
MyDoom Windows Worm DDoSing SCO

Posted by CmdrTaco
from the now-thats-just-not-cool dept.
We mentioned the myDoom Worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at NetCraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.
  • Workers (Score:5, Interesting)

    by turtlexit (720052) on Tuesday January 27, 2004 @09:44AM (#8098815)
    SCO ought to start getting hit hard today as office workers and the like start checking their email today starting around 9 Eastern, and running the virus. It'll be interesting to see what SCO's reaction will be. Almost like the calm before the storm ;-)
  • by nathanh (1214) on Tuesday January 27, 2004 @09:46AM (#8098831) Homepage

    I thought the worm was set to start the DDOS on February 1. So why is SCO showing a DDOS right now?

    Was the February 1 thing made up? I've not yet received the virus in my email so I can't check the code for myself.

    Or (I consider this more plausible) has SCO taken their own site down with the intention of blaming the "Linux terrorists", but they stupidly took it down 3 days too early.

  • Maybe, maybe not (Score:5, Interesting)

    by AndroidCat (229562) on Tuesday January 27, 2004 @09:47AM (#8098851) Homepage
    It's still unclear what the real goal of this worm is. While it does DDoS SCO, it also installs a proxy that can be used by spammers. Long after sco.com is smoking rubble, this will probably be relaying Make P3n1s Fast! spam.

    It's too early to call this one. Relax and pass the popcorn.

  • ummmm a good virus? (Score:3, Interesting)

    by k.ellsworth (692902) on Tuesday January 27, 2004 @09:48AM (#8098854)
    It's actually nice to have SCO.com messed around with, just because they will be forced to use LINUX/APACHE to survive the attack... I guess SCO stock will fall again, just because they will be needing to hire Akamai servers just like Microsoft did. Linux to save their enemies. Ironic.
    by calebb (685461) * on Tuesday January 27, 2004 @09:48AM (#8098857) Homepage Journal
    ...millions of people checking sco.com to see if it's still up? or...
    ...computers with clocks that aren't set correctly? or...
    ...the virus analysts misinterpreting the taskmon.exe when they decompiled it?
  • Conspiracy! (Score:3, Interesting)

    by The Real Chrisjc (576622) * on Tuesday January 27, 2004 @09:48AM (#8098861) Homepage
    Maybe this is all just a big conspiracy by SCO to make the open-source community seem like a bunch of immature wotsits? I mean, think of all the positive SCO publicity they could milk out of this, not to mention maybe using it in the courts? Trying to associate the open-source community with the scum that writes viruses and worms etc.

    I'll put my tin-foil hat on now I think.

    Chris
  • But, damn it! (Score:3, Interesting)

    by Short Circuit (52384) <mikemol@gmail.com> on Tuesday January 27, 2004 @09:51AM (#8098878) Homepage Journal
    This is going to be a serious blow to the moral credibility of the OSS community, not just Linux users.

    We seriously need some sort of petition stating we do not support Linux or OSS, but not underhanded tactics like DDOSing and viruses.
  • by julesh (229690) on Tuesday January 27, 2004 @09:53AM (#8098905)
    I've not yet received the virus in my email so I can't check the code for myself.

    Good god, man, don't complain when you've been that lucky. I got into the office this morning to find 550 unread messages, mostly copies of this, or messages saying that copies I had supposedly sent hadn't been delivered...
    by teamhasnoi (554944) on Tuesday January 27, 2004 @09:54AM (#8098913) Homepage Journal
    Does this virus use Outlook Express to infect others or does it have its own mail implementation? I've been looking around and see no mention.

    I'd like to know how worried I should be about Windows machines with Thunderbird installed.

    This may be the last straw. I've been thinking about moving all 3-4 of my work machines (p200) to Beos with Fire/Thunderbird and Gobe Productive - I'm tired of the viruses, and I'm tired of maintaining Windows.

  • by Theovon (109752) on Tuesday January 27, 2004 @09:56AM (#8098927)
    This virus was probably written by some dingbat who KNOWS what kind of harm it will cause to the Free Software community.

    Yeah, I know it's far fetched, and probably untrue, but some people need to grow up and realize that the only useful weapons against SCO are FACTS.

    Either that or a big budget with which to purchase them... but their IP is so worthless, who would buy them? :)
  • The SCO Conspiracy (Score:3, Interesting)

    by Hackie_Chan (678203) on Tuesday January 27, 2004 @09:56AM (#8098928)
    That's pretty funny: If SCO claims this virus contains portions of their code -- they could sue the pants off everyone who has the virus on their machines. Imagine millions and millions of people who have illegally obtained their property on to their machines... They could make riches off of this!
  • by Vintermann (400722) on Tuesday January 27, 2004 @09:56AM (#8098933) Homepage
    I think the real purpose of this worm is to enable spammers to work more comfortably and safely. The attack at SCO conveniently distracts attention from this, and on to the spam-hating linux community.
  • by Zocalo (252965) on Tuesday January 27, 2004 @09:56AM (#8098934) Homepage
    According to the various AV vendors the worm isn't due to start the DDoS of sco.com until February the first, which seems to be a fairly unanimous opinion. If that's right then that spike on NetCraft's graphs isn't the DDoS, it's just all the people who read AV stories and alerts on the AV and News sites clicking on links - nothing more than a generalised Slashdotting.

    The people who read these AV stories do not represent the "average" user who is more inclined to fall for the worm's social engineering. Nor would they be opening the "63 connections per second" to sco.com being touted by the AV vendors for that matter. I suspect that blip is going to pale into insignificance compared to the amount of traffic they are going to get come February. It's a fair bet that SCO will be denouncing the "Linux hackers" as being the culprits in numerous press releases as well, they may be right on that, they may not, but it's sure as hell going to get them a lot of sympathy.

    This isn't going to help OSS's case at all, and the only saving grace is the February 12th cut off. Then again, I've yet to see anything about what happens to the port the worm listens on come the deactivation date, or what instructions that port might accept.

  • by JumperCable (673155) on Tuesday January 27, 2004 @09:59AM (#8098962)
    Or (I consider this more plausible) has SCO taken their own site down with the intention of blaming the "Linux terrorists", but they stupidly took it down 3 days too early.

    Not that I don't think your idea is a serious possibility, but SCO is probably being slashdotted by all the people who want to see if it is down.

    Tinfoil Hat idea #3: Since this is being spread by Kazaa, perhaps the RIAA is trying to scare file traders off of the Kazaa networks but ensure the virus is blamed on someone else. SCO haters are a dime a dozen.

    Enough for now, I've got to finished rereading Catcher in the Rye.
  • Please tell me... (Score:3, Interesting)

    by Dave2 Wickham (600202) * on Tuesday January 27, 2004 @10:01AM (#8098967) Journal
    "A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director of antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.


    Please tell me I'm missing a whole load; most of the strings found in the binary are readable after de-UPX [sourceforge.net]-ing, then ROT13ing. About half are ROT13d, half aren't.

    Ah well, I'm probably totally wrong, but it just sounds odd.
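    The de-UPX-then-ROT13 observation above, as an added example that is not code from the original post: a small Python triage routine that pulls printable strings out of an already-unpacked image and keeps whichever of the plain or ROT13 reading contains more recognisable tokens, since only some strings are obfuscated. It assumes the UPX layer has already been removed by a separate unpacker, and the token list and sample strings are constructed for illustration.

```python
import codecs
import re

# Substrings an analyst expects to see in the readable form of a mail worm's
# strings. Assumption: a small hand-picked list; real triage would use a larger one.
KNOWN_TOKENS = (".com", ".exe", ".dll", "http", "www.", "mail", "smtp",
                "from:", "subject", "windows", "kernel32")

# Runs of 4 or more printable ASCII bytes, the same rule the classic `strings` tool uses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob):
    """Return the printable ASCII runs found in an already-unpacked binary image."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]


def rot13(s):
    """ROT13 is an involution, so the same call both obfuscates and decodes."""
    return codecs.decode(s, "rot_13")


def score(s):
    """Count known tokens in s; a higher score means 'reads like plaintext'."""
    low = s.lower()
    return sum(low.count(tok) for tok in KNOWN_TOKENS)


def triage(blob):
    """For every string, keep the reading (plain or ROT13) that scores higher.

    Returns a list of (as_found, best_reading, was_rot13). Ties keep the
    string as found, so opaque data is never silently 'decoded'.
    """
    results = []
    for s in extract_strings(blob):
        candidate = rot13(s)
        if score(candidate) > score(s):
            results.append((s, candidate, True))
        else:
            results.append((s, s, False))
    return results


def sample_blob():
    """Constructed stand-in for an unpacked image: some strings plain, some
    ROT13-obfuscated, separated by NUL bytes. Not real MyDoom data."""
    plain = ["kernel32.dll", "taskmon.exe"]
    obfuscated = [rot13("www.sco.com"), rot13("From: %s"),
                  rot13("Mail transaction failed")]
    noise = ["ABCDEFGH"]  # opaque run that should be left untouched
    return b"\x00".join(s.encode("ascii") for s in plain + obfuscated + noise)


if __name__ == "__main__":
    for found, best, flagged in triage(sample_blob()):
        print(f"{'ROT13' if flagged else 'plain':5}  {found!r:28} -> {best!r}")
```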
  • by Trygve (75999) on Tuesday January 27, 2004 @10:02AM (#8098977)
    So their hypocrisy has repeatedly been pointed out in their claims of the GPL being an illegal economy killer while they use Samba3. But I'd never noticed it being pointed out that they're using Apache (not GPL, granted, but still an open source license nonetheless) for their web server, and as recently as December 12 (according to the Netcraft link in the story) have been running it on Linux. I know I shouldn't be surprised, but c'mon ...
    by heironymouscoward (683461) on Tuesday January 27, 2004 @10:02AM (#8098979) Journal
    Anyone antisocial and misdirected enough to spend effort writing software that does damage cannot have enough of a sense of wrong and right to give a damn about the SCO case.

    This is someone who just wants to feel important and who thinks that by DDoS'ing SCO everyone will call him a hero.

    Well, you stupid ignorant bastard, if you're reading this, and you probably are since you expect that the Slashdot hordes will applaud your bravery in damaging thousands of people's computers, NO ONE ADMIRES YOU. We spit on you, you're the bastard offspring of a lemming and a hamster and your mother had a beard!

    With enemies like this SCO hardly needs friends. Anyone who wants to see SCO suffer for the wrongs they have done should unequivocally condemn such acts of terrorism. SCO will be broken by the weight of justice and right, not by mindless thugware.
  • by Anonymous Coward on Tuesday January 27, 2004 @10:02AM (#8098982)
    How sweet would it be to *prove* SCO is behind this.
  • by AndroidCat (229562) on Tuesday January 27, 2004 @10:08AM (#8099033) Homepage
    Don't forget about the proxy/backdoor that this installs:
    The virus installs a Windows program that opens up a "back door" in the system, allowing an attacker to upload additional programs onto the compromised device. The back door also enables an intruder to route his connection through the infected computer to hide the source of an attack.
    Why would SCO include a backdoor? And why would the people attacking SCO include a backdoor? Worms like Gibe.x have used multi-loaders and have been connected with spammers, but this is better work than they've done so far. We don't know everything of what this worm does, it'll be much longer until we know why it does it, and even longer until we know who did it. The clues point in too many directions right now. Round up the usual suspects!
  • by nai (465491) on Tuesday January 27, 2004 @10:11AM (#8099057)
    Don't you find it suspicious that virii always try to DDoS websites like sco.com, whitehouse.gov or microsoft.com?
    If you want to write a virus that will survive, wouldn't you target antivirus companies, like symantec.com, mcafee.com or pandasoftware.com?
    by caino59 (313096) on Tuesday January 27, 2004 @10:12AM (#8099067) Homepage
    Great News!!

    I witnessed it on the first visit!

    Really though, I wanted to see if they might have added a news piece on their site regarding what was already known to be a pending attack.
    I mean..they had to know right? Surely someone warned them, or does really -no one- like them. I think that's pretty likely.
    And being that McBride is pushing on with the lawsuits, I would say it's safe to say that he doesn't bother reading the news...
  • Re:But, damn it! (Score:3, Interesting)

    by bhtooefr (649901) on Tuesday January 27, 2004 @10:14AM (#8099084) Homepage Journal
    You mean we do support Linux and OSS, not we do not support Linux or OSS, right?

    It's at http://petitiononline.com/dontddos
  • well-deserved (Score:4, Interesting)

    by Tom (822) on Tuesday January 27, 2004 @10:19AM (#8099128) Homepage Journal
    Is this ethical? No.

    Do they deserve it? Yes.
    Have they been asking for it? Absolutely.

    SCO aren't only the bully, they are the bully who has the rules on his side. "The system" is pretty guilty of aiding and supporting their dirty tricks. So it was only a matter of time until someone stepped outside the rules to get even.

    Actually, I'm surprised it's just a small DDoS. I'd have rather expected their LAN to get wasted.

  • by holy_smoke (694875) on Tuesday January 27, 2004 @10:20AM (#8099137)
    "if you have to become evil to fight evil, why are you fighting it?"

    As much as I think that the SCO leeches are slimy, forked-tongue, greedy, selfish, two-faced, hypocritical, lying b@stards, I have to say that those folks who are purposefully attacking them are only helping their cause and hurting the perception of the open source community.

    Let them kill themselves. The industry is aligned against them, and you can bet they will castrate them before it's over.
  • Hey Bill (Score:4, Interesting)

    by Ashtead (654610) on Tuesday January 27, 2004 @10:26AM (#8099223) Journal
    So now we have some vast number of Windows machines of different vintages being hijacked and spreading this shite all over.

    Now, I recall, the other day Bill Gates vowed to kill spam and worms, and now this? Looks like he has his work cut out for him there....

    This has gotta be the Nth time I've seen reports that a worm has put an executable file into an area of the system that really should have been off-limits to anything not really needing to go there. So what does an E-mail program have to do of meaningful work in the OS code directories? Beats me...

    I can offer a hint to Mr. Gates: Rework Windows so that it not only does not require Administrator rights to operate normally, but actually disallows certain operations when being Administrator as well. Such as running browser or e-mail programs.

    Make sure no ordinary users can run processes that can write anything at all into the areas not set aside for that user, and the common temporary files area. I suspect there has to be some redesign, but I cannot see how this nonsense can be stopped otherwise.

  • by ChaoticCoyote (195677) on Tuesday January 27, 2004 @10:28AM (#8099236) Homepage

    Expect more associations between digital terrorism and Linux (as a catch-all media term for "free software"). The greatest threats to any revolution are:

    1. Zealots who feel obligated to use violence or destruction as an end to their means.
    2. Fools who fight the revolution because it is "fun", but who are not truly committed to the ideals.
    3. Government (and these days, corporate) infiltrators who play the two above roles in order to destroy the revolution.
    4. Power-hungry folk who bend the revolution to their own ends.

    I strongly suggest people become more familiar with how government and industry have undermined and perverted various revolutions. Start with COINTELPRO [icdc.com], an FBI campaign of the 1960s and 70s. And then read a bit of the history of the Homestead strike [pbs.org].

    From undermining the right to vote (via electronic "voting") to lying about WMDs in Iraq -- do you honestly think such people will ignore the threat posed by free software to the lucrative commercial software industry? SCO's assault on free software may only be the tip of an iceberg...

  • by Saven Marek (739395) on Tuesday January 27, 2004 @10:40AM (#8099354)
    They very easily could. The way I see it, and perhaps the way the virus writers see it, is that SCO WILL NOT STOP. They are running the company into the ground, they are losing genuine sales, they are in a public relations nightmare, staff of theirs that I know are feeling the PR pinch, and their leader is on a mission to do one thing: badmouth Linux until the day he is forced not to.

    Who else releases press releases deriding competitors or about lawsuits for a year straight, with NO press releases regarding actual real products?

    Their goal is spreading FUD, and while they are the SCO group and are allowed to do so, they will keep doing it. If this court case with IBM, and the one with Novell, go on for another 3 years, all through that SCO will release statement after statement to the press speaking rubbish about Linux and threatening normal users. They won't stop until they are made to.

    Since the law protects them and allows them to keep making these statements, the only thing that will stop them is something like a DDoS, and that's the situation we have.
  • by pjrc (134994) <paul@pjrc.com> on Tuesday January 27, 2004 @10:48AM (#8099443) Homepage Journal
    Since Mydoom has been identified as a variant of Mimail, which is largely believed to have been written on behalf of spammers and/or PayPal scammers (apparently in Russia), the most likely scenario is that the same group created Mydoom.

    The attack on SCO is most likely just a diversion. A simple distraction from the actual goal... to turn millions of machines into zombies which can be used to conduct illegal activities (phishing scams), or can be turned into email/spam relays to be sold to spammers.

    It's already been established that Mydoom installs a backdoor and allows routing of tcp/ip connections to mask the identity of the originator. More or less exactly what scammers hoping to defraud ordinary people of banking details (phishing) need. Also the standard approach to turning machines into a valuable asset that can be sold to spammers in need of mail relays or "bulletproof hosting" for their websites that host the images all those spam messages reference.

    Attacking SCO is a smart diversion.... especially if SCO takes the bait and publishes a flamebait press release (seems almost certain), which will of course provoke a response from the free software / open source communities. Lots of free press to help divert the anger of millions of (clueless) victims towards the very visible open source and free software people, and SCO, and away from the real criminals.

    Judging from most of the comments here on Slashdot so far, it appears to be working perfectly.

  • by AKnightCowboy (608632) on Tuesday January 27, 2004 @10:54AM (#8099505)
    If you want to write a virus that will survive, won't you target antivirus company, like symantec.com, mcafee.com or pandasoftware.com ?

    Why would the virus writers DDoS their own web sites? No, I don't find it to be an amazing coincidence that the very people supposedly fighting viruses also employ the people most knowledgeable about creating them. It's their job to know everything about viruses and it's their company's business to sell antivirus software. I was less suspicious back when McAfee used to give out free shareware versions, but when everyone went to charging a subscription fee yearly for updates it kind of became obvious that antivirus companies are behind most, if not all viruses in existence today.

  • by mattdm (1931) on Tuesday January 27, 2004 @11:02AM (#8099581) Homepage
    I wish some sysadmins would get a clue and realize that with viruses spoofing the From: address, there is no fscking point in sending the "you sent me a virus" panic mail.

    I've been trying to complain to admins about this ever since Klez. You wouldn't believe the abuse I've gotten back -- and I've been very polite and nice. Generally, sites feel that it's adequate to add the newly found spoofing viruses to a don't-mail-notices blacklist after it's "realized" that yet another one can't be trusted. GET A CLUE, people -- you can't trust *viruses* at all.

    The *real* problem is the antivirus software -- notices should only be sent for "known honest" viruses -- if at all. There should be *no* option to send these notices by default. But the antivirus companies *love* this -- they get to send out *millions* of advertisements for the effectiveness of their product, and no one is allowed to call it spam -- even though it *is*.
  • Build a Better DDOS (Score:3, Interesting)

    by GangstaLean (102189) on Tuesday January 27, 2004 @11:34AM (#8099941) Homepage
    A better DDOS would be an SMTP-based attack. If you flooded your enemy's MXers it would hurt them more than taking out their web site.
  • Perfect... (Score:5, Interesting)

    by Fr33z0r (621949) on Tuesday January 27, 2004 @11:44AM (#8100055)
    I got a copy of this virus before I left for work this morning, saw the mail and thought "ok, I don't know them and it's got an attachment, it's a virus", opened up the zip for a look though and saw the payload.

    "Fair enough, a new virus, I gotta go to work."

    Flash forward 7 hours to now and I can't *believe* what a great opportunity this virus has afforded me and no doubt countless others reading.

    The mailbox it was delivered to was a spamtrap, chances are spamtraps all over the world are being sent the real, legitimate IP addresses of spammers dumb enough to click malicious attachments.

    Viruses are bad, DoSing SCO is bad, but god damn, all this time we've been bitching and moaning about viruses when we could have been using them on spamtrap addresses to track down spammers to their *own* internet connection.
  • Honestly children... (Score:3, Interesting)

    by raytracer (51035) on Tuesday January 27, 2004 @11:59AM (#8100234)

    Get over it. Yes, SCO is a company that appears to be litigating themselves into profitability, at least until they can manage a stock dump. Yes, they are lobbying Congress with lies about the GPL and the open source movement.

    But this doesn't justify a lynch mob. What you are doing is illegal.

    If that doesn't convince you, think of the millions of people whose days are inconvenienced and/or wrecked. Don't you think that their misery far exceeds any temporary hurt you could deal to SCO? It's not like they need to have a whole lot of internet connectivity to litigate their cases. If anything, being DOS'ed helps them make their point.

    Think of the big picture. Act responsibly.

  • Apache on Linux? (Score:3, Interesting)

    by scoove (71173) on Tuesday January 27, 2004 @01:15PM (#8101231)
    Anyone notice the bottom of the Netcraft report (under OS, Web Server and Hosting History for www.sco.com)?

    OS        Web server                                                     Date         IP address       Netblock owner
    unknown   Apache                                                         27-Jan-2004  216.250.128.12   NFT
    Linux     Apache                                                         12-Dec-2003  216.250.128.12   NFT

    Now we know why they were too busy to respond to the judge's discovery order - they were getting their website converted over to another OS (or hiding that the OS was Linux).

    Curiously, the netcraft site [netcraft.com] shows they tried this for a day earlier in December and presumably had problems with the cutover. The full Netcraft report shows an interesting evolution in webservers:

    OS        Web server                                                     Date         IP address       Netblock owner
    unknown   Apache                                                         27-Jan-2004  216.250.128.12   NFT
    Linux     Apache                                                         12-Dec-2003  216.250.128.12   NFT
    unknown   Apache                                                         11-Dec-2003  216.250.128.12   NFT
    Linux     Apache                                                         3-Sep-2003   216.250.128.12   NFT
    Linux     Apache                                                         21-Aug-2003  216.250.140.112  NFT
    Linux     Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.3.2-RC  17-Jun-2003  216.250.140.112  NFT
    Linux     Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.0.3pl1  20-Nov-2002  216.250.140.112  NFT
    Linux     Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.0.3pl1  14-Aug-2002  216.250.140.125  NFT
    SCO UNIX  Netscape-FastTrack/2.01                                        13-Aug-2002  132.147.210.109  Caldera, Inc.
    SCO UNIX  Netscape-FastTrack/2.01                                        12-Aug-2002  132.147.210.109  Caldera, Inc.

    From SCO to Linux? Linux running as recently as December 2003? Of course, since they own Linux, I guess this is ok...

    by DavidTC (10147) on Tuesday January 27, 2004 @02:04PM (#8101850) Homepage
    Actually, the point is that no one knows what happened to the Neanderthals. Either Cro-mags killed them all, or they interbred with us, or quite possibly a combination. (Kill the dominant men, rape the women, lord over the lesser men for a few generations until there's no 'us' and 'them', just 'us'.)

    I suspect it's the last one, unless it turns out that they couldn't interbreed. In which case we rather obviously wiped them out.
