Someone to watch over the ‘Net

A behind-the-scenes look as the Internet Storm Center’s Johannes Ullrich battles the MyDoom-O virus.

As a new variant of the MyDoom virus  begins spreading across the Internet, slowing search engines to a crawl in the late morning of July 26, Johannes Ullrich jumps into action.

Ullrich, CTO at the SANS Institute’s Internet Storm Center (ISC) and one of 30 “handlers” who cover the storm center round the clock, is on duty this morning. He doesn’t have far to go to find the virus; there are already a bunch of copies in his e-mail in-box.

He gets to work, first saving a copy of the virus code (a file called instruction.exe), and then using VMWare software, which lets you run multiple operating systems  on a single device, he executes the virus in Windows 2000 to see what it does.

By using VMWare on his SuSE Linux system, Ullrich can create an operating system sandbox that prevents permanent damage from a virus or rogue application. As soon as the VMWare session is restarted, the virtual Win 2000 session essentially is wiped out and a clean install is created. While most malicious applications use file encryption to help mask their intentions, a tool called LordPE lets Ullrich capture the program as it runs. The Ethereal  protocol analyzer lets him see what network ports the virus is using and what type of traffic it generates on a packet-by-packet basis.

Ullrich observes MyDoom-O pinging three IP addresses on Port 1034 when it activates, but the three addresses don’t respond. The remote systems could be overloaded with requests from infected machines or already taken offline by other concerned parties. Another possibility is that they’re decoys to send parties like ISC and anti-virus vendors on a wild goose chase.

After getting no response to its pings, the virus moves on to the business of replicating. To Ullrich’s surprise, this MyDoom variant does more than cull a local Web cache for potential e-mail addresses to target, as previous variants had. It goes out and searches Google, Yahoo, Altavista and Lycos for e-mail address in a given domain (such as @nww.com). The number of search queries generated by the virus results in a denial-of-service (DoS) attack against Google (both in the U.K. and for many users in the U.S.) and also affects the performance of the other three engines, according to reporting from Keynote Systems  on the day of the attack.

MyDoom’s interference with Google came on the same day the company announces an expected stock price for its upcoming IPO. But Ullrich doesn’t think the virus was targeting Google. “The distributed DoS is an unintended side effect,” Ullrich says. “It wouldn’t use four or five search engines if it were going to try to take one down.”

As Ullrich pores over access logs and code from this MyDoom variant, one might picture him sitting in a high-tech data center with rows of terminals and huge monitors. In reality, this key outpost in the global fight against Internet crime is a cluttered office in a spare bedroom of his white, two-story house in a quiet neighborhood outside Boston. SANS Institute is headquartered in Bethesda, Md.

There are two desks, one for him and one for his wife, a high-tech consultant. Ullrich’s desk has a box on it that one of his two cats likes to lounge in while he works. A rack holds computer CDs and music discs from a range of artists including Enya, Bach and The Grateful Dead. A red punching bag nearby comes in handy for those really stressful days, Ullrich says.

He is the only full-time staffer among the 30 ISC handlers who span the globe and are on duty 24-7. The rest are volunteers who take turns watching over the Internet. Most have other jobs and aren’t expected to be awake for their entire 24-hour shift. All the ISC handlers have technical backgrounds with varying specialties.

Ullrich’s other SANS responsibilities include overseeing its Web sites. Throughout the day, Ullrich’s cell phone vibrates on the desk, signaling a new text message alert from the SANS Web servers. They were getting overloaded with traffic from folks looking for MyDoom information.

Data comes into the ISC via a form on its Web site or through D-Shield, a service Ullrich developed that collects and analyzes firewall logs for suspicious activities including port scans. For the interesting stuff that comes in, ISC’s goal is to help mitigate the damage in any way. For viruses, that means helping identify signatures for stemming the tide. For malware, it could mean contacting ISPs to shut a site down or contacting the proper authorities when crimes have been committed.

The week before the MyDoom-O outbreak, someone had sent ISC a file containing user names and passwords that were collected by a key-logging worm that recorded anything a user entered into a site he accessed with secure HTTP. In May, a file with 10,000 account numbers was dumped into ISC’s lap.

