
Was MyDoom Your Doom As Well?

 

“The people who spend time creating viruses are spending a lot of time exercising their creativeness to find new ways of propagating their way through the system and making them more difficult to detect….I think it’s unlikely to expect that there will be fewer viruses written. Every indication we have is that it will only continue to rise and become more efficient in how they propagate themselves.”
Amit Yoran, Director US National Cyber Security Division, Newsweek, January 29, 2004


The Damage
Now being called the fastest growing e-mail virus in history, MyDoom did significant damage worldwide.
In its first week it:
• Accounted for 1 out of every 5 e-mails sent
• Infected as many as 2 billion computers (98% of which were protected with traditional anti-virus software*)
• Caused an estimated $38.5 billion in damage – one of the most damaging worms ever launched
• Shut down SCO’s web site completely
• Forced Microsoft to change its hosting sites
• Hit #1 on the January 2004 virus reports

* CSI/FBI annual Computer Crime and Security Survey, 2002


Finjan Proactively Protected Both Gateways and Desktops
Finjan’s patented behavior analysis and blocking enabled Finjan customers to avoid MyDoom altogether.

Finjan’s gateway product, Vital Security for E-Mail (SurfinGate for E-Mail), is configured to automatically block files with EXE extensions. Instead of a virus, users protected by Vital Security received e-mails in their inbox informing them that the virus was stopped.
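The gateway behaviour described above (strip EXE attachments and tell the recipient) can be sketched as follows. This is an added example, not Finjan's code; the function names and the sample message are hypothetical and constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The page names only EXE; extend this tuple to match local policy.
BLOCKED_EXTENSIONS = (".exe",)

def blocked_extension(filename):
    """Return True if the attachment name ends in a blocked extension."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    name = (filename or "").rstrip(". ").lower()
    return name.endswith(BLOCKED_EXTENSIONS)

def filter_message(raw):
    """Replace blocked attachments with a notice; return (message, removed names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not blocked_extension(filename):
            continue
        removed.append(filename)
        # set_content() clears the old payload and Content-* headers first.
        part.set_content(
            f"The attachment {filename!r} was blocked at the mail gateway.")
    return msg, removed

def build_sample():
    """Constructed message: one benign attachment, one double-extension .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name, data in (("notes.txt", b"meeting notes"),
                       ("document.txt.exe", b"placeholder bytes, not a program")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    filtered, removed = filter_message(build_sample())
    print("removed:", removed)
    print(filtered.as_string())
```

Extension matching is a policy filter, not detection: it only sees the file name the sender declared.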

Users protected with Finjan’s Vital Security for Clients (SurfinShield) had the virus automatically blocked by its patented runtime monitoring.

Vital Security for Clients Blocked MyDoom In The Sandbox

Window of Vulnerability
MyDoom was able to do so much damage because traditional, signature-based anti-virus security is by definition reactive. Before a signature can be created, someone has to get infected and report it. Only then can a signature be developed and distributed. During that entire period, computers and networks are vulnerable to the virus spreading its infection. For example, in 1999, an e-mail attachment-borne contagion, Melissa, took 2 days to spread. MyDoom infected systems worldwide within a few hours. Viruses can now spread faster than you can respond. A layered defense comprising behavior inspection technology, desktop sandboxing and gateway protection, as well as traditional anti-virus, firewalls and intrusion detection, is required to combat today’s fast-spreading blended threats.

Window of Vulnerability Using Traditional Anti-Virus

Blended Threats
Blended threats utilize multiple techniques to deliver and spread attacks. Traditional anti-virus protection isn’t stopping blended threats from infecting entire networks worldwide from the first strike. MyDoom is the latest blended threat to hit. MyDoom was truly multi-talented:
• Inserted malicious code into attached files
• Downloaded infected files onto shared folders (peer-to-peer propagation)
• Stole e-mail addresses
• Constructed its own SMTP engine and sent copies of itself to stolen addresses
• Left ports open and vulnerable to future attacks through the firewall
• Opened connections on TCP port 3127 in order to facilitate spam distribution
• Launched a Denial of Service attack against SCO and Microsoft
• Attempted to prevent anti-virus updates with a file planted in the Windows folder

To find out more about how blended threats from malicious mobile code can impact your network, download Finjan's MMC White Paper.

MyDoom.B Targeted AV Sites

As with every virus, there are always “aftershocks” … variants that try to further the exploit and inflict even more damage. MyDoom was quickly followed by MyDoom.B.

This variant was unique; it targeted 65 web sites, including the web sites of anti-virus vendors, in an effort to prevent people from downloading signature patches and halting the infection.

Vital Security Blocked MyDoom At The Gateway


Finjan Doesn’t Require Updates

Neither Finjan’s gateway nor its desktop product relies on any signature updates or patches. Our patented behavior inspection and blocking monitors all active content and e-mails that enter your systems. Contextual analysis allows us to quarantine new, unknown viruses the first time they attack, ensuring your network remains uninfected. As a result, Finjan customers were not affected by either MyDoom or MyDoom.B.

©Finjan Software

© Virus Defence Bureau 2002   Email support@virusdefence.com.au   Tel +61 03 9569 8848