MyDoom Windows Worm DDoSing SCO

We mentioned the myDoom Worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at NetCraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.

According to Symantec...

[no_nicks_available]

the DOS isn't supposed to start until Feb 1. Maybe this is related to some sort of network "hardening" in preparation. More info [symantec.com]

Re:Something Doesn't Add Up

[GrenDel Fuego]

SCO has been under repeated DDOS attacks for months now. Netcraft is most likely showing details on those ones.

dupe

[CGP314]

Here is the origional story on slashdot:

There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.

So tell me again, what new information did we learn between now and then. Looks like slashdot just loves SCO stories to me, even if they are repeats.

--
In London? Need a Physics Tutor? [colingregorypalmer.net]

American Weblog in London [colingregorypalmer.net]

Funny, I think:

[cockroach2]

On the bottom of the netcraft report you can see an OS history of www.sco.com - apparently they switched from SCO UNIX to Linux in August 2002...

Re: Understand though...

[Quantum-Sci]

The hammering of SCO doesn't start until Feb 1 though. Supposed to be Feb 1-12.

I received three of these yesterday, and it's been ages since I received anything with a virus. Must be massive.

DDoS

[savagedome]

Note that the DDoS attack is timed to be performed between 1st and 12th Feb, 2004 [ca.com].

Re:Transmission require OE?

[codepunk]

Yes it does use outlook (the typhoid mary of the internet) to spread itself. I suggest you stick with windows as being a Linux administrator is a very lonely job. It is very much like being a Maytag repairman, nobody ever calls.

It has a hidden payload, you FOOLS

[Anonymous Coward]

ripped straight from www.sophos.com:

W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.

Re:I don't get the joke...

[Kredal]

the s/foo/bar command will replace all instances of "foo" with "bar". In this example, it changes "this" to "their".

Here is my attempt to render an explanation...

[Scoria]

s/is/eir

It is a regex [regular-expressions.info] statement. Essentially, the string typically instructs a language interpreter (PERL, for instance) to search for a pattern and subsequently replace it.

In this case, it is replacing any instances of "is" with "eir"; thus, the following alteration is committed:

Before: but it's always sad to watch someone stoop to this level
After: but it's always sad to watch someone stoop to their level

Get your facts straight...

[JRHelgeson]

The DDoS against SCO.com doesn't start until the infected machine is rebooted any time after February 1, 2004 at 00:00:01 and will continue until the machine is rebooted after February 12, 2004. At that point in time, the DDoS will stop and the infected host will keep its back door open - listening on ports 3127 to 3198 TCP (It only listens on one port, but if 3127 isn't available it'll listen on the next port on up the chain). Presumably, after 12 Feb, the infected machine will be used as a spam relay as the virus obviously has Message Transfer capabilities encoded within it.

The graphs that are linked to in the /. story simply illustrate that SCO's shxt keeps on crashing - which is not really suprising after Darl had to fire the network admin to feed his Lawyer habit.

Re:Something Doesn't Add Up

[fishbert42]

... there is no fscking point in sending the "you sent me a virus" panic mail.

Actually, there is... but in sending an email to others who know your email address. For example, I got 3 messages yesterday which contained this virus. Now, from what I understand, this worm pulls email addresses from one's computer, and sticks those addresses in the 'from' field. One of those emails I received was "from" the United States Air Force Band's Singing Sergeants Yahoo Group. That's pretty specific, so I sent everyone I know (who runs windows) a message saying, basically, that if you know of the Singing Sergeants, or these few other email addresses, then it's likely you have this worm.

Sending a "you gave me a virus" email to whomever is in the 'from' field is pretty useless, but the above tactic may prove helpful for this particular worm. At the very least, it lets other (possibly less-informed) folks know there's a worm about, and reminds them to practice good email usage (not opening unexpected attachments, etc.) and to update their anti-virus software.

Re:Change domain

[BenBenBen]

Maybe theyll change their domain name like M$ did to bastards.sco.com instead of sco.com/bastards

Windows Update exists at windowsupdate.com and v4.update.microsoft.com or similar.

The dDOS was just aimed at the first one, whilst all links (web and local) to Windows Update point at the other one. The attack was therefore not hugely disruptive, especially once a nice layer of properly hardened computers [openbsd.org] was in the way.

According to NetCraft, SCO is currently pinging at about the 16 second mark - are there really that many computers with fast clocks, or is it bad coding, or is something else happening here? Feb 1st is supposed to mark the start of the GET storm.

Meanwhile, for Postfix admins...

[sunset]

I just created and installed a Postfix remedy for this recent deluge, and thought I'd pass it on.

In main.cf, insert this:

body_checks=pcre:/etc/postfix/virus_body_checks

Create a file virus_body_checks containing this:

/^TVqQAAMAAAAEAAAA\/\/8AALg/ REJECT Microsoft executable attachments are not allowed here.
/^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.

If anyone has an improved solution, let me know, but this seems to work.

On the contrary....

[Elusive_Cure]

Quoting from parent : "all this time we've been bitching and moaning about viruses when we could have been using them on spamtrap addresses to track down spammers to their *own* internet connection."

1. 
   
   ... On the contrary, that's what honeypots all over the web do, it's a fairly effective way to back-trace spam...

Re:Meanwhile, for Postfix admins...

[TwinkieStix]

I would have moderated this as informative, but I'm going to reply instead. We're going to take your idea and change it in two ways. First, it appears that the virus is forging the senders address, so we shouldn't reply to the message because it causes undue hysteria. Instead, we're going to simply send the virus to /dev/null with a procmail script after postfix gets the message:

:0 B
* ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
/dev/null

Does this work for everybody? We haven't gotten another e-mail since implimenting it.