MyDoom is alive, mailing, and evading AV that assumes you've upgraded

Decade-old malware MyDoom continues to be a presence in the cyber-threat landscape, spawning tens of thousands of samples every month

While the news of possible exploits using the BlueKeep vulnerability is hogging the attention of security researchers, a decade-old worm is quietly continuing to do the rounds on the internet. MyDoom, the notorious computer worm first noted in early 2004, remains a presence in the cyber-threat landscape, observed Palo Alto Networks.

"While not as prominent as other malware families, MyDoom has remained relatively consistent during the past few years, averaging approximately 1.1 percent of all emails we see with malware attachments," said a Palo Alto Networks blog post on the research.

"We continue to record tens of thousands of MyDoom samples every month. The vast majority of MyDoom emails come from IP addresses registered in China, with the United States running a distant second. These emails are sent to recipients across the world, mostly targeting high tech, wholesale, retail, healthcare, education, and manufacturing industries," it added.

MyDoom was first spotted in early 2004. It then progressed to become one of the top ten most destructive computer viruses, infecting two million PCs and causing an estimated £31 billion of damage.

"It's not unusual for old worms to still keep cropping up many years later. Sometimes, even a small number of infected machines can create a lot of noise," said Javvad Malik, security awareness advocate at KnowBe4.

"With so many machines and devices connected on the internet, which are rapidly growing due to IoT and other smart devices, there will always remain outdated, old, unpatched, and unmanaged devices that can be impacted by old variants of malware," Malik said. 

Legacy computer operations are a perfect example of how a decades-old virus can continue to spread, said Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center.

"While it might be argued that an anti-virus solution should address this situation, often in a legacy system situation there is no current version of an antivirus solution addressing the legacy environment. In other words, the anti-virus vendors assume you’ve upgraded just as much as the operating system and application vendors have such an expectation," he said.

According to the Palo Alto Networks research, several malicious email campaigns carry MyDoom attachments in messages sent to hundreds or thousands of recipients. As a result, the number of MyDoom samples is comparatively high when set against other malware distributed through email, even though the number of MyDoom emails is relatively low.

The percentage of MyDoom samples has been growing steadily, from 14.2 percent in 2015 to 28.4 percent in 2018. China was the top source of MyDoom emails in the first six months of 2019, followed by the US and the UK. China, the US and Taiwan were the top three targets.

There are several reasons why old worms such as MyDoom reappear, said Sam Curry, chief security officer at Cybereason. "Old threats are often used by an attacker for a specific purpose. The threat didn't go away because they weren't any good, but rather because the attacker moved on to new techniques or ‘went out of business’," he said.

"Current techniques in use by hackers are highly pragmatic but also subject to trends and fads. Sometimes the old techniques get resurrected, especially when the race against defenders isn't going well. Pressure that is bringing more modern techniques to a standstill can be avoided if the attackers simply go where not expected: use old techniques again," he added.
