (DDoS) attack against the website of the SCO Group, which had filed an intellectual property suit against IBM over its alleged use of Linux code. The attack was programmed to begin on 1 February 2004 and end on 12 February, sending a request to the website every millisecond.

After the worm ended its DDoS attacks, the backdoor it left behind would still be active, meaning later malware and threat actors could manipulate infected machines that were never cleaned.

The authors of the initial worm were never found or caught. However, a second version of MyDoom suddenly appeared in mid-2009 and began DDoSing websites belonging to the White House, Department of Homeland Security, U.S. Secret Service, National Security Agency, Federal Trade Commission, Department of Defense and the State Department. The New York Stock Exchange and NASDAQ were also hit by DDoS attacks over the July 4th holiday weekend.

After the attacks on multiple US government websites, at least 11 sites in South Korea, including sites for the Ministry of Defense and the presidential Blue House, were also targeted, leading the Associated Press to publish a story prominently quoting anonymous South Korean intelligence officials blaming the attacks on North Korea.

This second variant of MyDoom also hit tech companies hard, with DDoS attacks affecting Google, Microsoft, AltaVista and Lycos. Security experts claim that the whole internet, at the time, was slowed down by up to 10% by the sheer amount of traffic MyDoom-infected devices were emitting. In 2004, roughly 16-25% of all emails were MyDoom-infected.

Also known as the Novarg virus, and a variant of the MiMail virus, MyDoom propagates through email using SMTP. It is a polymorphic worm that tends to produce a different file hash for each email it sends, bypassing the signature-based detection systems of the time.

Palo Alto Networks' Unit 42 continues to record tens of thousands of MyDoom samples every month. The vast majority of MyDoom emails come from IP addresses registered in China, with the United States a distant second. The spambots mostly target the high tech, wholesale, retail, healthcare, education and manufacturing industries across the world.


Emails distributing MyDoom are generally disguised as reports that an email was not delivered, with subject lines such as:

Delivery failed

Delivery reports about your email

Mail System Error – Returned Mail

MESSAGE COULD NOT BE DELIVERED

RETURNED MAIL: DATA FORMAT ERROR

Returned mail: see transcript for details

Attachments in these MyDoom emails are mainly ZIP archives containing an executable, but the executable can also be attached directly as an .exe, .scr or .pif file. The MyDoom worm turns an infected Windows host into a malicious spambot, which then sends MyDoom emails to various email addresses; this happens even if the infected Windows host has no mail client installed. Another characteristic of MyDoom is attempted connections to various IP addresses over TCP port 1042, because MyDoom also opens a backdoor on port 1042. MyDoom tries to connect to port 1042 on random IP addresses, and if the port is open, the malware knows it has likely located another infected host.

MyDoom possesses extensive email harvesting capabilities. It queries registry key HKCU\Software\Microsoft\WAB\WAB4\Wab File Name to obtain email addresses from the Windows Address Book. The worm also enumerates the file system looking for email addresses stored on the machine.
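Added example (not code from the original post): a small Python triage script that applies the indicators described in the two paragraphs above to constructed sample mail metadata and connection records, flagging bounce-style lure emails that carry a ZIP or bare executable attachment, and hosts that repeatedly reach out to TCP port 1042. The sample data, the connection-count threshold and the function names are my own assumptions.

```python
import re
from collections import Counter
# Lure subject lines quoted in the post; compared case-insensitively, ignoring punctuation.
LURE_SUBJECTS = [
    "Delivery failed",
    "Delivery reports about your email",
    "Mail System Error - Returned Mail",
    "MESSAGE COULD NOT BE DELIVERED",
    "RETURNED MAIL: DATA FORMAT ERROR",
    "Returned mail: see transcript for details",
]
# Attachment types the post names: ZIP archives or bare executables.
SUSPECT_EXT = (".zip", ".exe", ".scr", ".pif")
BACKDOOR_PORT = 1042  # port MyDoom opens locally and probes on other hosts

def _words(text):
    """Lower-case and split on anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).split()

def is_mydoom_lure(subject, attachment):
    """True when the subject matches a known lure AND the attachment type fits."""
    subject_hit = _words(subject) in [_words(lure) for lure in LURE_SUBJECTS]
    return subject_hit and attachment.lower().endswith(SUSPECT_EXT)

def backdoor_scanners(flows, threshold=3):
    """Hosts with at least `threshold` outbound TCP/1042 attempts (assumed threshold).
    flows: iterable of (src_ip, dst_ip, proto, dst_port) tuples."""
    hits = Counter(src for src, _dst, proto, port in flows
                   if proto == "tcp" and port == BACKDOOR_PORT)
    return sorted(src for src, n in hits.items() if n >= threshold)

def triage(mails, flows):
    """Combine both checks; mails are (subject, attachment_name) tuples."""
    return {"lure_mails": [s for s, a in mails if is_mydoom_lure(s, a)],
            "scanning_hosts": backdoor_scanners(flows)}

# Constructed sample input (not real telemetry).
MAILS = [
    ("Delivery failed", "message.zip"),
    ("Mail System Error – Returned Mail", "readme.scr"),
    ("RETURNED MAIL: DATA FORMAT ERROR", "details.txt"),  # subject only: not flagged
    ("Quarterly report", "report.pdf"),
]
FLOWS = [("10.0.0.5", d, "tcp", 1042) for d in
         ("203.0.113.7", "198.51.100.23", "192.0.2.44", "203.0.113.99")]
FLOWS += [("10.0.0.9", "198.51.100.5", "tcp", 1042), ("10.0.0.5", "192.0.2.1", "tcp", 443)]

if __name__ == "__main__":
    print(triage(MAILS, FLOWS))
```

A single TCP/1042 attempt (host 10.0.0.9 in the sample) stays below the threshold, since one stray connection is not on its own evidence of the worm's peer-discovery scanning.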

Analysis:

With statistics like these, it is no surprise that this malware became one of the most costly cyber attacks in history, although the source of the estimated damages ($38 billion) is not entirely clear. The figure nonetheless seems plausible given the types of websites that were affected and the overall impact on the rest of the internet. Business conducted online, worldwide, was massively disrupted by the events of February 2004 and July 2009.

Other momentous cyber attacks include the more recent ransomware worms WannaCry and NotPetya. WannaCry losses reportedly totalled $4 billion, whereas the more advanced NotPetya caused $10 billion in damages. Both ransomware worms were attributed to nation-state attackers: WannaCry to North Korea and NotPetya to Russia.

Further investigation into MyDoom points towards North Korea being behind the 4 July 2009 attacks, more than likely at the hands of Lazarus Group, the DPRK's own cyber army.

MyDoom still persists into 2020: many Windows machines remain infected and continue to act as spambots. It is unlikely nowadays that DDoS attacks from these devices could take down any of the original targets from the previous campaigns, with the SCO Group having gone out of business and the US government's sites now protected by DDoS mitigation services such as Akamai or Cloudflare. However, the main threat MyDoom still presents today is that threat actors can enter the backdoors that MyDoom left open and launch further attacks of their own.

Video by Danooct1 demonstrating MyDoom:

I visited Malware Traffic and found some examples of MyDoom emails:

MyDoom backdoor Traffic (Port 1042):

MyDoom Spambot Traffic (SMTP):

Indicators of Compromise (IOC):

MyDoom EXE Samples from July 2019:

MyDoom EXE Samples from April 2020:

