
ZSecurity Malware Case Study

Case Study: MyDoom and Klez

Mike is your average, middle-aged, self-employed American entrepreneur, operating a professional recruiting business out of his home office. He was the victim of a very aggressive worm a few years back that almost got him into big trouble. At the time of the attack Mike still had two teenage boys living at home; that meant three computers in the house. When his oldest son was home from college he added another computer to the mix. The family used broadband internet and, between all of their busy lives, someone was almost always on-line 24 hours a day.

The family had a standard brand-name router with a built in firewall, but their limited knowledge prevented them from configuring it correctly. After a few failed attempts they disabled the firewall and installed a popular software firewall instead. They assumed everything would be fine, and it was for a while, but eventually trouble found them in a big way.

Mike began noticing his computer speed was slowing down but didn't think much of it. He had just made the jump to Windows XP and figured it was something in the operating system he hadn't learned about yet. However, it kept getting slower and slower until it began interrupting his work. Mike used several VPNs in his business and it was becoming impossible to connect to them in a reasonable length of time. Mike also noticed his antivirus scans were taking twice as long, while his defrag went from a couple of hours to an overnight ordeal. Asking his sons about their computers, Mike found they were exhibiting some of the same symptoms. It was time to have it looked at.

Repair began with the main machine since it was needed for business. A cursory scan revealed two main problems: both the MyDoom and Klez worms were found on the machine. The tech knew, however, that these two worms shouldn't produce the extreme symptoms his client was experiencing, so he set up the computer in the shop and did some forensic analysis. What he found was a surprise to everyone.

One or both of the worms had opened backdoors on Mike's machine that were then exploited by a porn distributor, probably based in Russia. Mike's computer had been hit and turned into a zombie machine that allowed the attacker to send spam and distribute material without his identity being known. Mike's computer was storing some of the material and publishing its own IP address to make it appear as though it was the original host. The tremendous amount of traffic flowing through his computer and internet connection was rendering the machine virtually unusable. On top of that, the MyDoom worm was programmed to block access to the websites of major antivirus vendors like Norton and McAfee, so the updates that would have detected and removed MyDoom and Klez were never retrieved.
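As an added example (not part of the original case study, and not ZSecurity's code): a small check that flags antivirus and update vendor hostnames in a hosts file that have been pointed at loopback or 0.0.0.0. Redirecting vendor names this way is one way a worm can make update sites unreachable, as the page describes MyDoom doing; the vendor list and the sample hosts file below are assumptions constructed for the example.

```python
from ipaddress import ip_address

# Vendors named on the page plus a few other common update hosts (assumed list).
WATCHED_DOMAINS = ("symantec.com", "norton.com", "mcafee.com", "microsoft.com",
                   "windowsupdate.com", "kaspersky.com", "sophos.com")


def _is_sinkhole(addr: str) -> bool:
    """True if resolving to this address would make the name unreachable."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_blocked_av_hosts(hosts_text: str) -> list[tuple[str, str]]:
    """Return (hostname, address) pairs where a watched vendor name is sinkholed."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            lname = name.lower().rstrip(".")
            watched = any(lname == d or lname.endswith("." + d) for d in WATCHED_DOMAINS)
            if watched and _is_sinkhole(addr):
                hits.append((lname, addr))
    return hits


# Constructed sample hosts file; the sinkholed entries imitate what a worm might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.mcafee.com
127.0.0.1       liveupdate.symantec.com  # added by malware
127.0.0.1       securityresponse.symantec.com
192.168.1.10    fileserver.local
"""

if __name__ == "__main__":
    for host, addr in find_blocked_av_hosts(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {addr}")
```

On a Windows XP machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a clean file normally maps only localhost.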

In the shop the repair tech downloaded removal tools for both worms and applied them immediately. He then had to go through and manually repair the Windows registry as both worms altered it significantly. Finally, he had to remove the unwanted material stored on the hard drive and close all the backdoors opened by MyDoom. By this time Microsoft had issued a security fix for both worms, enabling the backdoors to be closed with very little effort.

Next, it was on to the other machines which also had both worms. Their symptoms were not as severe since they had not been made zombies, and their repair was much easier. Upon completion there was but one question left: where did they pick up the two worms from?

Though it couldn't be proven conclusively, the evidence pointed to the file sharing service Kazaa, which both sons used extensively to download music. MyDoom and Klez both ran rampant through the Kazaa network because everyday computer users ignorantly disabled their security features to use it. Mike's sons were no different. When they wanted to connect to Kazaa they simply disabled the software firewall, allowing all traffic to move freely. To make things worse, they often started downloads before they went to bed and left the computer running and connected all night long.

The technician was a good friend of Mike's so he felt comfortable in giving the family a much needed scolding. He reminded them of the dangers of using P2P networks, especially file sharing sites, and the foolishness of disabling the firewall. He also configured the firewall for them and taught them how to do it themselves.

ZSecurity's firewall is a great weapon in the fight against backdoor attacks like Mike's family faced. It can be configured to monitor all traffic, exclude certain sites or domains, and a host of other things to help secure your machine. Get ZSecurity and make sure you use the firewall. You don't want to be the next case study!

Copyright © 2009 ZSecurity