MyDoom Windows Worm DDoSing SCO

Posted by CmdrTaco
from the now-thats-just-not-cool dept.
We mentioned the myDoom Worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at NetCraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.

  • by corebreech (469871) on Tuesday January 27, 2004 @09:43AM (#8098803) Journal
    Given their history of underhanded dealings this wouldn't surprise me one bit. This attack only helps SCO. They get sympathy. What do the worm writers get?

    Nothing.

    • by markom (220743)
      If worm writers work for SCO -- everything :-)
    • by Saven Marek (739395) on Tuesday January 27, 2004 @09:47AM (#8098845)
      ...they get to give SCO a great fat middle finger

      No, not all of us support actions like this against SCO. It does drag people down to their level acting like this, but in the end, frustration does that to people. Not everyone, but some.

      SCO has now, for a full 12 months, made threat after threat, claim after claim, that they can't back up, but there's no way to stop them. People get frustrated by their continuous whining.

      A fly buzzing around my head annoys me. Usually, I'll slap it and kill it. That's taking me down to far below its level, but it's satisfying. Given several hundred million people annoyed with SCO, I'm surprised more haven't acted this way towards them.
      • by pjrc (134994) <paul@pjrc.com> on Tuesday January 27, 2004 @10:48AM (#8099443) Homepage Journal
        Since Mydoom has been identified as a variant of Mimail, which is largely believed to have been written on behalf of spammers and/or paypal scammers (apparently in Russia), the most likely scenario is that the same group created Mydoom.

        The attack on SCO is most likely just a diversion. A simple distraction from the actual goal... to turn millions of machines into zombies which can be used to conduct illegal activities (phishing scams), or can be turned into email/spam relays to be sold to spammers.

        It's already been established that Mydoom installs a backdoor and allows routing of tcp/ip connections to mask the identity of the originator. More or less exactly what scammers hoping to defraud ordinary people of banking details (phishing) need. Also the standard approach to turning machines into a valuable asset that can be sold to spammers in need of mail relays or "bulletproof hosting" for their websites that host the images all those spam messages reference.

        Attacking SCO is a smart diversion.... especially if SCO takes the bait and publishes a flamebait press release (seems almost certain), which will of course provoke a response from the free software / open source communities. Lots of free press to help divert the anger of millions of (clueless) victims towards the very visible open source and free software people, and SCO, and away from the real criminals.

        Judging from most of the comments here on Slashdot so far, it appears to be working perfectly.

    • by Simon Lyngshede (623138) <simon.spiceweasel@dk> on Tuesday January 27, 2004 @09:49AM (#8098873) Homepage
      Well maybe they didn't write it, but I'm sure there is some SCO code in it.
    • But, damn it! (Score:3, Interesting)

      by Short Circuit (52384)
      This is going to be a serious blow to the moral credibility of the OSS community, not just Linux users.

      We seriously need some sort of petition stating we do not support Linux or OSS, but not underhanded tactics like DDOSing and viruses.
      • Re:But, damn it! (Score:3, Interesting)

        by bhtooefr (649901)
        You mean we do support Linux and OSS, not we do not support Linux or OSS, right?

        It's at http://petitiononline.com/dontddos
      • Re:But, damn it! (Score:5, Insightful)

        by gaijin99 (143693) on Tuesday January 27, 2004 @10:18AM (#8099119) Journal
        This is going to be a serious blow to the moral credibility of the OSS community, not just Linux users.
        It is only a threat to our credibility if we allow it to be. I'm *REALLY* not trying to derail into an abortion debate here, but it's the best example I can think of. The anti-abortion movement, in general, doesn't support clinic bombers and assassins; but clinics still get bombed and doctors still get murdered. So far the anti-abortion movement has quite successfully managed to avoid the actions of this group becoming a blow to their own moral credibility.

        I'd recommend that we on the side of Free Software study the anti-abortion tactics with dealing with such incidents. The first, and most obvious step, is one that was taken last time: immediate and honest sounding disavowal of the actions of the DOSer. It's going to get old for RMS, ESR, Linus, Perens, etc continuously getting out and saying the same thing ("We don't support this, it's wrong. We're still right, but the virus writers aren't with us, etc, etc, etc"), but it needs to happen.

        I honestly don't know what the other successful tactics are. I need to study how the respectable majority in the anti-abortion movement deals with its nutbags. Can anyone think of other movements with similar problems that we should look into?

        • Re:But, damn it! (Score:3, Insightful)

          by roystgnr (4015)
          Can anyone think of other movements with similar problems that we should look into?

          The Palestinians, maybe? They're not all suicide bombers, but some people don't seem to make the distinction. The lesson there seems to be to stay the hell away from morally questionable leaders (like Arafat), because your whole community will be tarred with the same brush.
      • by TamMan2000 (578899) on Tuesday January 27, 2004 @10:29AM (#8099248) Journal
        I think that this is a great opportunity for members of the OSS community to "put their money where their mouth is" so to say...

        I propose that we work on a patch for this worm and get it out there ASAP, that way only tin foil hat wearing goofballs will believe we are behind this...
        • by HopeOS (74340) on Tuesday January 27, 2004 @12:33PM (#8100707)
          Any attempt to involve yourselves in this will be viewed as complicit behavior. Do not get this mess associated with Open Source developers in any way, shape, or form. The culture and purpose of worm authors and OSS developers are completely orthogonal and must remain so.

          SCO has enough enemies to worry about, and they can point fingers all they want. They do not deserve an olive branch, they did not ask for one -- do not take the bait and proactively offer one. You will lose fingers.

          -Hope
    • by Vintermann (400722) on Tuesday January 27, 2004 @09:56AM (#8098933) Homepage
      I think the real purpose of this worm is to enable spammers to work more comfortably and safely. The attack at SCO conveniently distracts attention from this, and on to the spam-hating linux community.
    • by ConversantShogun (227587) <dengel.sourceharvest@com> on Tuesday January 27, 2004 @09:58AM (#8098953)
      It does seem odd that the worm has a trigger to stop spreading on Feb 12. If SCO were to unleash a self-attacking worm, wouldn't they likely include such a provision?
    • Don't forget about the proxy/backdoor that this installs:

      The virus installs a Windows program that opens up a "back door" in the system, allowing an attacker to upload additional programs onto the compromised device. The back door also enables an intruder to route his connection through the infected computer to hide the source of an attack.

      Why would SCO include a backdoor? And why would the people attacking SCO include a backdoor? Worms like Gibe.x have used multi-loaders and have been connected with spam

    • by TedCheshireAcad (311748) <tedNO@SPAMfc.rit.edu> on Tuesday January 27, 2004 @10:20AM (#8099141) Homepage
      This attack only helps SCO. They get sympathy. What do the worm writers get?

      Sir, it is obvious you have little to no understanding of the 1337 script kiddie culture. In exchange for a DDOS attack, the worm writers get something called mad pr0pz, which is a form of honor and integrity among those in the community.
  • by Anonymous Coward on Tuesday January 27, 2004 @09:43AM (#8098807)
    Maybe they'll change their domain name like M$ did to bastards.sco.com instead of sco.com/bastards
  • by r0xah (625882) on Tuesday January 27, 2004 @09:44AM (#8098812)
    This may not be the most appropriate way to attack SCO, but after all the FUD they have released and the actions they have taken it puts a smile on my face to see something like this come about. I hope their server gets toasted. Bring on the worms!
  • Workers (Score:5, Interesting)

    by turtlexit (720052) on Tuesday January 27, 2004 @09:44AM (#8098815)
    SCO ought to start getting hit hard today as office workers and the like start checking their email today starting around 9 Eastern, and running the virus. It'll be interesting to see what SCO's reaction will be. Almost like the calm before the storm ;-)
  • by Bigman (12384) on Tuesday January 27, 2004 @09:45AM (#8098827) Homepage Journal
    Lol
    Seriously, it is a shame, it will only fuel Darl's paranoia.
  • by nathanh (1214) on Tuesday January 27, 2004 @09:46AM (#8098831) Homepage

    I thought the worm was set to start the DDOS on February 1. So why is SCO showing a DDOS right now?

    Was the February 1 thing made up? I've not yet received the virus in my email so I can't check the code for myself.

    Or (I consider this more plausible) has SCO taken their own site down with the intention of blaming the "Linux terrorists", but they stupidly took it down 3 days too early.

    • by T-Punkt (90023) on Tuesday January 27, 2004 @09:52AM (#8098891)
      I asked that myself.

      Could be some PCs with badly set clocks. Well, you know those windows users, they don't set their system clocks, have 00:00 blinking on their VCRs, use outlook and click on every fscking single attachments that made it into their mailbox.

    • by julesh (229690) on Tuesday January 27, 2004 @09:53AM (#8098905)
      I've not yet received the virus in my email so I can't check the code for myself.

      Good god, man, don't complain when you've been that lucky. I got into the office this morning to find 550 unread messages, mostly copies of this, or messages saying that copies I had supposedly sent hadn't been delivered...
      • by crawling_chaos (23007) on Tuesday January 27, 2004 @09:57AM (#8098948) Homepage
        I got into the office this morning to find 550 unread messages, mostly copies of this, or messages saying that copies I had supposedly sent hadn't been delivered.

        Preach on, brother. I wish some sysadmins would get a clue and realize that with viruses spoofing the From: address, there is no fscking point in sending the "you sent me a virus" panic mail. All it does is bother the wrong people.

        • by mattdm (1931) on Tuesday January 27, 2004 @11:02AM (#8099581) Homepage
          I wish some sysadmins would get a clue and realize that with viruses spoofing the From: address, there is no fscking point in sending the "you sent me a virus" panic mail.

          I've been trying to complain to admins about this ever since Klez. You wouldn't believe the abuse I've gotten back -- and I've been very polite and nice. Generally, sites feel that it's adequate to add the newly found spoofing viruses to a don't-mail-notices blacklist after it's "realized" that yet another one can't be trusted. GET A CLUE, people -- you can't trust *viruses* at all.

          The *real* problem is the antivirus software -- notices should only be sent for "known honest" viruses -- if at all. There should be *no* option to send these notices by default. But the antivirus companies *love* this -- they get to send out *millions* of advertisements for the effectiveness of their product, and no one is allowed to call it spam -- even though it *is*.
        • by fishbert42 (588754) on Tuesday January 27, 2004 @11:28AM (#8099878)
          ... there is no fscking point in sending the "you sent me a virus" panic mail.

          Actually, there is... but in sending an email to others who know your email address. For example, I got 3 messages yesterday which contained this virus. Now, from what I understand, this worm pulls email addresses from one's computer, and sticks those addresses in the 'from' field. One of those emails I received was "from" the United States Air Force Band's Singing Sergeants Yahoo Group. That's pretty specific, so I sent everyone I know (who runs windows) a message saying, basically, that if you know of the Singing Sergeants, or these few other email addresses, then it's likely you have this worm.

          Sending a "you gave me a virus" email to whomever is in the 'from' field is pretty useless, but the above tactic may prove helpful for this particular worm. At the very least, it lets other (possibly less-informed) folks know there's a worm about, and reminds them to practice good email usage (not opening unexpected attachments, etc.) and to update their anti-virus software.
    • I thought the worm was set to start the DDOS on February 1. So why is SCO showing a DDOS right now?

      Due to the speed of the modern information infrastructure, and the method by which this virus distributes itself, a considerable number of copies will have crossed the international dateline several times during transmission. For these, it is indeed February 1st, and therefore these viruses are functioning correctly. Of course a similar number will have crossed in the other direction, so we can expect to see

  • by G4from128k (686170) on Tuesday January 27, 2004 @09:46AM (#8098840)
    Seems like this is Linux's ultimate weapon of mass destruction because:

    1. The virus makes M$ operating systems look bad.
    2. The DDoS attack goes after every Linux lover's most hated target, SCO.

    But I do feel sorry for the people forced to use Windows by PHBs or who are novice users that don't know better than to run e-mailed executables.
  • by Captain Kirk (148843) on Tuesday January 27, 2004 @09:47AM (#8098841) Homepage Journal
    Within a week, Darl will be equating Linux developers with virus writers - "both are called hackers and both hate me" he'll say and some 'respectable' journalists will report it as true.
    • The majority of Linux installations are as servers. No one can equate Linux with virus-writers, without risking their credibility.

      In fact the case could be made that virus-writers are expert Winduhs developers...

  • ed (Score:5, Funny)

    by ballpoint (192660) on Tuesday January 27, 2004 @09:47AM (#8098843)
    but it's always sad to watch someone stoop to this level

    s/is/eir

  • by Anonymous Coward on Tuesday January 27, 2004 @09:47AM (#8098847)
    FFS, if you know that a worm forges the sender address, DON'T send bounces to that address. Worms are relatively easy to filter, but the crap from the virus-scanners comes in seemingly endless variations. Some even have the nerve to advertise their anti-virus solution, followed by a copy of the worm-mail, binary attachment included. Yeah right, moron, you just sent a copy of the worm to me and you expect me to buy your anti-virus product???
    • by rar (110454) on Tuesday January 27, 2004 @11:37AM (#8099973) Homepage
      I agree; people writing worm filters that bounce to forged addresses are as bad as their worm writing counterparts!

      I mean, what happens when user 'joe' gets a couple of "WARNING: You sent me a virus" in their email? They come running to me "just to make sure", and I will have to explain for them how the email protocol works... AGAIN... sigh... for, what is it, the 10:th time that day.

      Here is a hint to people writing these crappy anti-virus/worm filters: make sure you **ONLY** send a bounce IF the detected virus is on A **WHITELIST** for viruses that always send themselves WITHOUT A FORGED SENDER ADDRESS. If you send *any* other bounces, you are a part of the problem -- not the solution...
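
The notification rule argued for in the two comments above, as an added example that is not part of the original thread and not any scanner vendor's code: notices go out only for families on an allowlist of senders known not to forge, everything else is quarantined silently, and the notice is text-only so the attachment is never sent back. The family name `Example.MacroVirus.A`, the addresses and the sample message are constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Families the operator is certain never forge the sender address.
# Hypothetical name, constructed for this example. Anything not listed
# here (MyDoom, Klez, a brand-new variant) gets no notice at all.
HONEST_SENDER_FAMILIES = frozenset({"Example.MacroVirus.A"})


def decide(verdict):
    """Map a scanner verdict (family name, or None if clean) to an action."""
    if verdict is None:
        return "deliver"
    if verdict in HONEST_SENDER_FAMILIES:
        return "quarantine_and_notify"
    # Default: the From: header cannot be trusted, so stay silent.
    return "quarantine_silently"


def build_notice(raw, verdict, postmaster="postmaster@mx.example.net"):
    """Return a text-only notice for the sender, or None when none is due."""
    if decide(verdict) != "quarantine_and_notify":
        return None
    original = message_from_bytes(raw, policy=policy.default)
    sender = original.get("From")
    if not sender:
        return None
    notice = EmailMessage()
    notice["From"] = postmaster
    notice["To"] = str(sender)
    notice["Subject"] = "Your message was quarantined"
    # RFC 3834 marker so other automatic responders do not answer the notice.
    notice["Auto-Submitted"] = "auto-generated"
    # Plain text only: the infected message is referenced, never attached.
    notice.set_content(
        "A message from this address was quarantined; the scanner reported "
        f"{verdict}.\nOriginal Message-ID: "
        f"{original.get('Message-ID', 'unknown')}\n"
    )
    return notice


def sample_message(sender):
    """Constructed test message carrying a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "bob@example.net"
    msg["Subject"] = "hi"
    msg["Message-ID"] = "<constructed-1@example.org>"
    msg.set_content("see attachment")
    msg.add_attachment(b"harmless placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = sample_message("alice@example.org")
    for verdict in (None, "MyDoom", "Example.MacroVirus.A"):
        print(verdict, "->", decide(verdict),
              "| notice sent:", build_notice(raw, verdict) is not None)
```
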
  • Maybe, maybe not (Score:5, Interesting)

    by AndroidCat (229562) on Tuesday January 27, 2004 @09:47AM (#8098851) Homepage
    It's still unclear what the real goal of this worm is. While it does DDoS SCO, it also installs a proxy that can be used by spammers. Long after sco.com is smoking rubble, this will probably be relaying Make P3n1s Fast! spam.

    It's too early to call this one. Relax and pass the popcorn.

  • ummmm a good virus? (Score:3, Interesting)

    by k.ellsworth (692902) on Tuesday January 27, 2004 @09:48AM (#8098854)
    Is actually nice to have SCO.com messed around, just because they will be forced to use LINUX/APACHE to survive the attack... I guess SCO stock will fall again, just because they will be needing to hire an Akamai server just like Microsoft did. Linux to save their enemies. Ironic.
  • ...millions of people checking sco.com to see if it's still up? or...
    ...computers with clocks that aren't set correctly? or...
    ...the virus analysts misinterpreting the taskmon.exe when they decompiled it?
  • by orty78 (707288) on Tuesday January 27, 2004 @09:48AM (#8098859)
    This is very similar to the SETI@Home project. I'd like to try it out and run it for a while. How and where do I sign up?
  • Conspiracy! (Score:3, Interesting)

    by The Real Chrisjc (576622) * <slashdot.amoose@com> on Tuesday January 27, 2004 @09:48AM (#8098861) Homepage
    Maybe this is all just a big conspiracy by SCO to make the open-source community seem like a bunch of immature wotsits? I mean, think of all the positive sco publicity they could milk out of this, not to mention maybe using it in the courts? Trying to associate the open-source community with the scum that writes viruses and worms etc.

    I'll put my tin-foil hat on now I think.

    Chris
  • by no_nicks_available (463299) on Tuesday January 27, 2004 @09:48AM (#8098866)
    the DOS isn't supposed to start until Feb 1. Maybe this is related to some sort of network "hardening" in preparation. More info [symantec.com]
  • by mewyn (663989) on Tuesday January 27, 2004 @09:52AM (#8098884) Homepage
    I hate SCO as much as the next guy, but doing a DoS attack on them is not the answer. Sure, they are a bunch of low-life scumbags that want to lock up everything, and have a chunk of the profit, but doing massively illegal acts like this make the whole OSS and free software communities look like a bunch of script kiddies. This makes it very hard for us to take the moral high-ground here when it looks like we are doing this crap.

    Mewyn Dy'ner
  • by CaptainAlbert (162776) on Tuesday January 27, 2004 @09:52AM (#8098890) Homepage


    Seems like it's about time SCO came up with a new business model. Here's my suggestion:

    FROM: Mr. Darl McBride
    Santa Cruz Organisation
    Lindon, Utah

    Dear Sir:

    I have been requested by the Santa Cruz Organisation to contact you for assistance in resolving a matter. The Santa Cruz Organisation has recently concluded a large number of dubious security trades. These pump-and-dump operations have immediately produced moneys equalling US$75,000,000. The Santa Cruz Organisation is desirous of setting up business in other parts of the world, however, because of certain regulations of the U.S. Government, it is unable to move these funds to another region.

    Your assistance is requested as a non-U.S. citizen to assist the Santa Cruz Organisation in moving these funds out of the U.S. If the funds can be transferred to your name, in your Swedish account, then you can forward the funds as directed by the Santa Cruz Organisation. In exchange for your accommodating services, the Santa Cruz Organisation would agree to allow you to retain 10%, or US$7.5 million of this amount.

    However, to be a legitimate transferee of these moneys according to U.S. law, you must hold at least one license for Santa Cruz Organisation Intellectual Property, which are available at a cost of US$699.

    If it will be possible for you to assist us, we would be most grateful. We suggest that you meet with us in person in Lindon, and that during your visit I introduce you to the representatives of the Santa Cruz Organisation.

    Please call me at your earliest convenience. Time is of the essence in this matter; very quickly the U.S. Government will realize that the Federal Reserve is maintaining this amount on deposit, and attempt to levy certain depository taxes on it.

    Yours truly, etc.

    Darl McBride

  • Funny, I think: (Score:5, Informative)

    by cockroach2 (117475) on Tuesday January 27, 2004 @09:53AM (#8098898) Homepage
    On the bottom of the netcraft report you can see an OS history of www.sco.com - apparently they switched from SCO UNIX to Linux in August 2002...
  • by Artifex (18308) on Tuesday January 27, 2004 @09:53AM (#8098899) Journal
    SCO's Information Ministry can just point to this and claim more evil Linux users are trying to destroy the software business, etc.

    We're right, and we know it. No self-respecting geek would stoop to participating in a DDOS in general, not to mention one against someone/something we consider to be morally bankrupt. We know that we can only claim the moral high road only if we actually stick to the high road... right?

    It would be really interesting to find out if it's just some kids behind it, who aren't aware of the difference between right and wrong, or whether it's an entity who has a vested interest in making us look bad...

  • by teamhasnoi (554944) <teamhasnoiNO@SPAMyahoo.com> on Tuesday January 27, 2004 @09:54AM (#8098913) Homepage Journal
    Does this virus use Outlook Express to infect others or does it have its own mail implementation? I've been looking around and see no mention.

    I'd like to know how worried I should be about Windows machines with Thunderbird installed.

    This may be the last straw. I've been thinking about moving all 3-4 of my work machines (p200) to Beos with Fire/Thunderbird and Gobe Productive - I'm tired of the viruses, and I'm tired of maintaining Windows.

  • by Theovon (109752) on Tuesday January 27, 2004 @09:56AM (#8098927)
    This virus was probably written by some dingbat who KNOWS what kind of harm it will cause to the Free Software community.

    Yeah, I know it's far fetched, and probably untrue, but some people need to grow up and realize that the only useful weapons against SCO are FACTS.

    Either that or a big budget with which to purchase them... but their IP is so worthless, who would buy them? :)
  • The SCO Conspiracy (Score:3, Interesting)

    by Hackie_Chan (678203) on Tuesday January 27, 2004 @09:56AM (#8098928)
    That's pretty funny: If SCO claims this virus contains portions of their code -- they could sue the pants off everyone who has the virus on their machines. Imagine millions and millions of people who have illegally obtained their property on to their machines... They could make riches off of this!
  • by Zocalo (252965) on Tuesday January 27, 2004 @09:56AM (#8098934) Homepage
    According to the various AV vendors the worm isn't due to start the DDoS of sco.com until February the first, which seems to be a fairly unanimous opinion. If that's right then that spike on NetCraft's graphs isn't the DDoS, it's just all the people who read AV stories and alerts on the AV and News sites clicking on links - nothing more than a generalised Slashdotting.

    The people who read these AV stories do not represent the "average" user who is more inclined to fall for the worm's social engineering. Nor would they be opening the "63 connections per second" to sco.com being touted by the AV vendors for that matter. I suspect that blip is going to pale into insignificance compared to the amount of traffic they are going to get come February. It's a fair bet that SCO will be denouncing the "Linux hackers" as being the culprits in numerous press releases as well, they may be right on that, they may not, but it's sure as hell going to get them a lot of sympathy.

    This isn't going to help OSS's case at all, and the only saving grace is the February 12th cut off. Then again, I've yet to see anything about what happens to the port the worm listens on come the deactivation date, or what instructions that port might accept.

  • by herrvinny (698679) on Tuesday January 27, 2004 @09:58AM (#8098951)
    MyDoom Windows Worm DDoSing SCO

    But it's not DDOSing now. The attack is set to begin February 1st and end on the 12th.

    The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.... The virus also copies itself to the Kazaa download directory on PCs, on which the file-sharing program is loaded.

    I'm thinking, wow, whoever wrote this covered all the bases. He/She even got the Kazaa people.

    Anyway, why don't ISPs, just for the time being, ban connections to SCO.com? It's not like it's a huge Internet portal or anything, and us geeks who actually need access to the site can just set up a mirror or something.
  • DDoS (Score:4, Informative)

    by savagedome (742194) on Tuesday January 27, 2004 @09:58AM (#8098956)
    Note that the DDoS attack is timed to be performed between 1st and 12th Feb, 2004 [ca.com].
  • Please tell me... (Score:3, Interesting)

    by Dave2 Wickham (600202) * on Tuesday January 27, 2004 @10:01AM (#8098967) Journal
    "A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director of antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.


    Please tell me I'm missing a whole load; most of the strings found in the binary are readable after de-UPX [sourceforge.net]-ing, then ROT13ing. About half are ROT13d, half aren't.

    Ah well, I'm probably totally wrong, but it just sounds odd.
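
The string triage described in the comment above (extract printable strings from the unpacked binary, then check which ones only become readable after ROT13), as an added example that is not part of the original thread. It assumes the file has already been unpacked; the marker list and the sample blob are constructed for the example and are not taken from the worm.

```python
import codecs
import re

# Printable-ASCII runs of at least five bytes, as strings(1) would report.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{5,}")

# Substrings typical of readable strings in a Windows program. This list is
# an assumption chosen for the example; extend it for real triage work.
MARKERS = (".exe", ".dll", "software\\", "currentversion", "http", "www.",
           "smtp", "content-type", "subject")


def extract_strings(blob):
    """Return every printable run in the blob, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def marker_hits(text):
    """Count how many known markers occur in the text (case-insensitive)."""
    low = text.lower()
    return sum(1 for marker in MARKERS if marker in low)


def classify(s):
    """Return (label, readable_text) for one extracted string."""
    decoded = codecs.decode(s, "rot_13")
    plain_score, rot_score = marker_hits(s), marker_hits(decoded)
    if rot_score > plain_score:
        return "rot13", decoded      # only makes sense after ROT13
    if plain_score > 0:
        return "plain", s            # readable as stored
    return "unknown", s              # neither form matches a marker


def triage(blob):
    """Group the blob's strings into plain / rot13 / unknown buckets."""
    report = {"plain": [], "rot13": [], "unknown": []}
    for s in extract_strings(blob):
        label, text = classify(s)
        report[label].append(text)
    return report


def build_sample():
    """Constructed blob: some strings stored plainly, some stored as ROT13."""
    plain = [b"Content-Type: application/octet-stream", b"kernel32.dll"]
    hidden = ["www.example.com", "Software\\Example\\CurrentVersion",
              "sample.exe"]
    parts = plain + [codecs.encode(h, "rot_13").encode("ascii")
                     for h in hidden]
    # Non-printable separators and a short run that must not be reported.
    return b"\x00\x01".join(parts) + b"\x00Zq3#vK8!pL\x00\xff\x10abc\x00"


if __name__ == "__main__":
    for label, items in triage(build_sample()).items():
        print(f"{label:8} {len(items)}")
        for item in items:
            print("   ", item)
```
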
  • by Trygve (75999) on Tuesday January 27, 2004 @10:02AM (#8098977)
    So their hypocrisy has repeatedly been pointed out in their claims of the GPL being an illegal economy killer while they use Samba3. But I'd never noticed it being pointed out that they're using Apache (not GPL, granted, but still an open source license nonetheless) for their web server, and as recently as December 12 (according to the Netcraft link in the story) have been running it on Linux. I know I shouldn't be surprised, but c'mon ...
  • Anyone antisocial and misdirected enough to spend effort writing software that does damage cannot have enough of a sense of wrong and right to give a damn about the SCO case.

    This is someone who just wants to feel important and who thinks that by DDoS'ing SCO everyone will call him a hero.

    Well, you stupid ignorant bastard, if you're reading this, and you probably are since you expect that the Slashdot hordes will applaud your bravery in damaging thousands of people's computers, NO ONE ADMIRES YOU. We spit on you, you're the bastard offspring of a lemming and a hamster and your mother had a beard!

    With enemies like this SCO hardly needs friends. Anyone who wants to see SCO suffer for the wrongs they have done should unequivocally condemn such acts of terrorism. SCO will be broken by the weight of justice and right, not by mindless thugware.
  • So sad (Score:5, Funny)

    by Pedrito (94783) on Tuesday January 27, 2004 @10:15AM (#8099094) Homepage
    Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.

    Yes, it makes me very sad. Can someone hand me a hanky? I think I need some alone time to cry about this.
  • well-deserved (Score:4, Interesting)

    by Tom (822) on Tuesday January 27, 2004 @10:19AM (#8099128) Homepage Journal
    Is this ethical? No.

    Do they deserve it? Yes.
    Have they been asking for it? Absolutely.

    SCO aren't only the bully, they are the bully who has the rules on his side. "The system" is pretty guilty of aiding and supporting their dirty tricks. So it was only a matter of time until someone stepped outside the rules to get even.

    Actually, I'm surprised it's just a small DDoS. I'd have more expected that their LAN gets wasted.

  • by holy_smoke (694875) on Tuesday January 27, 2004 @10:20AM (#8099137)
    "if you have to become evil to fight evil, why are you fighting it?"

    As much as I think that the SCO leeches are slimy forked tongue greedy selfish two-faced hypocrite lying b@stards, I have to say that those folks who are purposefully attacking them are only helping their cause and hurting the perception of the open source community.

    Let them kill themselves. The industry is aligned against them, and you can bet they will castrate them before it's over.
  • Hey Bill (Score:4, Interesting)

    by Ashtead (654610) on Tuesday January 27, 2004 @10:26AM (#8099223) Journal
    So now we have some vast number of Windows machines of different vintages being hijacked and spreading this shite all over.

    Now, I recall, the other day Bill Gates vowed to kill spam and worms, and now this? Looks like he has his work cut out for him there....

    This has gotta be the Nth time I've seen reports that a worm has put an executable file into an area of the system that really should have been off-limits to anything not really needing to go there. So what does an E-mail program have to do of meaningful work in the OS code directories? Beats me...

    I can offer a hint to Mr. Gates: Rework Windows so that it not only does not require Administrator rights to operate normally, but actually disallows certain operations when being Administrator as well. Such as running browser or e-mail programs.

    Make sure no ordinary users can run processes that can write anything at all into the areas not set aside for that user, and the common temporary files area. I suspect there has to be some redesign, but I cannot see how this nonsense can be stopped otherwise.

  • by ChaoticCoyote (195677) on Tuesday January 27, 2004 @10:28AM (#8099236) Homepage

    Expect more associations between digital terrorism and Linux (as a catch-all media term for "free software"). The greatest threats to any revolution are:

    1. Zealots who feel obligated to use violence or destruction as an end to their means.
    2. Fools who fight the revolution because it is "fun", but who are not truly committed to the ideals.
    3. Government (and these days, corporate) infiltrators who play the two above roles in order to destroy the revolution.
    4. Power-hungry folk who bend the revolution to their own ends.

    I strongly suggest people become more familiar with how government and industry have undermined and perverted various revolutions. Start with COINTELPRO [icdc.com], an FBI campaign of the 1960s and 70s. And then read a bit of the history of the Homestead strike [pbs.org].

    From undermining the right to vote (via electronic "voting") to lying about WMDs in Iraq -- do you honestly think such people will ignore the threat posed by free software to the lucrative commercial software industry? SCO's assault on free software may only be the tip of an iceberg...

  • Mad (Score:5, Insightful)

    by Brian Kendig (1959) on Tuesday January 27, 2004 @10:34AM (#8099299) Homepage
    So far, since this worm started yesterday afternoon, I have received over a thousand worm emails and erroneous bounce messages (from mail servers who think that just because my address is on the mail that means I sent it).

    And I don't even use any Microsoft products.

    When is somebody going to file a class-action lawsuit against Microsoft for continuing to fail to address the security holes in Windows? I mean, it's been thirteen years since Michelangelo, and still all it takes for a virus to rape Windows is for a user to double-click on an email attachment.
  • by tbase (666607) on Tuesday January 27, 2004 @10:34AM (#8099304)
    I'm speaking of all of you who are saying SCO deserves it (and only those people). Do I deserve to deal with this virus BS? I have enough trouble dealing with the spam at my company, now I have to deal with this too. Viruses suck, period. Especially this one, which is forging random "from" addresses. It seems to be using #randomfirstname#@domain.extension - so now on top of the dozen or so viruses an hour I'm getting, I'm also getting bounces that I can't filter because the "to" is random. Don't bother telling me to filter out executables, I already do that. As a matter of policy, I'm the one that checks the filtered "junk" to make sure there were no false positives. It's usually about 500 a day, 1200 over the weekend. Also don't bother telling me to bounce undefined addresses. Not an option. Considering how early in the game it is for this virus, the dozen or more an hour I'm getting will probably turn into a lot more. Whoever put this out there is doing far more damage to innocent bystanders than they can ever hope to do to SCO. SCO will hang themselves eventually - the author(s) of this virus is worse than anyone at SCO.

    I do agree with those who are suspicious of the motives - I think the SCO attack is just a front to increase the spread. Some morons will undoubtedly put intentionally infected machines out there, which will be more effective as Spammer relays than as drones to attack SCO. Anyone intentionally letting a machine become infected should have the book thrown at them. It amazes me how stupid very intelligent people can be sometimes.
  • by jotaeleemeese (303437) on Tuesday January 27, 2004 @10:59AM (#8099544) Homepage Journal
    Without proof of who it was, that can be construed as libel, or whatever it is called in the US.

    If SCO is attacked they should pursue this with the appropriate authorities. I hope the perpetrator is caught, brought to justice and fairly punished.

    The OSS community should be completely unambiguous about this matter, illegal means have never been supported or encouraged in order to promote the aims of OSS, not only because it is immoral but also completely unnecessary and childish.

    I am appalled that the response of many around here is "SCO deserves it". No dear slashbots, nobody deserves that their resources are abused in this manner, not even SCO. I am behind them in any action they wish to pursue against the perpetrators, but equally I hope (perhaps in vain) that they will not make false claims without the knowledge of who did this and why.

    I am also peeved that people here are not unambiguous about the condemnation of this DOS attack. This is not only illegal and immoral but also counterproductive and it would be nice to see complete and unambiguous condemnation of these tactics.

    Do you want to show OSS tactics and aims are reasonable and beneficial? A wonderful way would be for true hackers to organize themselves and try to identify, shame and denounce the perpetrators of this (or any other) charade.

    Only because people have remained silent and unwilling to help the Internet, bit by bit, little by little, is being taken away from us, but alas, we have not protected it as it deserves.
  • by JRHelgeson (576325) on Tuesday January 27, 2004 @11:07AM (#8099639) Homepage Journal
    The DDoS against SCO.com doesn't start until the infected machine is rebooted any time after February 1, 2004 at 00:00:01 and will continue until the machine is rebooted after February 12, 2004. At that point in time, the DDoS will stop and the infected host will keep its back door open - listening on ports 3127 to 3198 TCP (It only listens on one port, but if 3127 isn't available it'll listen on the next port on up the chain). Presumably, after 12 Feb, the infected machine will be used as a spam relay as the virus obviously has Message Transfer capabilities encoded within it.

    The graphs that are linked to in the /. story simply illustrate that SCO's shxt keeps on crashing - which is not really surprising after Darl had to fire the network admin to feed his Lawyer habit.
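
A triage check built on the port range given in the comment above, added here as an example and not part of the original post: it scans Windows `netstat -ano` output for TCP listeners on 3127 to 3198. The sample output, addresses and PIDs are constructed, and a hit is a lead to investigate the owning process, not proof of infection.

```python
BACKDOOR_PORTS = range(3127, 3199)  # 3127..3198 inclusive, per the comment above

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1420
  TCP    192.168.1.10:3130      203.0.113.5:80         ESTABLISHED     2040
  TCP    [::]:3198              [::]:0                 LISTENING       1420
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING       3004
  UDP    0.0.0.0:3128           *:*                                    1100
"""


def suspicious_listeners(netstat_text):
    """Return sorted (port, pid) pairs for TCP listeners in the backdoor range."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only 5-column TCP rows in LISTENING state; this skips the header,
        # UDP rows (no state column) and established outbound connections
        # that merely use a local port inside the range.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rsplit handles both 0.0.0.0:3127 and bracketed IPv6 such as [::]:3198
        port_text = fields[1].rsplit(":", 1)[1]
        if port_text.isdigit() and int(port_text) in BACKDOOR_PORTS:
            hits.append((int(port_text), int(fields[4])))
    return sorted(hits)


if __name__ == "__main__":
    for port, pid in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"TCP listener on port {port}, owning PID {pid}")
```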

  • by unoengborg (209251) on Tuesday January 27, 2004 @11:16AM (#8099765) Homepage
    Doing DDoS on SCO just makes people feel sorry for them. They do not deserve that.

    Besides SCO doesn't need the internet as they hardly can expect to have any real customers left.

    Nowadays their business model is based purely on litigation. To my knowledge lawsuits are delivered by hand, so a DDoS would not disturb their business at all.

  • DDOSing SCO's web site only prevents the general public and groklaw.net from access to their ongoing press releases and Darl's bio -- I mean -- does www.sco.com get traffic for any /other/ reason? People checking for Openserver upgrades and enhancements?? The latest download of Skunkware?? A fresh copy of the $699. Linux Licensing form???
  • Build a Better DDOS (Score:3, Interesting)

    by GangstaLean (102189) <gangstalean@bird ... org minus author> on Tuesday January 27, 2004 @11:34AM (#8099941) Homepage
    A better DDOS would be an SMTP-based attack. If you flooded your enemy's MXers it would hurt them more than taking out their web site.
  • Perfect... (Score:5, Interesting)

    by Fr33z0r (621949) on Tuesday January 27, 2004 @11:44AM (#8100055)
    I got a copy of this virus before I left for work this morning, saw the mail and thought "ok, I don't know them and it's got an attachment, it's a virus", opened up the zip for a look though and saw the payload.

    "Fair enough, a new virus, I gotta go to work."

    Flash forward 7 hours to now and I can't *believe* what a great opportunity this virus has afforded me and no doubt countless others reading.

    The mailbox it was delivered to was a spamtrap, chances are spamtraps all over the world are being sent the real, legitimate IP addresses of spammers dumb enough to click malicious attachments.

    Viruses are bad, DoSing SCO is bad, but god damn, all this time we've been bitching and moaning about viruses when we could have been using them on spamtrap addresses to track down spammers to their *own* internet connection.
  • by sunset (182117) on Tuesday January 27, 2004 @01:03PM (#8101072) Homepage

    I just created and installed a Postfix remedy for this recent deluge, and thought I'd pass it on.

    In main.cf, insert this:

    body_checks=pcre:/etc/postfix/virus_body_checks

    Create a file virus_body_checks containing this:

    /^TVqQAAMAAAAEAAAA\/\/8AALg/ REJECT Microsoft executable attachments are not allowed here.
    /^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.

    If anyone has an improved solution, let me know, but this seems to work.
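
An added example, not part of the post above: a small offline harness that loads the two rules as posted and runs them line by line over constructed message bodies, to show what the first rule keys on (the base64 of a typical Windows executable header at the start of a line) and to check for false positives before deploying. The parser, helper names and sample payloads are assumptions made for the illustration; Python's `re` stands in for PCRE, which is sufficient for these two patterns.

```python
import base64
import io
import re
import zipfile

# The two rules exactly as posted, in Postfix pcre-table syntax.
RULES_TEXT = r"""
/^TVqQAAMAAAAEAAAA\/\/8AALg/ REJECT Microsoft executable attachments are not allowed here.
/^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.
"""

def load_rules(text):
    """Parse '/regex/ ACTION text' lines into (compiled regex, action, text)."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"/((?:\\.|[^/\\])*)/\s+(\S+)\s*(.*)", line)
        # Postfix pcre tables match case-insensitively unless a flag turns it off.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2), m.group(3)))
    return rules

def check_body(body, rules):
    """body_checks sees the raw body one line at a time; the first match wins."""
    for lineno, line in enumerate(body.splitlines(), 1):
        for regex, action, text in rules:
            if regex.search(line):
                return lineno, action, text
    return None

def attachment(payload):
    """Constructed MIME part: one header, a blank line, base64 in 76-column lines."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return "Content-Transfer-Encoding: base64\n\n" + b64

# Constructed samples: the usual first bytes of a Windows executable (zero padded),
# a harmless zip built in memory, and a text line that only mentions the string.
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b8000000") + bytes(44)
buf = io.BytesIO()
with zipfile.ZipFile(buf, "w") as z:
    z.writestr("readme.txt", "hello")
BENIGN_ZIP = buf.getvalue()
PLAIN_TEXT = "The base64 of an EXE starts with TVqQAAMAAAAEAAAA//8AALg, FYI.\n"

RULES = load_rules(RULES_TEXT)

if __name__ == "__main__":
    for name, body in [("exe", attachment(MZ_HEADER)),
                       ("zip", attachment(BENIGN_ZIP)),
                       ("text", PLAIN_TEXT)]:
        print(name, check_body(body, RULES))
```

On a live server the table itself can be exercised with `postmap -q - pcre:/etc/postfix/virus_body_checks < sample_body`, which reads one lookup key per input line.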
