Why Is MyDoom Author Spreading Source Code?

Among its other nefarious activities -- which include a denial-of-service attack on Microsoft's primary Web site, Microsoft.com -- MyDoom.c (which also goes by the name of Doomjuice) drops a compressed copy of MyDoom's source code into a number of directories on the compromised machine.

"There is already a $500,000 reward for information leading to the conviction of MyDoom's author," said Graham Cluley, senior technology consultant for Sophos in a statement. "If he has spread his code around the Net onto innocent computers in an attempt to hide in the crowd, then he's more sneaky than the average virus writer."

Two weeks ago, Microsoft and The SCO Group each offered a quarter-million dollar bounty for information leading to the arrest and conviction of the maker of the original MyDoom and the first variant, MyDoom.b.

Several security analysts have gone on the record saying that they think one individual wrote both MyDoom and MyDoom.c/Doomjuice.


"They were definitely done by the same person or group," said Ken Dunham, the director of malicious code research for iDefense. "It's somewhat circumstantial," he said of the evidence, but it's there nonetheless. Among the clues: the seeding of MyDoom source code on infected PCs.

"There is the chance that the author [of MyDoom.c/Doomjuice] is doing this as a way to cover his tracks," agreed Dunham.

If true, then Cluley's take on the rationale for spreading MyDoom source code may be on the mark. But even he's hedging his bets.

"The other possibility is that MyDoom's author is spreading the code to encourage others to write copy-cat viruses which try and mimic MyDoom," Cluley admitted.

Dunham went further, arguing that this is the real reason MyDoom's source code is being distributed by MyDoom.c/Doomjuice.

Rather than spread the MyDoom source code as a way to muddy the legal waters in case he is caught, Dunham sees the inclusion of the code as a clever dissemination tactic. His impression is that the attacker wants to put the code into the hands of as many fellow travelers as possible in the hope that others will pick up on his work, and continue the denial-of-service attacks against Microsoft and other sites.

"The kind of person who creates a worm like this, who spends all this time planning, isn't generally the kind of guy who is going to fear prosecution," Dunham said.

"He has one goal: mass disruption," said Dunham. "Although he won the battle against SCO, he lost against Microsoft in the first round. I think he's just been spited, and is saying, 'You think you've won, well guess what, I'm going to try this. Neener neener.'"

Security experts and analysts agree that users -- both consumers and those in business -- should find and remove every MyDoom infection, or risk continued attacks through the open ports and backdoors the original worm leaves behind; that backdoor is the route MyDoom.c/Doomjuice uses to re-infect computers.
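The article does not say which ports the MyDoom backdoor listens on. As an added check, not code from the article or from Microsoft's removal tool, the following Python sweep connects to a list of candidate backdoor ports on each host and reports which ones accept a TCP connection. The port range used as the default is the one commonly reported for MyDoom.a's backdoor (TCP 3127 upward) and is an assumption here, not something the article states; the self-check at the bottom stands up a throwaway local listener so the sweep can be exercised offline.

```python
import socket
from contextlib import closing

# Assumption (not from the article): the TCP port range commonly reported
# for the MyDoom.a backdoor. Adjust to whatever your own intel says.
MYDOOM_BACKDOOR_PORTS = range(3127, 3199)


def probe_port(host, port, timeout=0.5):
    """Return True if a TCP connect to host:port completes within timeout.

    A listener that accepts the handshake is treated as a hit; refused,
    filtered (timeout) and unreachable ports are all treated as closed.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def find_listeners(hosts, ports=MYDOOM_BACKDOOR_PORTS, timeout=0.5):
    """Sweep hosts x ports and return a list of (host, port) that accept TCP.

    A hit only means something is listening; confirm with the vendor's
    removal tool before treating the machine as infected.
    """
    hits = []
    for host in hosts:
        for port in ports:
            if probe_port(host, port, timeout):
                hits.append((host, port))
    return hits


def self_check():
    """Offline demonstration: one constructed local listener, then the same
    port after the listener is closed. Returns (hits_while_open, hits_after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port stands in for a backdoor
    srv.listen(5)                        # handshake completes into the backlog
    port = srv.getsockname()[1]
    try:
        while_open = find_listeners(["127.0.0.1"], [port], timeout=1.0)
    finally:
        srv.close()
    after_close = find_listeners(["127.0.0.1"], [port], timeout=1.0)
    return while_open, after_close, port


if __name__ == "__main__":
    open_hits, closed_hits, port = self_check()
    print("listener open:  ", open_hits)
    print("listener closed:", closed_hits)
```

Run it against real subnets by calling `find_listeners(["10.0.0.5", "10.0.0.6"])` with the default port range; a short timeout keeps a sweep of a /24 manageable, but raise it on a slow network or filtered ports will be missed.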

Along those lines, Microsoft on Monday posted a revised MyDoom removal tool updated to account for MyDoom.c/Doomjuice. The new tool, available at Microsoft's Download Center, cleans machines infected with MyDoom.a (the original worm), MyDoom.b, and Monday's MyDoom.c/Doomjuice.

This story courtesy of TechWeb News