The new wrinkle in MyDoom.M was its use of Google, Lycos, Yahoo and AltaVista. Upon infection, the virus launched search engine queries designed to identify valid e-mail addresses sharing the domain of the compromised machine. Google received about 45 percent of the queries, and experienced availability problems for several hours.
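One way a defender can spot the harvesting behaviour described above is to watch the outbound web proxy for internal hosts that suddenly issue a burst of search-engine queries mentioning the organisation's own domain. The following script is an added example, not Netcraft's code and not derived from the worm; it assumes a Squid-style native access log (timestamp, elapsed, client, status, bytes, method, URL), constructed sample lines, and guessed query-parameter names for the older engines (`q`, `p`, `query`).

```python
"""Added detection example: flag internal hosts issuing repeated search-engine
queries that mention the local e-mail domain, read from a Squid-style proxy log.
The log lines and the URL formats for Lycos/AltaVista are constructed samples."""
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Search engines named in the article; the hostnames are assumptions.
SEARCH_ENGINES = {
    "www.google.com", "search.yahoo.com",
    "search.lycos.com", "www.altavista.com",
}
# Query-string parameters that carry the search terms (assumed per engine).
QUERY_PARAMS = ("q", "p", "query")

# Constructed Squid native-format lines: host 10.0.0.5 hunts for addresses at
# example.com across four engines; host 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
1090900000.001 120 10.0.0.5 TCP_MISS/200 3210 GET http://www.google.com/search?q=%40example.com - DIRECT/1.2.3.4 text/html
1090900000.105  98 10.0.0.5 TCP_MISS/200 3100 GET http://search.yahoo.com/search?p=example.com+mail - DIRECT/1.2.3.5 text/html
1090900000.201 110 10.0.0.5 TCP_MISS/200 2990 GET http://search.lycos.com/default.asp?query=%40example.com - DIRECT/1.2.3.6 text/html
1090900000.310 130 10.0.0.5 TCP_MISS/200 3300 GET http://www.altavista.com/web/results?q=example.com+contact - DIRECT/1.2.3.7 text/html
1090900000.400 140 10.0.0.7 TCP_MISS/200 5000 GET http://www.google.com/search?q=weather+forecast - DIRECT/1.2.3.4 text/html
1090900000.500  90 10.0.0.7 TCP_MISS/200 7000 GET http://www.example.com/index.html - DIRECT/5.6.7.8 text/html
"""


def is_domain_search(url: str, local_domain: str) -> bool:
    """True if url is a query to a known search engine whose terms mention local_domain."""
    parsed = urlparse(url)
    if parsed.hostname not in SEARCH_ENGINES:
        return False
    params = parse_qs(parsed.query)
    terms = " ".join(v for name in QUERY_PARAMS for v in params.get(name, []))
    return local_domain.lower() in terms.lower()


def harvesting_hosts(log_text: str, local_domain: str, threshold: int = 3) -> dict:
    """Return {client_ip: count} for clients with at least `threshold` domain searches."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip blank or malformed lines
            continue
        client, url = fields[2], fields[6]
        if is_domain_search(url, local_domain):
            counts[client] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in harvesting_hosts(SAMPLE_LOG, "example.com").items():
        print(f"{host}: {n} search-engine queries for example.com addresses")
```

In production the count would be taken over a sliding time window rather than the whole file, and the engine hostnames and parameter names would be maintained as a list; the point is that the worm's harvesting traffic looks nothing like a person's searches, so a per-host threshold on domain-mentioning queries is a cheap, low-noise signal.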
The search engines adjusted fairly quickly. Not so for many e-mail users. It’s been six months since the original MyDoom virus received huge publicity as it clogged e-mail systems and launched a distributed denial of service (DDoS) attack on The SCO Group.
MyDoom’s once novel social engineering trick – disguising its executable payload as a bounce message from an e-mail administrator – should be familiar by now. MyDoom.M masqueraded as an e-mail warning from a corporate IT department that the recipient’s machine had been compromised, a gambit used in recent phishing scams targeting eBay, Citibank and U.S. Bank, among others. Did these scams receive a click-through rate similar to the MyDoom.M attachments? Neither the target companies nor victimized customers are likely to say, but the evidence is not encouraging.
Internet users who were briefly deprived of Google access Monday will recover quickly. The thousands of e-mail users who opened the MyDoom.M attachment have larger problems, as the virus was programmed to install a backdoor component that listens on port 1034, which will now attract the attention of attackers.
Phishing attacks seek to trick account holders into divulging sensitive account information through e-mails that appear to come from trusted financial institutions and retailers. Netcraft has developed a service to help banks and other financial organizations identify sites that may be setting up frauds, identity theft and phishing attacks by pretending to be the bank, or that imply a relationship with the bank when in fact there is none.