Cyber alert system debuts as super worm spreads
The e-mails target home users and other people not familiar with the technical jargon that often accompanies private sector warnings. Individuals, businesses and government agencies also use those alerts to keep tabs on Internet threats and to get advice on how to mitigate their damaging effects.
The launch of the National Cyber Alert System came as a virulent new worm spread rapidly across the Internet through e-mails, infecting hundreds of thousands of computers.
Security experts discovered the worm, called Mydoom, on Monday as it arrived in computer users' e-mail boxes. An infected message, often with the subject line "hi" or "test," contains an attachment that, when opened, allows the worm's controller to commandeer the infected machine. The controller can then command the machine, called a zombie, to bombard Web sites with electronic messages. The massive flow, known as a denial of service attack, can cause a Web site to shut down.
On Wednesday afternoon, new versions of the Mydoom worm appeared. Experts believe it is more powerful than the first. The worm is designed to launch an attack on Microsoft Corp.'s Web site in February.
Mydoom also blocks infected users' access to 65 other Web sites, most of which are run by anti-virus companies, said Ken Dunham, a virus analyst with iDefense Inc. This prevents users from accessing Web sites where they could download digital remedies to disinfect or protect their computers, he said.
Other experts tracking the worm, which also goes by the names Novarg and Shimgapi, said data indicates attackers are commandeering zombies for Web attacks and to launch more worm-carrying e-mails. Some reports said as many as 500,000 computers had been infected.
Dunham said his lab noticed that other computer attackers were trying to commandeer machines already infected by Mydoom. But on Wednesday, the original author began uploading command files into infected machines that would effectively lock out all other attackers, because only the author would know how to access those files. In effect, the attacker has put a lock on some computers, and he has the only key.
The Mydoom worm sends itself using an unsuspecting user's e-mail address, a technique called spoofing. This doesn't mean the user is infected, but it could be a sign that the worm bit someone who has the spoofed user's address in his contacts file.
Mydoom also has arrived as a message masquerading as a security warning. The message urges users to open attachments with important information about the infection, a strategy that experts said shows virus and worm writers continue to use psychological trickery to get users to infect their machines.
The rapid rise and spread of Mydoom provided an ironic backdrop to Homeland Security's announcement of the new security alert system. Amit Yoran, the director of the department's national cybersecurity division, said the government's system was not intended to compete with existing alert plans run by private sector security companies and other experts.
Yoran said his division would stay apprised of Mydoom's developments to assess its impact on national infrastructures and businesses. He said the center would follow a similar strategy during future virus and worm outbreaks. The United States Computer Emergency Readiness Team (US-CERT), a consortium of government agencies and private sector and academic members, will manage the operations of the alert center, according to Homeland Security.
Users can sign up for e-mail alerts at http://www.us-cert.gov. By mid-afternoon Wednesday, the Web site had posted no warnings or information about Mydoom.
Meanwhile, Mydoom showed no signs of relenting. According to virus tracker mi2G Intelligence Unit in London, the worm had spread to more than 170 countries in less than 48 hours. The company also estimated that loss of business, bandwidth clogging and productivity declines caused by dealing with the worm had caused $3 billion of "economic damage."
SCO Group Inc., a Utah company that has been embroiled in legal tussles with Linux, the major purveyor of open source software, offered a $250,000 reward for information leading to the apprehension and conviction of the Mydoom author or authors. The company's Web site has been attacked numerous times in the past 10 months, according to CEO Darl McBride. Mydoom reportedly targets SCO's Web site for a denial of service attack in February.