Mytob Worm Family Reproduces Like Rabbits
Since its debut about six weeks ago, 40 Mytob variants have appeared, a new record for a worm in the quantity count.
"The writer or writers of Mytob have been very busy creating variants," said Graham Cluley, an analyst with the U.K.-based anti-virus vendor Sophos. "They're trying to get it past anti-virus defenses by making small changes, and constantly tweaking it."
The half-dozen versions that rolled out over the weekend, said Cluley, point out the lengths to which virus writers will go to sneak by defenses. "The writers will produce a version, which is then detected by anti-virus labs, then the writers create a new version to top the last one. In the case of those over the weekend, they were similar enough that we could say they were all from the Mytob family, and detect them with a generic signature already in place."
Mytob is a mass-mailed worm that includes its own SMTP engine to spread itself to other PCs after hijacking addresses from an infected system. It also includes a backdoor component which lets the hacker send additional commands and/or files to the compromised computer to turn it into a spam-spewing zombie, or to load spyware for snapping up usernames and passwords.
Although it doesn't include any revolutionary characteristics, it does, said Cluley, use a broad reach of hacker tactics. It tries to disable a large number of firewalls and anti-virus programs, changes the Windows HOSTS file so that users can't update their machines, and scans for computers that haven't been patched against the LSASS vulnerability in Windows, which was first disclosed in August 2004.
"Over the last year or so, virus writers have concentrated on putting out large numbers of variants," said Cluley. "Now that worms and viruses are being written for financial reasons -- to gain control of a PC to turn it into a zombies, say -- writers have a real incentive to get past defenses."
Mytob seems to be similar in some ways to the longer-running MyDoom family -- Sophos renames the most recent Mytob worms as a generic MyDoom when its anti-virus software detects them -- and at least one security firm suspected that that's no coincidence.
"The source code of MyDoom seems to have been used as a basis to create the Mytob worms," said Luis Corrons, the head of Panda Software's research labs. But the Mytob creator upped the MyDoom ante by adding his own twist, said Corrons. "Some modifications have been made, as they are also programmed to exploit the Windows LSASS vulnerability, which allowed the Sasser worm to launch a widespread attack in 2004."
Alfred Huger, senior director of engineering at Symantec's security response team, disagreed, and said that the sheer number of variants was likely due to one of two things.
"One, the source code for this may have become available to others," Huger said. "Frankly, the virus community does a better job of 'sharing' than the commercial software world."
The second possibility, he said, was that the backdoor communication channel of each variant was quickly being shut down, forcing the writer (or writers) to crank out another version. "The Trojan component is controlled from an IRC network," said Huger. "As each variant appears, its IRC network is being shut down, which is probably why the author is pumping out new releases."
While no security firm has tagged Mytob with a red alert status -- most have labelled it as a moderate threat or lower -- it is creeping up the charts, said Sophos' Cluley. "In the last 24 hours, we're showing a Mytob at number seven and number eleven."
Huger agreed. "Yes, there have been a much higher than average number of Mytob variants, but it's getting little uptake," he said, "mostly because all the anti-virus companies are detecting it."
Some vendors have posted Mytob removal tools for those who have been infected, and lack anti-virus software that will do the job. Symantec, for example, has a free removal tool on its site, as does Sophos.