25 September 2023

Doomsday judgment: How the MyDoom worm still runs after 15 years


Sergiu Gatlan* says that one of the most damaging malware strains ever developed is still spreading its way through the internet.


Image: Gerd Altmann

The notorious MyDoom email worm, considered one of the most damaging malware strains ever developed, is still doing the rounds on the Internet, working on autopilot and actively targeting email users all over the world.

MyDoom (also known as Novarg, Mimail, and Shimg) is a malware family known to be active since at least 2004. It spreads to new victims by mass-mailing copies of itself, and some of its variants can also infect targets through peer-to-peer file-sharing networks.

After infecting a computer, the MyDoom worm opens a backdoor on TCP ports 3127 through 3198, thus enabling the attackers to remotely access the compromised systems, to distribute other malicious payloads, and, in the case of some variants, to launch denial of service (DoS) attacks.
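A practical host-side triage check for the backdoor described above is to list local TCP listeners in the 3127 to 3198 range and single out the ones owned by a process you do not recognise. The script below is an added example and not code from the article or any vendor report. It assumes a Linux host with the `ss` utility; the sample `ss -ltnp` output, the process names in it (including "updater") and the allowlist are constructed for the example.

```python
"""Triage check for the backdoor port range described in the article:
list local TCP listeners in 3127-3198 and flag those owned by a process
that is not on an allowlist.  Added example, not code from the article
or from any vendor report.  Assumes a Linux host with `ss`; the sample
output and the process names in it are constructed."""
import re
import socket
import subprocess

# 3127..3198 inclusive, the range the article gives for the MyDoom backdoor.
MYDOOM_PORT_RANGE = range(3127, 3199)

# Processes that legitimately listen inside that range on this network.
# Squid's default proxy port is 3128; extend this allowlist per environment.
KNOWN_OK_PROCESSES = {"squid"}

# Constructed sample of `ss -ltnp` output (not a real capture; "updater" is
# an invented process name standing in for an unrecognised listener).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:3128         0.0.0.0:*          users:(("squid",pid=2210,fd=9))
LISTEN  0       5       0.0.0.0:3150         0.0.0.0:*          users:(("updater",pid=4412,fd=5))
LISTEN  0       128     [::]:80              [::]:*             users:(("nginx",pid=1002,fd=6))
"""

LISTEN_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """Return (port, process_name, pid) for every LISTEN line of `ss -ltnp`."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        pm = PROC_RE.search(m.group("proc"))
        name, pid = (pm.group(1), int(pm.group(2))) if pm else ("?", None)
        listeners.append((int(m.group("port")), name, pid))
    return listeners


def listeners_in_mydoom_range(listeners):
    """All listeners inside 3127-3198, expected or not."""
    return [l for l in listeners if l[0] in MYDOOM_PORT_RANGE]


def suspicious_listeners(listeners):
    """Listeners in the range whose owning process is not allowlisted."""
    return [l for l in listeners_in_mydoom_range(listeners)
            if l[1] not in KNOWN_OK_PROCESSES]


def probe_range(host, timeout=0.2):
    """Active check from another machine: the ports in the range on `host`
    that accept a TCP connection.  Only run this against hosts you own."""
    open_ports = []
    for port in MYDOOM_PORT_RANGE:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


if __name__ == "__main__":
    try:
        output = subprocess.run(["ss", "-ltnp"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT   # fall back to the constructed sample
    for port, name, pid in suspicious_listeners(parse_listeners(output)):
        print(f"port {port}/tcp owned by {name} (pid {pid}): investigate")
```

Two caveats: a listener in this range is a lead, not proof, since legitimate software (Squid on 3128, for instance) lives there too, which is why the check keys on the owning process rather than the port alone; and `ss` only shows the owning process for sockets you have permission to inspect, so run it as root for a complete picture.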

As its main propagation method, the MyDoom worm collects email addresses from various files on the compromised systems and sends emails with an attached copy of itself to all the addresses it found.
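The propagation pattern just described (one infected host mailing an attachment to every address it harvested) leaves a distinctive footprint in outbound mail-gateway logs: a single internal host sending attachments to many distinct recipients across many domains in a short window. The detector below is an added example, not the article's or any vendor's code. The log format, hosts, addresses, timestamps and thresholds are all constructed for the example; a real deployment would parse its own gateway's log format and tune the thresholds against its baseline.

```python
"""Flag internal hosts that mass-mail attachments, the behaviour the article
describes for MyDoom.  Added example, not from the article or any vendor.
The log format, addresses, hosts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format, one line per outbound message:
#   <ISO timestamp> src=<internal host> from=<sender> to=<recipient> attach=<yes|no>


def _mk(ts, src, sender, rcpt, attach):
    return (f"{ts.isoformat()} src={src} from={sender} to={rcpt} "
            f"attach={'yes' if attach else 'no'}")


def build_sample_log():
    """Constructed sample: 10.0.0.9 sends three ordinary messages, while
    10.0.0.5 mails one attachment to 30 harvested addresses spread over
    10 domains within three minutes, with a rotating spoofed sender."""
    t0 = datetime(2023, 9, 25, 10, 0, 0)
    lines = [
        _mk(t0, "10.0.0.9", "alice@corp.example", "bob@corp.example", False),
        _mk(t0 + timedelta(minutes=5), "10.0.0.9", "alice@corp.example",
            "carol@partner.example", True),
        _mk(t0 + timedelta(minutes=40), "10.0.0.9", "alice@corp.example",
            "dave@corp.example", False),
    ]
    for i in range(30):
        lines.append(_mk(t0 + timedelta(seconds=6 * i), "10.0.0.5",
                         f"spoofed{i % 4}@corp.example",
                         f"user{i}@dom{i % 10}.example", True))
    return lines


def parse_line(line):
    """Turn one constructed log line into a dict with a datetime `ts`."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    rec["attach"] = rec["attach"] == "yes"
    return rec


def flag_mass_mailers(lines, window=timedelta(minutes=10),
                      min_recipients=20, min_domains=5):
    """Return {src: (distinct recipients, distinct domains)} for every source
    that, within any sliding `window`, sent attachments to at least
    `min_recipients` distinct addresses spanning at least `min_domains`
    recipient domains.  Only messages carrying an attachment count."""
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["attach"]:
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # advance the window start until the span fits inside `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            rcpts = {r["to"] for r in recs[start:end + 1]}
            domains = {r.split("@", 1)[1] for r in rcpts}
            if len(rcpts) >= min_recipients and len(domains) >= min_domains:
                prev = flagged.get(src, (0, 0))
                flagged[src] = (max(prev[0], len(rcpts)),
                                max(prev[1], len(domains)))
    return flagged


if __name__ == "__main__":
    for src, (n_rcpt, n_dom) in flag_mass_mailers(build_sample_log()).items():
        print(f"{src}: attachments to {n_rcpt} recipients in {n_dom} domains")
```

The recipient-domain count is there to separate worm-style spraying from an internal all-hands mail to one domain; legitimate bulk senders (newsletter or notification hosts) will still trip this and belong on an allowlist. Counting only messages with attachments keeps a busy but clean mail server out of the results.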

According to a MyDoom in-depth analysis by The Cylance Threat Research Team:

  • MyDoom holds the record for the fastest spreading email worm, which it achieved in 2004.
  • MyDoom holds the record for the most costly virus, inflicting an impressive $38.5 billion in damages.
  • At its apex, MyDoom generated 16–25 per cent of all emails sent worldwide.

MyDoom is still going strong, according to reports that security researchers and vendors publish almost every year, with tens of thousands of MyDoom-infected emails being detected every month.

“While not as prominent as other malware families, MyDoom has remained relatively consistent during the past few years, averaging approximately 1.1 per cent of all emails we see with malware attachments,” says Palo Alto Networks Unit 42’s Brad Duncan.

The thousands of malicious emails delivered by MyDoom all over the world each month target a wide range of industries, from high tech, wholesale, and retail to healthcare, education, and manufacturing.

Between 2015 and 2018, MyDoom was found in 1.1 per cent of all malicious emails detected by security outfit Palo Alto Networks, while reaching "an average of 21.4 per cent for all individual malware attachments seen through malicious emails".

The gap between those two figures comes from the worm's polymorphism: each copy it mails out differs from the last, so a small share of emails produces a disproportionately large number of unique sample hashes. It also means a hash blocklist alone will never keep pace with MyDoom; detection has to key on the worm's behaviour rather than on individual file hashes.

During the first half of 2019, MyDoom saw a slight boost in the number of malware samples detected, as well as a boost in the number of malicious emails delivered to and from its victims.

Enough computers have been infected since MyDoom first appeared in 2004, and have kept infecting other machines over the years, to keep the worm alive, although it is far less dangerous than it was at the outset.

“Both China and the United States are the primary recipients of MyDoom emails, although the distribution remains global and targets many other countries,” concludes Duncan.

“High tech is the most frequently targeted industry.”

* Sergiu Gatlan is Security/Tech News Reporter at Bleeping Computer. He tweets at @serghei.

This article first appeared at www.bleepingcomputer.com.
