Building parasitic infections atop MyDoom
Gordon Housworth [ 4/7/2004 - 09:32 ]

As predicted, Doomjuice and Deadhat, two attacks against PCs already compromised by MyDoom, were soon released; in other words, if you contract either of these, your machine already has MyDoom and you just don't know it. Three weeks after the MyDoom attack, which initially infected some 2,000,000 PCs, about 50,000 to 75,000 PCs remain infected. Doomjuice and Deadhat use that base as a launching point, but fortunately they are not particularly imaginative in their exploit targets, as they simply continue the attack on Microsoft and SCO.

Let me lay out the scenario that I might use. (You can read the excellent article "The Virus Underground" in the 8 February 2004 New York Times to see where I would go to get some of my tools. While the article has scrolled off into the archives, I have found it in PDF and text form elsewhere.)

As an average terrorist, I am less skilled than the average script kiddie who launches so many of these attacks. I need a source for skilled tools, so I visit sites maintained by brilliant, often young thinkers who write them as an academic effort and post them to their websites, which is where most of the script kiddies get them, along with a series of message boards that traffic in these things. I read up on the writings of the good anti-virus and security writers, track the Black Hat conference proceedings (but don't attend, as the feds monitor who shows up and tech firms try to recruit) and other sources, and locate some of the many sources for thoughtful malware and autogenerators. Then I plan the architecture of the attack, down to the social engineering aspects most attractive to my attack (if I am using a virus, since a worm runs by itself). I study the infection paths and timing of other great releases. I look for the bugs that limited their spread (such as the one in MyDoom.b, which greatly limited the DDoS attack on Microsoft).

I would investigate the record of any target site in dealing with prior attacks and what level of sysadmin skill it has in dealing with computer threats. I may or may not probe a target site myself, as I do not want to show my hand: if the sysadmin is really good, they will watch me and see what I am up to while they try to identify me. Then I sort out a primary and a secondary, and with a little foresight a third, wave of infection. (After all, al Qaeda loves redundancy.) I download what I need from various sites, make minor modifications, and I am ready. I may even have tested my attacks against a local network isolated by various hardware and software firewalls, so that no infection leaks to the outside world and gives away the element of surprise. Of course, I will launch my secondary and tertiary attacks while the first infection is still widespread and so offers a larger launching platform. My second attack could be against the anti-virus firms themselves (a variation of the 'shoot the fireman' attack).

Now the bad guys -- and you -- are off to the races. And another bite is taken out of infrastructure protection.

New viruses feed on MyDoom infections
Copyright © 2003-2013 ICG Spaces