Mytob Family Reproduces Like Rabbits - InformationWeek


02:14 PM

Mytob Family Reproduces Like Rabbits

Since its debut about six weeks ago, 40 Mytob variants have appeared, a new record for a worm. The writers are trying to get it past anti-virus defenses by constantly tweaking it. Two sites offer free removal tools - Symantec and Sophos.

The Mytob worm family has grown by leaps and bounds -- half a dozen variants just this past weekend -- and is a marker of the trend toward more-more-more by virus and worm writers, a security analyst said Monday.

Since its debut about six weeks ago, 40 Mytob variants have appeared, a new record for the number of variants spawned by a single worm.

"The writer or writers of Mytob have been very busy creating variants," said Graham Cluley, an analyst with the U.K.-based anti-virus vendor Sophos. "They're trying to get it past anti-virus defenses by making small changes, and constantly tweaking it."

The half-dozen versions that rolled out over the weekend, said Cluley, illustrate the lengths to which virus writers will go to sneak by defenses. "The writers will produce a version, which is then detected by anti-virus labs, then the writers create a new version to top the last one. In the case of those over the weekend, they were similar enough that we could say they were all from the Mytob family, and detect them with a generic signature already in place."

Mytob is a mass-mailed worm that includes its own SMTP engine to spread itself to other PCs after hijacking addresses from an infected system. It also includes a backdoor component which lets the hacker send additional commands and/or files to the compromised computer to turn it into a spam-spewing zombie, or to load spyware for snapping up usernames and passwords.

Although it doesn't include any revolutionary characteristics, it does, said Cluley, draw on a broad range of hacker tactics. It tries to disable a large number of firewalls and anti-virus programs, changes the Windows HOSTS file so that users can't update their machines, and scans for computers that haven't been patched against the LSASS vulnerability in Windows, which was first disclosed in August 2004.
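The HOSTS-file trick described above, as an added defender-side check that is not from the article or from any vendor: it parses a HOSTS file and flags any entry that sinks a security-vendor or update hostname to a loopback or null address. The watch list and the sample HOSTS text are constructed for illustration.

```python
"""Flag HOSTS-file entries that redirect security-vendor update hosts.

Mytob-style worms edit the Windows HOSTS file so that anti-virus and
update hostnames resolve to the local machine, silently breaking
signature updates. This check reports any line that maps a watched
name to a loopback or null address.
"""

# Constructed watch list of update hostnames; extend for your environment.
WATCHED_SUFFIXES = (
    "symantec.com", "sophos.com", "pandasoftware.com",
    "windowsupdate.com", "microsoft.com",
)
# Addresses commonly used to sink a hostname.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:                    # blank or malformed line
            continue
        ip, names = parts[0], parts[1:]       # one IP, one or more names
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def find_tampered_entries(text):
    """Return the (ip, hostname) pairs that sink a watched hostname."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip in SINK_ADDRESSES and is_watched(name)]


# Constructed sample: a legitimate localhost line plus tampered ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com   # added by the worm
0.0.0.0         update.sophos.com liveupdate.symantec.com
10.0.0.5        intranet.example   # harmless internal entry
"""

if __name__ == "__main__":
    for ip, name in find_tampered_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```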

"Over the last year or so, virus writers have concentrated on putting out large numbers of variants," said Cluley. "Now that worms and viruses are being written for financial reasons -- to gain control of a PC to turn it into a zombie, say -- writers have a real incentive to get past defenses."

Mytob seems to be similar in some ways to the longer-running MyDoom family -- Sophos renames the most recent Mytob worms as a generic MyDoom when its anti-virus software detects them -- and at least one security firm suspected that that's no coincidence.

"The source code of MyDoom seems to have been used as a basis to create the Mytob worms," said Luis Corrons, the head of Panda Software's research labs. But the Mytob creator upped the MyDoom ante by adding his own twist, said Corrons. "Some modifications have been made, as they are also programmed to exploit the Windows LSASS vulnerability, which allowed the Sasser worm to launch a widespread attack in 2004."

Alfred Huger, senior director of engineering at Symantec's security response team, disagreed, and said that the sheer number of variants was likely due to one of two things.

"One, the source code for this may have become available to others," Huger said. "Frankly, the virus community does a better job of 'sharing' than the commercial software world."

The second possibility, he said, was that the backdoor communication channel of each variant was quickly being shut down, forcing the writer (or writers) to crank out another version. "The Trojan component is controlled from an IRC network," said Huger. "As each variant appears, its IRC network is being shut down, which is probably why the author is pumping out new releases."

While no security firm has tagged Mytob with a red alert status -- most have labelled it as a moderate threat or lower -- it is creeping up the charts, said Sophos' Cluley. "In the last 24 hours, we're showing a Mytob at number seven and number eleven."

Huger agreed. "Yes, there have been a much higher than average number of Mytob variants, but it's getting little uptake," he said, "mostly because all the anti-virus companies are detecting it."

Some vendors have posted Mytob removal tools for those who have been infected, and lack anti-virus software that will do the job. Symantec, for example, has a free removal tool on its site, as does Sophos.
