Introduction To Security

This document provides an introduction to computer security concepts like threats, vulnerabilities, and defense in depth. It also summarizes the key details of the Mydoom computer worm from 2004, including its rapid spread through email, payloads to open backdoors and launch denial of service attacks, and timeline of activity from its discovery in January 2004 through later variants that emerged in subsequent years. The Mydoom worm represented one of the fastest spreading email worms and highlighted the ongoing threat of malware and cyber attacks at the time.

Uploaded by

LaurenceJA
Copyright
© Attribution Non-Commercial (BY-NC)

INTRODUCTION TO SECURITY

ONE ASSIGNMENT WITH CUT-OFF DATE
ONE EXAM
52 LABS ARE PART OF EXAM

THREAT
Any activity that represents a possible danger to your
information
(Attackers routinely scan systems on the Internet looking for
open ports)

VULNERABILITY
A weakness in your security that could be exploited by a
threat
(You misconfigured your firewall and left a port open)

Always check with trusted sites like Microsoft web sites for security threats:
Microsoft.com/technet/security/best

Trusted Computing Base—Security

Although numerous in the United States, there are only one or two in this country.

Defense in Depth
Network Protected
Operating System

BotNet


Name: Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi

This is a computer worm affecting Microsoft Windows.


It was first sighted on 26th January 2004 and became the fastest-spreading e-mail worm ever, exceeding the previous records set by the Sobig worm.

Mydoom appears to have been commissioned by e-mail spammers in order to send junk e-mail through infected computers. The worm contains the text message “Andy, I’m just doing my job, nothing personal, sorry”. This led many to believe that the worm’s creator was paid. Early on, several security firms published their belief that the worm originated from a professional underground programmer in Russia. (The actual author of the worm is unknown.)

Speculative early coverage held that the sole purpose of the worm was to perpetrate a denial-of-service attack against the Santa Cruz Operation (SCO Group). 25% of Mydoom.A-infected hosts targeted www.sco.com with a flood of traffic. Trade press conjecture, spurred on by SCO Group’s own claims, held that this meant the worm was created by a Linux or open source supporter in retaliation for SCO Group’s controversial legal actions and public statements against Linux. This theory was rejected immediately by security researchers. Since then, it has likewise been rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs.

Initial analysis of Mydoom suggested that it was a variant of the Mimail worm—hence the alternate name Mimail.R—suggesting that the same persons were responsible for both worms. Later analyses were less conclusive as to the link between the two worms.

The name Mydoom came from Craig Schmugar of McAfee, one of the earliest discoverers of the worm. He chose the name after noticing the text “mydom” within a line of the program’s code. He noted: “It was evident early on that this would be very big. I thought having ‘doom’ in the name would be appropriate.”

Mydoom is primarily transmitted via e-mail, appearing as a transmission error, with subject lines including “Error”, “Mail Delivery System”, “Test” or “Mail Transaction Failed” in different languages, including English and French. The mail contains an attachment that, if executed, resends the worm to e-mail addresses found in local files such as a user’s address book. It also copies itself to the “shared folder” of the peer-to-peer file-sharing application KaZaA in an attempt to spread that way.

It avoids targeting e-mail addresses at these universities: Rutgers, MIT, Stanford, and UC Berkeley, as well as Microsoft and Symantec.


The original version, Mydoom.A, is described as carrying two payloads:
- A backdoor on port 3127/tcp to allow remote control of the subverted PC (by putting its own SHIMGAPI.DLL file in the system32 directory and launching it as a child process of Windows Explorer).
- A denial-of-service attack against the website of the controversial company SCO Group, timed to commence 1st February 2004. Many virus analysts doubted whether this payload would actually function. Later testing suggests that it functions in only 25% of infected systems.

A second version, Mydoom.B, as well as carrying the original payloads, also targets the Microsoft website and blocks HTTP access to Microsoft sites and popular online antivirus sites, thus blocking virus removal tools or updates to antivirus software. The smaller number of copies of this version in circulation meant that Microsoft’s servers suffered few ill effects.
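As an added example (not code from the original notes), the Python below triages the indicators the notes describe from the defender's side: the fake transmission-error subject lines paired with an executable attachment in mail-gateway logs, and the 3127/tcp listener plus SHIMGAPI.DLL running under Explorer on a host snapshot. The log format, addresses, paths and the attachment-extension set are assumptions constructed for the example.

```python
import re

# Indicators taken from the notes above; all matching is case-insensitive.
MYDOOM_SUBJECTS = {"error", "mail delivery system", "test", "mail transaction failed"}
BACKDOOR_PORT = 3127            # Mydoom.A backdoor listens on 3127/tcp
BACKDOOR_DLL = "shimgapi.dll"   # dropped into system32, run as a child of Explorer
# Assumed set of attachment extensions a Windows user can run by double-clicking.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd")

# Constructed mail-gateway log lines in an assumed key=value format.
MAIL_LOG = """\
2004-01-27 09:14:02 from=alice@example.org to=bob@example.net subject="Mail Transaction Failed" attachment=message.pif
2004-01-27 09:15:40 from=carol@example.org to=bob@example.net subject="Lunch tomorrow?" attachment=agenda.pdf
2004-01-27 09:16:11 from=postmaster@example.com to=dan@example.net subject="ERROR" attachment=document.exe
2004-01-27 09:17:30 from=erin@example.org to=dan@example.net subject="Test" attachment=
"""
LINE_RE = re.compile(r'to=(?P<to>\S+) subject="(?P<subject>[^"]*)" attachment=(?P<attachment>\S*)')

def flag_mail(log: str) -> list[str]:
    """Return recipients of messages matching the lure: a Mydoom subject line together
    with an executable attachment. A subject alone is not flagged (real bounces use them)."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        subject = m["subject"].strip().lower()
        if subject in MYDOOM_SUBJECTS and m["attachment"].lower().endswith(EXECUTABLE_EXTENSIONS):
            hits.append(m["to"])
    return hits

def check_host(listeners: list[tuple[int, str, int]],
               processes: dict[int, tuple[str, list[str]]]) -> list[str]:
    """Check a host snapshot for the two payload indicators. listeners: (port, protocol, pid)
    as a netstat-style tool reports them; processes: pid -> (parent image name, module paths)."""
    findings = []
    for port, proto, pid in listeners:
        if port == BACKDOOR_PORT and proto.lower() == "tcp":
            findings.append(f"listener on {port}/tcp (pid {pid})")
    for pid, (parent, modules) in processes.items():
        for module in modules:
            path = module.lower().replace("/", "\\")
            if path.endswith("\\system32\\" + BACKDOOR_DLL) and parent.lower() == "explorer.exe":
                findings.append(f"{BACKDOOR_DLL} from system32 in child of Explorer (pid {pid})")
    return findings

if __name__ == "__main__":
    print(flag_mail(MAIL_LOG))   # ['bob@example.net', 'dan@example.net']
    print(check_host([(3127, "tcp", 1234)], {1234: ("explorer.exe", [r"C:\WINDOWS\system32\shimgapi.dll"])}))
```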
TIMELINE
26th January 2004—First identified around 08:00 EST, temporarily attacking the SCO Group website.
27th January 2004—SCO Group offers US $250,000.00 (£159,235.67 approx) for the arrest of the worm’s creator. In the US, the FBI and the Secret Service begin investigations.
28th January 2004—Mydoom.B messages are noticed around 14:00 UTC. The spread of Mydoom peaks; computer security companies report that Mydoom is responsible for roughly one in five e-mail messages at this time.
29th January 2004—The spread of Mydoom begins to decline as bugs in Mydoom.B’s code prevent it from spreading as rapidly as first anticipated. Microsoft offers a US $250,000.00 reward for information leading to the arrest of the creator of Mydoom.B. (Please note this makes a total of US $500,000.00 and £318,471.33.)
1st February 2004—Approximately 1,000,000 computers globally infected by Mydoom take part in the distributed denial-of-service (DDoS) attack.
3rd February 2004—Mydoom.B’s DDoS against Microsoft begins; Microsoft offers a website which will not be affected by the worm.
9th February 2004—Doomjuice, a parasitic worm, starts spreading. This worm uses the backdoor left by Mydoom to spread. It does not attack non-infected computers. Its payload, akin to one of Mydoom.B’s, is a denial-of-service attack against Microsoft.
12th February 2004—Mydoom.A is programmed to stop spreading. However, the backdoor remains open.
1st March 2004—Mydoom.B is programmed to stop spreading; as with Mydoom.A, the backdoor remains open.
26th July 2004—A variant of Mydoom attacks Google, AltaVista, and Lycos, completely stopping Google for approximately 24 hours and slowing down AltaVista and Lycos.
10th September 2004—Mydoom versions U, V, W, and X appear, sparking worries that a new, more powerful Mydoom is being prepared.
18th February 2005—Mydoom version AO appears.
July 2009—Mydoom resurfaces in the July 2009 cyber attacks affecting South Korea and the United States.

This information was updated as of 9th October 2009.
