Mydoom Virus Targets Internet Ad Servers

Several major Internet advertising hosts are among the many targets of a new Mydoom virus that is plaguing Internet users in the guise of undelivered e-mail.

According to Symantec Security Response, the virus blocks computers it infects from accessing a list of about 60 Web sites, among them sites that deliver ads hosted by DoubleClick, FastClick and Atlas DMT, a subsidiary of aQuantive. An infected computer would be unable to access ads that originated from these Web sites.

Other sites blocked by the virus include the Microsoft Windows Update site and several anti-virus and security Web sites, including Symantec's own home page.

A virus that targets Internet advertising companies in this way is unusual, said Richard M. Smith, a privacy and Internet security consultant. The virus might have originated in Russia, the source of recent virus attacks that were launched by spammers, he said.

“In some sense, it's like they're going after their competitors,” he said. “That's a stretch, but it's not just a bunch of random hackers.”

However, in this case, the damage incurred by Internet ad hosts targeted by the virus will be minimal because the number of computers affected will be relatively small, Smith said.

Mydoom first appeared on the Internet early this week disguised as a jumbled e-mail and later in the form of an undelivered and returned e-mail. On Jan. 28, a new version of the virus appeared.

It is this new version that targets the Internet ad companies. However, this version, known as Mydoom.b, has been slow to propagate, said Steven Sundermeier, vice president of products and services for Central Command, Medina, OH, a provider of anti-virus software.

Central Command blocks tens of thousands of copies of the first version of the virus each hour, Sundermeier said. In contrast, Mydoom.b is barely registering.

There is much anti-virus-industry speculation on why Mydoom.b has been unsuccessful, but a flaw in the program code may be responsible, Sundermeier said.

DoubleClick technicians noted that problems with accessing its ad-serving Web sites were just one of the potential difficulties that users of infected computers could experience with Mydoom, a company spokeswoman said.

“The general reaction is that any user with a PC infected by a virus is going to experience multiple problems across the boards,” the spokeswoman said. “Breakage in ad serving is just one possibility coming from any vendor.”

Representatives of Atlas DMT and FastClick did not return phone calls for comment yesterday.

Recent virus outbreaks have focused on making money for virus authors by stealing personal information that can be used in identity theft scams, Sundermeier said. In this case, the virus appears to be trying to take money away from Internet ad hosts, perhaps to fulfill a grudge held by the author.

“Attacks are typically sent against things they are angry at,” he said. “That's the nature of this beast.”

Internet advertisers are only secondary targets of the virus. Mydoom's bigger threat stems from its ability to hijack computers to serve as gateways by which it can access private computer networks.

The virus also has a “time bomb” element. Security experts expect Mydoom to force computers it infects to launch a “denial of service attack” — in which Web sites are flooded with traffic to shut them down — against the Web sites of SCO Group Inc. on Feb. 1 and Microsoft on Feb. 2.

Microsoft is a common target of e-mail viruses. SCO Group has roused the anger of some in the IT industry because of its lawsuit against IBM over use of the popular Windows-alternative Linux operating system.