“We try to close the loop with the sites involved,” Ullrich says of such sensitive information “It’s about public awareness, too.”

Each on-duty handler posts a diary entry detailing the interesting items of the day. On slow days, they’re written up at the end of the shift, but on days like this, the diary is being constantly updated with new information as it’s discovered. Ullrich’s diary from July 26 can be found here .

Despite ISC’s hard work and dedication, their efforts are not always successful. An attempt to track malware might only lead to a hacked machine that is acting as a relay, not to the author. “Sometimes it’s easier to follow the money trail,” Ullrich says. Many of today’s viruses are written to make a profit (either by sending spam or stealing information). “The hard part is getting the money transferred.”

Even the money trail can go cold or lead to a wall. There’s a group in Russia that is pretty well known, but the Russian Mafia most likely protects them, Ullrich says.

Phishing expeditions could be better contained, but many corporate sites aren’t interested in fighting back. “At the end of a phish, they usually redirect you to the real site,” Ullrich explains. “You could sniff for when that happens and pop up a warning to users telling them they’ve been scammed.”

He adds that some phishing e-mails use the actual graphics from the site being spoofed (like the PayPal logo), so the legitimate site could check the referral and replace the graphic with a warning.

In the case of the MyDoom-O, Ullrich and other handlers received it like any typical user: in an e-mail in-box. The virus spreads either as a faked bounce-back message or as a note from a system administrator claiming the targeted user was sending spam and the attached file would fix the problem. “It’s the usual antics,” Ullrich laments, adding that SANS doesn’t automatically strip out all suspicious attachments because it wants to investigate the new stuff coming in.

Ironically, when he first saw the faked bounce messages in his in-box, he thought they were real and simply the normal e-mail errors ISC receives as part of the D-Shield service.

Ullrich’s analysis shows that the requests MyDoom makes to the search engines do not stand out in any way from a regular request, meaning the affected search engines cannot just set up a filter to block queries coming from the virus. It also mimics the version of a Web browser installed on the infected machine to help blend in with everyday HTTP requests. Early on, Ullrich changed his router’s IP tables to limit outgoing traffic from his “infected” machine. With an estimated 300,000 infected machines, Ullrich doesn’t want to be piling on the affected search engines as he does his investigation.

Within a few hours of the initial infections, the major anti-virus vendors have released updated signature files that will detect the virus. But ISC handlers keep working to figure out everything the virus might do. “One problem with some of the anti-virus vendors is they only look at the [virus] signature, once they reverse-engineer it to get the signature, they’re basically done,” Ullrich says.

He has uploaded the code to the ISC “zoo,” an FTP site where handlers share interesting code so others with expertise in viruses can help in the investigation.

MyDoom is only 30K in size, but most of the code is binary. Ullrich opens the file with a text editor to look for human-readable strings that might provide more insight into how the virus works and its intended purpose. It appears as if the virus looks for the string “_AT_” (a common way to print an e-mail address in an effort to avoid spam bots) in its search for potential e-mail targets. There’s also a list of e-mail addresses it won’t send to, such as anti-virus vendors, Hotmail or Yahoo accounts.

The virus author also put in very explicit fake e-mail headers to try to avoid spam detectors. “It fakes like it is sending from Outlook Express with a practical version number,” in this case 6.00.2600.0000, Ullrich says.

Like previous versions of MyDoom, this one too seems to be listening on certain ports for commands. Ullrich pings each port, but the virus does not react. He suspects a certain ping sequence or HTTP header code is needed to awaken the virus.

“It’s amazing how these virus writers get such small code,” Ullrich says. “They should be working for some of the commercial code vendors.”

By 4 p.m. EST, all the affected search engines seem to be fully functional, and infected machines around the globe are being cleansed. Ullrich plans to spend a few more hours trying to decode the virus’s true intentions before calling it a night. His efforts paid off. The day after the initial outbreak, ISC and others discovered MyDoom-O dropped the Zindos.A backdoor on infected machines, which could be used in a DoS attack against Microsoft.com.

There’s a joke among the handlers about who best takes care of the Internet when on duty. “Guess I didn’t do well today,” Ullrich says with a smile.