The virus, which has combined many old attack techniques into a successful package, was hardly blunted by antivirus programs during the first few hours of its exponential spread.
That's a problem, said Shlomo Touboul, chief executive of security software maker Finjan Software.
"The MyDoom attack should never have propagated so far into the Internet," he said. "It is obvious that we need another layer [of software] to protect during the first hours of attack."
Despite a deep understanding of how such viruses spread, security experts seem to be at a loss as to how to stop them. Popular antivirus technology is generally ineffectual against many of the attacks until an update is downloaded by the user. Moreover, even though antivirus software is the most popular security technology in use -- about 99 percent of corporations use it, according to the Computer Security Institute -- many home users still don't use the software.
"Many people don't even have the software," said Bruce Schneier, chief technology officer for Counterpane Internet Security. "And for those that do, the first few hours of an epidemic is a race against time."
MyDoom spread through email a week ago, infecting a new computer every time an unwary user opened the attached file containing the program. As many as 2 million computers may have been infected. The original virus was programmed to attack the SCO Group's Web site last Sunday, while a variant is scheduled to target Microsoft on Tuesday.
Email service provider MessageLabs has quarantined more than 17 million email messages in a week, said Alex Shipp, senior antivirus technologist for the company. From data captured early in the epidemic, MessageLabs says that for every Internet address with an infected PC behind it, eight emails are sent, on average, to one of the company's customers.
However, even though companies are still seeing massive quantities of email messages bearing the MyDoom virus, the spread has slowed, stressed Shipp.
"I don't think that there are going to be many more people who are left to get infected," he said. "It has gotten most of the available pool of [unwary] people to open it."
The rapid spread opens new questions about how users and companies should defend themselves against the next virus. New software may not be the solution, Counterpane's Schneier said. Instead, the balance between usability and security may have to be re-evaluated.
"It's a fundamental question," he said. "Is the ability to execute attachments from Outlook a feature or a bug? I think it is a bug."
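The "another layer" the article's sources ask for is usually a policy check at the mail gateway, before the attachment ever reaches Outlook. The following is an added example, not code from the article, MessageLabs or any vendor quoted here: it parses a message with Python's standard `email` library and quarantines attachments that Windows would execute on a double-click, that carry a PE ("MZ") header under an innocent-looking name, or that hide an executable inside a ZIP archive. The extension list, the sample messages and the attachment bytes are constructed for the example and are not real MyDoom data.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy: extensions Windows runs when a user double-clicks them.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
PE_MAGIC = b"MZ"      # DOS/PE executable header
ZIP_MAGIC = b"PK"     # ZIP local file header signature


def is_executable_name(name):
    """True if any extension of a (possibly double-extension) filename is executable.

    Catches 'invoice.txt.exe' as well as 'invoice.exe' and trailing spaces/dots
    that some clients hide, e.g. 'readme.scr '.
    """
    if not name:
        return False
    parts = name.lower().rstrip(" .").split(".")
    return any(part in EXECUTABLE_EXTS for part in parts[1:])


def classify_payload(name, data):
    """Return the list of reasons to quarantine one attachment (empty if clean)."""
    reasons = []
    if is_executable_name(name):
        reasons.append(f"executable filename: {name}")
    # Content check: an executable renamed to .pdf still starts with MZ.
    if data[:2] == PE_MAGIC:
        reasons.append(f"PE header (MZ) in {name}")
    # Archives are trusted more than bare .exe files, so look inside them.
    if data[:2] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if is_executable_name(member):
                        reasons.append(f"executable inside archive: {name}/{member}")
        except zipfile.BadZipFile:
            reasons.append(f"PK signature but unreadable archive: {name}")
    return reasons


def scan_message(raw):
    """Parse raw RFC 822 bytes and return quarantine reasons for all attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons.extend(classify_payload(name, data))
    return reasons


def build_sample(filename, data):
    """Constructed test message: short text body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "test message"
    msg.set_content("See the attached file.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def zip_bytes(member_name, data):
    """Constructed ZIP archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    fake_pe = PE_MAGIC + b"\x00" * 60  # constructed stand-in, not a real binary
    samples = [
        build_sample("notes.txt", b"plain text, nothing to see"),
        build_sample("report.pdf", fake_pe),
        build_sample("photo.jpg.scr", b"not really a screensaver"),
        build_sample("archive.zip", zip_bytes("payload.exe", fake_pe)),
    ]
    for raw in samples:
        print(scan_message(raw) or ["clean"])
```

The point of combining the three checks is that each one alone is easy to evade: a renamed binary defeats the extension list, a ZIP wrapper defeats the header check, and a user who has been told "never open .exe" will still open "photo.jpg.scr". A gateway that quarantines on any of them needs no signature for the specific virus, which is exactly the window the article says antivirus updates leave open.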
Unless such threats are dealt with, many more computers connected to the Internet may be compromised. While MyDoom infects PCs and turns them into platforms from which to attack other PCs and to send spam, other attacks could be possible and even more devastating, said Paul Mockapetris, chairman and chief scientist for Internet technology firm Nominum.
"People should anticipate that [the attacker] is going to point these hacked PCs at other sites -- that's coming," he said. "What's going to be the security of all Web sites if those attacks get more prevalent?"
Already, SCO is feeling the pain. The company's Web site is the primary denial-of-service target of PCs infected with the original version of the MyDoom virus. At 8:09 a.m. PST on Sunday morning, infected PCs were programmed to deluge the site with data.
The attack, which effectively shuts down a site by flooding it with more traffic than it can handle, is hard to stop, said Blake Stowell, a spokesman for SCO.
"You have to try and think creatively about how to solve the problem," he said. "Is it something that you have to throw money at it or to think creatively and come up with a technical solution?"
After trying to keep its site up, SCO removed its Web site's address from the domain-name system, the global yellow pages for the Internet. It is now referring people to a new Web site.
The same thing could happen to Microsoft's main Web site, starting on Tuesday. A second variant of the MyDoom virus, which hasn't spread as far as the original, will begin sending data to the software giant's site. Microsoft would not comment on Monday on its defences, except to say that the company had prepared for the attack.
Other security experts believed Microsoft would fare better than SCO.
"It just goes to show what possibilities exist out there," said Vincent Gullotto, vice president of antivirus research for security company Network Associates. "When this was supposed to happen to Microsoft last year, I think they dealt with it in a more effective manner."

Talkback
The virus writers rely on the preview facility in Outlook and Outlook Express to open the viruses on people's computers automatically. This then installs the virus on their computer without the user clicking on anything - so the advice not to open unexpected emails is a waste of time, as for most users it's already too late.
I always advise people to turn this feature off - why doesn't Microsoft, if they are so concerned about the spread of viruses?
Has anybody noticed how many email autoresponders were triggered by MyDoom?
Next month's Spam Harvest should break all known records :(
I think it's unfair to lay the blame at the door of the anti-virus manufacturers. They have a very difficult job to do monitoring all the viruses that roam the internet. Apart from the cretins that make them, the blame lies with those people who still open unsolicited emails and download attachments that come with them. This is how viruses are spread so quickly.
It's true we need another layer of security to protect during the first hours of attack.
Have a look at www.mailcontroller.co.uk
The governments etc. allow this to go on whilst rapidly wasting millions on futile wars, inviting these attacks from the ((radicals)) as they are termed. Quite simply, the governments of the world should foot the bill, for they are the cause of all this furore: breeding hatred, greed, all that crap. And thank you, please show this????
What is interesting is that, according to Groklaw, while the domain name for SCO's web site may have changed, the IP address is exactly the same. Flimsy protection at best.
I am so fed up of home users that just can't be bothered to install the correct software to get rid of viruses.
A person I know would much rather format her hard drive than put up with the hassle of installing the software protection program. I think it's getting close to seeing the manufacturers and retailers not letting computers be sold WITHOUT the specialist software needed ... all they have to do then is register the software to be able to use it. Come on, retailers, put the anti-virus software on at point of sale and then the viruses just will not be able to spread.
1) The virus detection and removal needs to happen before the end user's machine.
The layer of protection needs to be removed from the control of the end user. Most PC users are ignorant of the technology, and why shouldn't they be? Users of nearly every technology are the same. What percentage of car drivers could do simple maintenance tasks like changing their air filter or spark plugs?
or
2) It's all very well adding anti-virus software to all PCs sold, but this won't solve the problem. Unless you have some method to force registration and regular updating, the problem will not go away.
So there would need to be some new protocol for internet connection:
When a Machine attempts to connect,
the ISP queries the Anti Virus software. If it's not there or is out of date only the sites of AV vendors can be accessed.
or
3) The writers, when found, need to be severely punished. 1 day of community service or £1 for every machine compromised should do nicely. The possibility of a lifetime's financial burden or labour for writing a successful virus would soon put writers off.
I was one of the first to be infected with MyDoom despite having all the layers of protection in place.
The first came from an educational establishment and I was very wary of opening an attachment that arrived unexpectedly.
I checked with my anti-virus vendor (AVG) and then with Symantec labs - no knowledge of MyDoom on their systems.
I opened the file, and even then my anti-virus did not protect me.
We need another system of early warning or layer of software to protect us.
MyDoom was encrypted so could not be easily read, and that is partly to blame for my decision to open it; it looked harmless when the header and body were read prior to opening.
What do we do - ban all attachments from e-mails?
Any good software writers out there with a better idea on what we can do to protect the internet and our e-mail system before the mail system itself is not trusted?
Cheers,
George Monaghan
I would have thought most PC owners would have adequate AV protection by now. Prevention is better than cure, & the time taken to restore full service again, as well as the expense. When will they ever learn??
I don't have any AV software. I have never gotten a virus. I have scanned before using other software, but then I uninstalled it because it was annoying and took up too much memory and inserted its tendrils into every part of my computer. Regardless, the scan showed no viruses. The reason I have no viruses is because, as a computer programmer, I understand how viruses work.
My computer is on and hooked up to the internet 24/7. The cable router that I have blocks any incoming IP attacks or whatever. I don't even care, it does what it is supposed to do. In other words, ignore stuff that I didn't ask for.
The reason I have Zone Alarm is to make sure my 'legitimate' programs do not connect to the internet without my knowledge. For example, Windows Media player is on prompt, because if I play a DVD, information about the DVD I'm watching is sent to Microsoft. Sometimes my Microsoft mouse tries to connect to the internet too.
For a while I got spyware from surfing the internet due to Microsoft's ActiveX stupidities. If you let all ActiveX objects run, then you get things like dialers and stupid monkeys on your computer. Now it is also on prompt, and I haven't gotten any ActiveX-installed spyware since, by using my best judgement as to when to run ActiveX objects. I occasionally run Ad-Aware to get rid of cookies, since they don't give you viruses, they just track your movements.
What I am saying, is that AV software is not necessary if you play it safe. The idea that viruses will get you no matter what is ridiculous. There's data, and then there's the execution of that data. For a virus to work, the data must run, otherwise it is just ones and zeroes. That viruses are everywhere and can't easily be avoided is just a myth perpetuated by greedy AV companies.
Did you know that if an e-mail has a virus attached to it, you can still read that e-mail? Did you know that you can still download the virus-ridden file? Did you know that you can throw that file in the trash bin and nothing will ever happen? Ooooo I'm livin' on the edge baby!
(html e-mails are different, as they can contain ActiveX objects. Just set your e-mail to receive plain text only.)
At least, that's the way I do things... maybe I have a virus right now... :O
Perhaps the problem lies with users that have little or no knowledge of computers and buy them only because the neighbour has one.
Sandbox technology used in Norman's anti-virus software can and has prevented previously unknown malware, including MyDoom. Over the past few months it has detected MyDoom, Bagle and Zafi before signature files were available.