The new worm, DoomJuice.B, sets random HTTP headers to make it more difficult to filter the attack traffic, seeking to work around a defensive measure used by Microsoft earlier this week, when www.microsoft.com dropped requests without User-Agent headers to differentiate between Web browsers and the DDoS attack agents. The DoomJuice.B DDoS also initiates twice as many requests as its predecessor, launching 32-192 parallel threads instead of the 16-96 of DoomJuice.A.
The first DoomJuice (also called MyDoom.C) was found Monday and targeted Microsoft's web site, which experienced performance problems during that general time frame. The army of "zombie" computers potentially commanded by DoomJuice.B is likely be smaller than the original pool of MyDoom.A-compromised machines that have kept the the SCO website offline since Feb. 1 with a DDoS attack. DoomJuice uses a backdoor left open by MyDoom.A to propagate itself, foregoing efforts to spread through e-mail and peer-to-peer file sharing networks.
Some estimates placed the number of MyDoom.A infections at more than 400,000. Widespread news coverage of MyDoom has likely led to a reduction in that number, as users become educated and secure their computers. But as of yesterday more than 65,000 IP addresses were actively scanning to and from port 3127, the backdoor left open by MyDoom.A., according to data from the SANS Institute's Internet Storm Center.
Performance data for all the sites involved in the MyDoom/DoomJuice DDoS efforts is located here.