Attack Analysis: Observation of the Novarg/MyDoom Worm


Authors: Thomas Dübendorfer, duebendorfer@tik.ee.ethz.ch, Arno Wagner, wagner@tik.ee.ethz.ch
initial version January 26th, 2004

Introduction

On January 26th, 2004, the Novarg/MyDoom e-mail worm first appeared. It is a malicious program that runs on Microsoft Windows systems and must be explicitly executed by the user to install and activate itself.

Similar to the Sobig.F worm of August 2003, this new worm provides its own mail transfer agent and replicates by sending copies of itself as an e-mail attachment (.scr, .exe, .pif, .cmd, .bat or .zip) of roughly 30 kBytes. Recipient and sender addresses are taken from the local e-mail address book and other local files, so that the message appears to originate from a person known to the recipient.

Additional "features" of the worm are that it copies itself to the local KaZaA P2P file-sharing directory if one exists, and that it starts a DDoS attack on www.sco.com after a reboot on Feb 1st, 16:09:18 UTC. After Feb 12th this attack ceases; the backdoor, which listens on ports 3127-3198/TCP, however remains.

The characteristic signal for monitoring the spread of Novarg/MyDoom is increased activity on the e-mail service (SMTP, 25/TCP).

Below we discuss a few network traffic statistics that were generated for the time of the initial spreading phase of the Novarg/MyDoom worm. The network traffic shown is the total of all Internet e-mail traffic (SMTP on 25/TCP) leaving or entering the SWITCH network, a moderately sized backbone network carrying roughly 5% of all Internet traffic from and to hosts in Switzerland.

As a first estimate, one can say that during the spreading of Novarg/MyDoom an increase of 14% (for Tue, 27th Jan. 2004) to 30% (for Wed, 28th Jan. 2004) in e-mail traffic volume (measured in bytes per hour) was observed. Compared to the e-mail worm Sobig.F of August 2003, which caused a five-fold increase in e-mail traffic load within the initial hour of its spreading, the Novarg/MyDoom worm seems comparatively harmless.

Possible reasons for the moderate worm spreading observed are:

  • Public awareness of e-mail worms: Many computer users did not activate the worm code by executing the attachment (they remembered Sobig.F)
  • Up-to-date anti-virus software: Novarg/MyDoom signatures for e-mail virus scanners were available from most anti-virus vendors by Jan 27th, and widespread automatic update mechanisms applied them quickly to most corporate e-mail servers and home computers
  • Firewall SMTP filtering: Some network operators installed egress filtering during the Sobig.F outbreak to catch e-mails sent directly to arbitrary Internet e-mail servers; this now also prevented this e-mail worm from spreading once activated behind such a firewall

Observation Setup

The graphs are based on Cisco NetFlow data exported by all SWITCH border routers. Due to the amount of data captured, it is split into one-hour intervals, which currently start and end 12 minutes past the full hour. For all graphs the time given is the start time of such an interval.

Processing a one-hour interval of data to generate these graphs took about 15 minutes on an Athlon XP 2200+. The calculations were done on the TIK cluster "Scylla".

Interpretation

The first graph shows the total number of bytes per hour transferred as e-mail (SMTP) traffic over the border routers of the SWITCH network. A daily rhythm is clearly recognizable. The five weekdays have rather heavy traffic with a maximum around 12 GiBytes per hour, whereas on Saturdays and Sundays the traffic is considerably lower. The daily lunch break can be seen nicely during weekdays.

On Tuesday, 27th of January 2004, starting in the early afternoon local Swiss time, there is a noticeable increase in bytes transferred, rising to around 14 GiBytes/hour on Tuesday and 18 GiBytes/hour on Wednesday, which is approximately 15%-30% more than usual. This can be regarded as the outbreak of the Novarg/MyDoom worm. The e-mail traffic is almost back to normal by Friday, 30th of January.

The second graph shows the number of connections per hour split by origin of the e-mail sender. Interestingly, around midnight on Sunday, 25th, there is a huge increase in the number of SMTP connections originating from SWITCH-external hosts and destined to SWITCH-internal hosts on the e-mail port 25/TCP. It rises from 0.7 million connections in the previous hour to 1.15 million connections, and falls back to 0.65 million connections in the next hour.

The third graph shows the number of unique hosts per hour sending e-mails. The number of hosts sending e-mails is about 20% higher on Tuesday, 27th January 2004 compared to the week before. Almost exclusively SWITCH-external hosts are responsible for this increase.
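The three statistics above (bytes per hour, connections per hour split by sender origin, unique sending hosts) all come from the same aggregation over flow records, bucketed into the one-hour intervals starting 12 minutes past the hour described in the observation setup. The following is an added example, not the DDoSVax project's own tooling: it computes those three numbers from constructed, text-formatted flow records. The record layout, the two placeholder prefixes standing in for the SWITCH address space, and the sample flows are all assumptions made for the example; the SMTP port, the interval offset and the "one flow to 25/TCP counts as one connection" approximation follow the page.

```python
"""Per-hour SMTP statistics from NetFlow-style records, split by sender origin.

Added example (not DDoSVax code).  Record layout, internal prefixes and the
sample flows are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Placeholder prefixes standing in for the SWITCH address space (AS 559).
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

INTERVAL_OFFSET = 12 * 60   # intervals run from xx:12 to (xx+1):12, as on the page
INTERVAL_LEN = 3600
SMTP_PORT = 25
TCP = 6


class Flow(NamedTuple):
    start: int      # unix timestamp of the flow's first packet
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse lines of the form: start src dst sport dport proto packets bytes."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = line.split()
        flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                          int(f[5]), int(f[6]), int(f[7])))
    return flows


def interval_start(ts: int) -> int:
    """Start of the one-hour interval (xx:12 .. xx+1:12) that contains ts."""
    return (ts - INTERVAL_OFFSET) // INTERVAL_LEN * INTERVAL_LEN + INTERVAL_OFFSET


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def origin(flow: Flow) -> str:
    """Classify a flow by where the sender sits; ext->ext is transit through the network."""
    key = (is_internal(flow.src), is_internal(flow.dst))
    return {(False, True): "ext2int", (True, False): "int2ext",
            (True, True): "int2int"}.get(key, "transit")


def smtp_stats(flows):
    """Per interval: SMTP bytes, connections by origin, unique senders by origin.

    Every flow to 25/TCP is counted as one connection; worm mail is not
    separated from legitimate mail, matching the page's own limitation.
    """
    acc = defaultdict(lambda: {"bytes": 0, "conns": defaultdict(int),
                               "senders": defaultdict(set)})
    for f in flows:
        if f.proto != TCP or f.dport != SMTP_PORT:
            continue
        b = acc[interval_start(f.start)]
        o = origin(f)
        b["bytes"] += f.octets
        b["conns"][o] += 1
        b["senders"][o].add(f.src)
    return {t: {"bytes": b["bytes"],
                "connections": dict(b["conns"]),
                "unique_senders": {k: len(v) for k, v in b["senders"].items()}}
            for t, b in sorted(acc.items())}


def ts(hour: int, minute: int) -> int:
    """Timestamp for 2004-01-27 hour:minute UTC (the outbreak day on the page)."""
    return int(datetime(2004, 1, 27, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample: three external senders, one internal sender, one transit flow,
# and one non-SMTP flow that must be ignored.
SAMPLE = f"""
# start src dst sport dport proto packets bytes
{ts(13, 15)} 203.0.113.5  192.0.2.10     3456 25 6 20 30000
{ts(13, 20)} 203.0.113.5  198.51.100.7   3457 25 6 20 30500
{ts(13, 40)} 203.0.113.9  192.0.2.10     1025 25 6 18 29800
{ts(13, 50)} 192.0.2.20   203.0.113.80   2000 25 6 12  4200
{ts(14, 5)}  192.0.2.20   192.0.2.10     2001 25 6 10  3100
{ts(13, 30)} 203.0.113.44 203.0.113.45   5000 25 6  9  2000
{ts(14, 30)} 203.0.113.9  192.0.2.10     1026 25 6 19 30100
{ts(14, 35)} 203.0.113.9  192.0.2.10     1027 80 6  5   600
"""

if __name__ == "__main__":
    for start, row in smtp_stats(parse_flows(SAMPLE)).items():
        print(datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M"), row)
```

The 14:05 flow lands in the 13:12 interval rather than a 14:00 one, which is exactly the bucketing the page's graphs use; a naive floor to the full hour would silently shift every count by up to twelve minutes.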

DDoS Attack on www.sco.com

The MyDoom.A virus was expected to launch a DDoS attack on www.sco.com around 16:10 UTC on February 1st. Sometime between 17:40 and 18:00 UTC the site was no longer resolvable via DNS at ETH, which reliably stopped the attack (MyDoom.A resolves the target name at attack time, precisely to defeat a defense that simply changes the target's IP address; an unresolvable name therefore leaves it with nothing to attack). Immediately before and during the initial hour of the attack www.sco.com resolved to 216.250.128.12.

While we did see some attack traffic to this site, it was generated by a very small number of hosts and does not merit a graphical representation.

  • Between 15:13 and 16:13 UTC we saw 9 hosts connecting to www.sco.com, sending altogether 14kB of data in 31 flows. It can safely be stated that none of these hosts was conducting a DoS attack on the site.
  • Between 16:13 and 17:13 UTC we saw 12 hosts connecting to www.sco.com, sending around 605MB in about 12'000'000 packets, or 24'000 flows. Some of these flows were caused by people who wanted to see whether www.sco.com was still reachable. Both authors' IP addresses are among them, since we tested the availability of www.sco.com.
    A more detailed analysis shows that only two IP addresses generated more than 10 flows to www.sco.com. One generated around 4000 flows and the other around 20'000 flows.
    At the same time we saw other traffic from about 200'000 unique IP addresses within the SWITCH network (AS 559). The overall IP address range is roughly a /11, with about 2'270'000 IP addresses.
  • Between 17:13 and 18:13 UTC we observed 7 hosts sending about 2.5kB of data to the SCO site. This did not increase significantly in the following hours.

Clearly not many hosts in the SWITCH network attacked www.sco.com. It seems unlikely that only such a low number of hosts was infected and online. In addition, at ETH for example there was no filter in place to block attack traffic, and ETH has more than 10'000 computers, including Windows installations that are patched rather sloppily. What seems more likely is that only a fraction of the hosts infected and online actually participated in the attack. That would be consistent with the fact that we could not observe the DoS attack in a testbed with a MyDoom.A-infected machine.

One other noteworthy fact is that while we saw around 24'000 flows to www.sco.com, we saw around 76'000 flows coming from www.sco.com, port 80, with around 194'000 packets in them. It seems likely that about 50'000 of these flows were backscatter from HTTP connections with spoofed source addresses, i.e. SYN-flooding of port 80: the server answers each spoofed SYN with a SYN/ACK to an address in our network that never contacted it. This activity started earlier than the virus-driven attack, since we already saw 35'000 flows from www.sco.com, port 80 without corresponding flows in the other direction in the hour before the virus started to attack.

Conclusion: Only an extremely small number of hosts in the SWITCH network participated in the DDoS attack, and the generated traffic was minor. The SWITCH network carried about 360GiB of data in 570'000'000 packets during the time from 16:13 to 17:13 UTC. The DDoS attack generated roughly 0.2% of the data and 2% of the packets observed.

In addition, it seems that there was significant SYN-flooding of www.sco.com during the time the virus was expected to start its attack. The total number of flows generated by the SYN-flooding is higher than the number of flows in the attack from MyDoom.A. SYN-flooding can be mitigated by special devices in front of the server, while the web server itself has to deal with the application-layer attack of the virus. It is therefore impossible to say which type of attack did more damage.
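The DDoS analysis above rests on three flow-level checks: counting flows per source host to the target (to separate the two real attackers from people checking whether the site was up), identifying backscatter as flows from the target's port 80 to addresses in our network that never sent anything to it, and computing the attack's share of the interval's total packets and bytes. The following is an added example, not DDoSVax code, that performs those three checks on a constructed flow interval. The flows, the placeholder 192.0.2.0/24 prefix standing in for the monitored network, and the traffic volumes are assumptions made for the example; the target address and the "more than 10 flows" threshold are taken from the page.

```python
"""Attack sources, backscatter and attack share for one flow interval.

Added example (not DDoSVax code).  Flows are constructed tuples
(src, dst, sport, dport, packets, octets); 192.0.2.0/24 is a placeholder
for the monitored network, TARGET is the address the page reports for
www.sco.com during the attack hour.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

TARGET = "216.250.128.12"
TARGET_PORT = 80
INTERNAL = ip_network("192.0.2.0/24")   # placeholder for the SWITCH address space
ATTACKER_MIN_FLOWS = 10                  # page: only two hosts exceeded 10 flows


def flows_to_target(flows):
    return [f for f in flows if f[1] == TARGET and f[3] == TARGET_PORT]


def flows_from_target(flows):
    return [f for f in flows if f[0] == TARGET and f[2] == TARGET_PORT]


def attack_sources(flows, min_flows=ATTACKER_MIN_FLOWS):
    """Hosts with more than min_flows flows to TARGET:80; curious users stay below."""
    counts = Counter(f[0] for f in flows_to_target(flows))
    return {src: n for src, n in counts.items() if n > min_flows}


def backscatter(flows):
    """Flows from TARGET:80 to internal addresses that never sent anything to TARGET:80.

    A SYN flood using spoofed sources from our address space makes the victim
    answer (SYN/ACK or RST) to hosts that never talked to it.  Those one-way
    flows are the backscatter.  Returns (unsolicited flows, distinct victims hit).
    """
    talked = {f[0] for f in flows_to_target(flows)}
    unsolicited = [f for f in flows_from_target(flows)
                   if ip_address(f[1]) in INTERNAL and f[1] not in talked]
    return unsolicited, len({f[1] for f in unsolicited})


def attack_share(flows):
    """(packet share, byte share) of the interval that went to TARGET:80."""
    total_pkts = sum(f[4] for f in flows)
    total_bytes = sum(f[5] for f in flows)
    atk = flows_to_target(flows)
    return (sum(f[4] for f in atk) / total_pkts,
            sum(f[5] for f in atk) / total_bytes)


def sample_interval():
    """Constructed one-hour interval: background, two attackers, two onlookers, backscatter."""
    flows = []
    # one bulk record standing in for all other traffic of the hour
    flows.append(("192.0.2.50", "203.0.113.1", 40000, 443, 1_000_000, 500_000_000))
    # two infected hosts: many short HTTP connections (application-layer flood)
    for i in range(30):
        flows.append(("192.0.2.10", TARGET, 1024 + i, 80, 500, 25_000))
    for i in range(15):
        flows.append(("192.0.2.11", TARGET, 2048 + i, 80, 500, 25_000))
    # two people checking whether the site is still reachable
    flows.append(("192.0.2.12", TARGET, 3000, 80, 6, 700))
    flows.append(("192.0.2.13", TARGET, 3001, 80, 5, 650))
    # the target answers the hosts that really talked to it ...
    for src in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        flows.append((TARGET, src, 80, 4000, 3, 180))
    # ... and also addresses that never sent a packet: spoofed-source SYN flood
    for i in range(200, 205):
        flows.append((TARGET, f"192.0.2.{i}", 80, 5000 + i, 2, 120))
    return flows


if __name__ == "__main__":
    fl = sample_interval()
    print("attackers:", attack_sources(fl))
    print("backscatter flows / victims:", len(backscatter(fl)[0]), backscatter(fl)[1])
    print("attack share (packets, bytes):", attack_share(fl))
```

With these constructed volumes the attack amounts to roughly 2% of the packets but only about 0.2% of the bytes, the same asymmetry the page reports: many small HTTP requests are visible in packet counts long before they show up in byte counts. The backscatter check relies on having both directions of the border traffic in one data set; with only one direction, every reply from the target would look unsolicited.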

Limitations in this Observation

  • No attempt was made to distinguish normal e-mail and Novarg/MyDoom-created connections to SMTP-port 25/TCP.
  • There is some transit-traffic in the SWITCH network (not much). Flows in transit are currently counted twice.

(c) 2004  DDoSVax at TIK CSG ETH Zurich, Thomas Dübendorfer, Arno Wagner, last change: 4th May 2004