The Web: Hacktivists behind MyDoom worm

By GENE J. KOPROWSKI, United Press International

A weekly UPI series examining the global telecommunications phenomenon known as the World Wide Web.

--

CHICAGO, Jan. 28 (UPI) -- Internet-based hacker-activists -- known as hacktivists -- seem to be behind the mass e-mailing this week of the MyDoom worm, which has commandeered consumers' computers around the globe to serve as a staging area for another, more potent attack on their primary, commercial target next month.

Computer experts told United Press International that MyDoom -- a self-replicating string of malicious computer code -- could turn out to be the most widespread worm of all time, topping last summer's well-known attack by the SoBig virus.

As of Tuesday, one of every nine e-mail messages being received by the average computer user was infected with the worm, according to research by Central Command, an anti-virus software maker in Medina, Ohio.

So far, there does not seem to be much that consumers whose personal computers run Microsoft Corp. products can do to stop the worm once it has infected their systems. Computer scientists are striving to complete a cure for it.

"This worm appears to be a form of hacktivism," Gary Morse, president of Razorpoint Security Technology, a computer consultancy in New York City, told UPI. "It is only infecting machines that are running Windows as their operating system, not those that are running the Mac operating system or the Solaris operating system."

The worm does not destroy a PC's hard drive, or erase its memory, but it does take command of the computer, turning it into a relay station for the hackers' future use.

"It appears to run through a user's address book and then propagate itself as widely as possible," Morse said. "It makes your machine into a zombie (that) can be controlled by the hacktivists."

Researchers at Symantec Corp.'s security response unit, with offices in Santa Monica, Calif., and in Europe, have discerned that MyDoom is programmed to stay dormant until Feb. 1, said Oliver Friedrichs, a senior manager at Symantec, during a teleconference with journalists Tuesday.

Friedrichs said that by this weekend, all of the machines that have been hijacked will be deployed as relay stations for what appears to be a denial-of-service attack on the computers of SCO, formerly the Santa Cruz Organization, in Lindon, Utah. In the attack, he explained, those relay stations will overwhelm the company's servers with so many e-mail messages that its network no longer will be able to function.

SCO is a computer company embroiled in an intellectual property battle with a number of other major players in the computer world.

"They have their own flavor of Unix," an operating system for technical computing projects, Morse said. "They are embattled with IBM and Red Hat and Novell in a fight over intellectual property rights for the software. This has set off discussions on Web boards around the world. And it appears that someone who does not like where SCO stands has taken matters into their own hands."

This is all part of the global, ideological war online between the backers of the free operating system Linux, a version of Unix, and the supporters of the industry standard, Microsoft Windows, Morse said.

The worm has assiduously avoided infecting computers that have e-mail addresses ending with .edu and .mil, David Kennedy, director of research services at TruSecure's ICSA Labs, a computer consultancy in Mechanicsburg, Pa., told UPI.

"My guess is that the worm was created by an English speaker, probably an American," Kennedy said. "The analysis of the snippets of code does not indicate that the person writes ungrammatically, like a non-English speaker might."

MyDoom was first detected around 3 p.m. EST on Monday and has been spreading steadily ever since.

"The volume that we're seeing today hasn't decreased," Friedrichs said. "That tells us that it is still spreading." On a threat scale of one to five, with five being the worst condition, this worm merits a threat rating of four, he said, and added, "The worm is affecting corporate users more than other worms have in the past."

Computers running Windows products, such as Windows 95, Windows 98, Windows NT and Windows 2000, are at risk, Friedrichs said. Consumers running those operating systems are advised to avoid opening e-mail whose subject line indicates it is an error message and that displays a text-file attachment icon.

"It sends itself out through e-mail as an attachment," said Friedrichs. "One of the reasons that it is so successful is that it includes an icon of a text attachment. Users think it is an innocuous text document. It looks like it comes from their mail server. It looks like an error message."

Users can tell it is not a safe text file because it arrives with a .bat, .exe or .zip extension. They should avoid downloading files that end with those extensions, Friedrichs advised, even if the messages appear to be sent by colleagues or friends.
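The lure described above, an error-message subject paired with a .bat, .exe or .zip attachment, is the sort of combination a mail gateway can screen for. The following is an added example written for this page, not code from the article or from any anti-virus vendor; the subject keywords and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Extensions the article names as the giveaway: the icon says "text file",
# the filename says otherwise.
RISKY_EXTENSIONS = (".bat", ".exe", ".zip")
# Words that imitate a mail-server error notice. An assumption made for this
# example, not a list taken from the worm.
ERROR_SUBJECT = re.compile(r"\b(error|delivery|failed|undeliverable)\b", re.I)

def attachment_names(msg: Message) -> list[str]:
    """Filenames of every attached part, nested multiparts included."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def flag_mydoom_lure(raw: str) -> list[str]:
    """Reasons a message matches the lure; an empty list means it does not.

    Only the combination of an error-style subject and an executable or archive
    attachment is flagged: a genuine bounce carries no .exe, and a colleague's
    .zip does not normally pose as a server error."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    risky = [n for n in attachment_names(msg) if n.lower().endswith(RISKY_EXTENSIONS)]
    if not (ERROR_SUBJECT.search(subject) and risky):
        return []
    return [f"subject imitates an error notice: {subject!r}"] + [
        f"executable or archive attachment: {n}" for n in risky]

# Constructed sample message shaped like the lure (not real worm traffic).
LURE = """From: mailer-daemon@example.invalid
Subject: Mail Delivery System Error
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered; see the attached report.
--b1
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"

(binary omitted)
--b1--
"""
# A genuine bounce has the subject but no executable, so it is not flagged.
REAL_BOUNCE = "Subject: Delivery failed\n\nThe address does not exist.\n"
```

Calling `flag_mydoom_lure(LURE)` returns both reasons, while `flag_mydoom_lure(REAL_BOUNCE)` returns an empty list.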

"It installs itself in the computer's directory," he said. "It adds a registry key to the operating system so it can survive a reboot."

The reason the unknown hacktivists are using the technology this way is quite straightforward.

"It looks like the infected system is attacking the target," Friedrichs said. "The attackers can completely hide their identity."

MyDoom, which is also called Novarg by its creators, is infecting files at the music download site Kazaa.com, he said.

The upcoming attack on SCO is expected to commence Feb. 1 and end Feb. 12, Friedrichs said.

Though vicious, the code created by the hackers is far from a work of brilliance, experts said.

"There's not too much genius here," Morse said. "They used a common worm shell we've seen before to effect vulnerability in a Windows machine. But the real payload is staying dormant for the future attack."

--

Gene Koprowski covers the Internet for UPI Science News. E-mail [email protected]