Mydoom worm shuts SCO Group down

Yesterday, Microsoft and SCO Group had two things in common – each was under threat from the Mydoom virus, which had threatened to knock both their sites down on Super Bowl Sunday, February 1. And each carried an identical pictorial warning on its main web page.

At around 9:00 am Pacific on February 1, when you tried to reach www.sco.com, all you got was “Could not connect to remote server.” Microsoft’s site was, however, still standing and still carrying its “What you should know …” warnings.

Confirming that SCO’s web page was indeed offline, SCO Group spokesman Jeff Carlon was quoted by Reuters here as saying: “While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning.”

Finland’s F-Secure was the first company to report “a world-wide denial-of-service attack from every infected computer against the website of SCO, one of the largest Unix vendors in the world” on January 26 when it issued its Radar Level 2 Alert, raising it to Radar 1, its highest level, only 110 minutes after the first Mydoom sample was received.

Mydoom, also known as Novarg, was spreading through email attachments and the Kazaa p2p file-sharing network. “There are a lot of kids out there who feel like SCO’s attacking them,” said F-Secure’s Mikko Hypponen, director of anti-virus research. “Apparently some of them decided that it’s OK to attack back.”

This was a reference to SCO’s claim “that the Linux operating system was violating SCO’s intellectual property rights in UNIX technology,” said F-Secure.

Then came Mydoom.B which, although it wasn’t spreading as quickly as Mydoom.A, was also programmed to strike www.microsoft.com.

It didn’t spread as quickly as the first worm but, ominously, “It’s quite likely that we will have a new version soon, there is nothing holding the creator back, especially since the B version did not turn out to be that successful,” said Hypponen.

And there was another fear – that the attacks were smoke-screens to draw attention away from the fact that the worms open backdoors in infected computers, so that Mydoom’s authors and/or associates can later remotely enter the machines at will.

F-Secure has also released a free tool which will remove Mydoom from infected systems. It can be downloaded here.

In the meanwhile, a posting from mph on Netcraft here reads:

Much of the commentary on the SCO distributed denial of service scenario, including our own, has been based on the premise that SCO badly wants to keep their web site running. This may not be the case: unlike Microsoft, which has a real business to run and a real need to keep its web site operational, SCO Executives may not strongly care about the availability of www.sco.com. After all, Michael Doyle’s half a billion dollar patent win against Microsoft scarcely hinged on the response times of the Eolas web site.

In fact, the author of the MyDoom virus has delegated control of directing the most enormous volume of http traffic that the Internet has yet seen to hostmaster@sco.com. On a whim, SCO can direct that Tsunami at an object of their choosing, simply by changing an A record in named.conf in time for the change to propagate by Sunday.

In this context, SCO Executives may have latitude to consider alternative defenses which do not involve having to parlay with low-down-no-good-Linux-loving-CDN-providers.

Solution 1: Move the SCO site to somewhere that has the clue and the clout to cope.
Consequences: SCO Executives buy a small business shared hosting account at Yahoo, noting that it runs on FreeBSD, not Linux, and point www.sco.com at the new account.

webhosting.yahoo.com stays up, and serves all the http requests from the infected machines at the same speed that the www.yahoo.com front page normally loads. Virus author kicks the cat in frustration. SCO’s entire corporate cash resources exhausted by Yahoo’s bandwidth surcharges in the first eight minutes. Yahoo pre-announces record quarter for hosting division.

Solution 2: Take www.sco.com out of the DNS.
Consequences: Everyone has a quiet weekend. SCO Execs drink Budweiser and watch the Superbowl. Global media considers that the virus author ‘has won’. Anti-virus company Execs do not return journalists’ calls on ‘What was all that fuss?’

Solution 3: Point www.sco.com at someone you don’t like.
Consequences: SCO Executives take a poll on which web site annoys them the most. Slashdot wins. hostmaster@sco.com CNames www.sco.com to slashdot.org. SCO Execs cackle demonically at the prospect of slashdotting Slashdot.

Linux community notices DNS change propagating within five minutes. Eric Raymond calls for ‘restraint in the face of SCO’s continual provocation’. Undeterred, Linux community launches internet-wide round the clock hackathon, and finds six ‘trivially insecure’ US military installations shortly after the US military go home on Friday afternoon. Spend Saturday soaking up the totally awesome graphics on the Stealth bomber flight simulators, and then obliterate most of Utah, sco.com name servers and all, on Sunday morning hours before the DDoS is due to hit Slashdot. SCO Execs still laughing themselves helpless about the /. Effect when the bomb hits.

New, previously unknown Linux Thought Leader declares that ‘we have met the enemy, and they are gone’. Traffic to Slashdot triples, Hemos weeps about the size of OSDN’s unsold banner inventory. Follow up posts enthuse about the quality of the stealth bomber user interface, then propose that they should sort out ‘the problem in Redmond’ before they give the US Military their network back in time for Monday morning. New Linux Thought Leader concurs, adding that there’s a carding site in Moscow that really ticks him off, too. Armageddon.

Solution 4: Get to the Windows machines before they go off.
Consequences: SCO executives persuade Slashdot readers that Windows machines are their common enemy and that the enemy of my enemy is my friend. Someone in the Linux community notices Colin Percival’s Depenguinator program, and considers that with some minor modifications, it can be distributed by the MyDoom virus, and as its payload, download and install Debian 3.0r2, KDE, Open Office and Evolution. Changes name of program to ‘De Penguinator’.

Entire set of infected Windows machines is reached and either comes up running Debian or crashes stone dead trying. No denial of service attack occurs. SCO sends licence fee demands to owners of all the previously infected windows machines. They happily pay up and SCO splits the proceeds with Slashdot readers.

Solution 5: SCO Execs point www.sco.com at the loopback address 127.0.0.1, end lawsuits, dismiss lawyers, and invest remaining corporate cash reserves in call options in Dell & Microsoft stock.
Consequences: No denial of service traffic whatsoever seen on the Internet. Millions of Windows users notice that their computer is running extremely slowly. Many buy new machines, which fixes the problem. Dell & Microsoft stock rises. Everyone lives happily ever after.


One Response to “Mydoom worm shuts SCO Group down”

  1. Reader's Write Says:

    This is even more funny now that /. is currently DOWN… anybody know why?
