As victims clean up, Mydoom mail keeps coming

The Mydoom e-mail worm that first appeared Monday is spreading more slowly, but the flood of infected e-mail messages it is generating shows no sign of abating, according to antivirus and e-mail security companies.

As organizations clean up following the outbreak, attention is turning to the enormous network of infected machines that continue churning out e-mail messages and will launch a 12-day long distributed denial-of-service (DDOS) attack against Unix software company The SCO Group Inc. on Sunday, said Mikko Hyppönen, antivirus research director at F-Secure Corp.

E-mail security company MessageLabs Inc. of Gloucester, U.K. has stopped 8.4 million e-mail messages containing copies of the worm since Monday, said Natasha Staley, information security analyst at MessageLabs.

“The virus has slowed down from the first 24 or 48 hours, but it’s still out there in pretty huge numbers,” she said.

About 20 percent of the e-mail received by servers owned by the city of Boston are Mydoom-generated e-mail. So far this week the city has received “thousands and thousands” of Mydoom messages, said Craig Burlingame, the city’s chief information officer.

To the south, North Carolina State University (NC State) in Raleigh is still receiving about 1 million Mydoom e-mail messages a day, five days after Mydoom first broke out on the Internet, said Tim Lowman, a systems architect at NC State.

The university has been receiving about 2.4 million messages a day since the outbreak began, double its normal volume, which is taxing mail servers, but has not slowed the delivery of e-mail, he said.

The flood of Mydoom e-mail is a credit to the worm’s super-efficient SMTP (Simple Mail Transfer Protocol) engine and to a slightly different approach to sending mail from earlier worms like Sobig-F, Hyppönen said.

Unlike earlier e-mail mass mailing worms, Mydoom not only sends e-mail messages to the addresses it culls from infected machines, it keeps sending mail to those same addresses in a never-ending loop, until the virus reaches its Feb. 2 expiration date, he said.

NC State saw infections on about 500 of the 30,000 or 40,000 hosts on the university network. Most of those infections were linked to systems in student dormitories, despite the fact that students received free copies of Symantec Corp.’s Norton Antivirus software from the university, Lowman said.

However, after suffering through an outbreak of the Sobig worm, NC State deployed a series of e-mail “governors” across the campus, monitoring mail traffic from individual hosts, and limiting each host to no more than 100 messages an hour. Despite an ice storm that shut down the campus on Monday, just as Mydoom was circulating, the governors were able to shut off e-mail access for Mydoom-infected hosts and keep them from sending out e-mail copies of the virus, he said.

“Most of our response was handled by automated processes and I was very pleased with how that worked,” he said.

While organizations and individuals mop up after Mydoom, attention is shifting to the planned DDOS attack that the worm will launch on The SCO Group’s Web site Sunday.

Network Associates Inc.’s McAfee antivirus unit said late Thursday that between 400,000 and 500,000 machines worldwide are believed to be infected with Mydoom. F-Secure puts the number at a “couple hundred thousand” hosts, Hyppönen said.

Whatever the exact number, the Mydoom author has a “huge” network with which to launch an attack, Hyppönen said.

Even large companies such as Microsoft Corp. would be challenged to handle traffic from so many systems. SCO is not such a company and has been knocked offline by much smaller DDOS attacks in the past, he said.

SCO did not immediately respond to a request for comment.

At NC State, administrators are worried more about compromised machines being procured by spammers than they are about them being used as zombies in a denial of service attack, Lowman said.

NC State has been careful to maintain good relationships with antispam blacklist organizations in the past and does not want to risk getting blacklisted because spammers take advantage of a backdoor created by Mydoom on infected machines, he said.

The university’s IT staff is busy patching infected systems and will monitor their e-mail use closely in the future, using the e-mail governors to cut off so-called “chatty hosts” that start to distribute large volumes of e-mail, he said.