Living up to its namesake, the Mydoom mass-mailing worm succeeded in bringing sco.com to a grinding halt on Sunday as thousands of infected computers launched a distributed denial of service (DDoS) attack on Lindon Utah-based The SCO Group Inc.’s primary Web site.
The DDoS attack began early Sunday as Mydoom-infected computers worldwide followed instructions to send messages to www.sco.com, overloading the company’s Web servers. It is one of the largest DDoS attacks on record, antivirus experts said.
In a statement, SCO confirmed the attack, saying that requests sent to www.sco.com from Mydoom-infected computers were responsible for making its Web site “completely unavailable” Sunday. The company’s reaction was to take sco.com offline and replace it with thescogroup.com, SCO spokesperson Blake Stowell said. For the next 10 days the company will periodically bring sco.com online to see if the attack has diminished, Stowell said, but it is unlikely sco.com will be up and running before Feb. 13, the date Mydoom infected machines stop attacking sco.com.
SCO’s Web site was already slowed last week by traffic from Mydoom machines with incorrect clocks. However, the site became totally unreachable shortly after 5:00 PM Pacific Time Saturday, when infected machines in Asia began registering the new day, said Craig Schmugar, antivirus researcher at Network Associates Inc.’s (NAI) McAfee antivirus division.
The level of attack’s success did not surprise D K Matai, the London-based executive chairman of m12g Ltd. “SCO does not have the type of telecommunications bandwidth” necessary to defend against such a large number of infected machines — NAI estimates that between 25,000 and 50,000 machines were involved in the attack on www.sco.com — trying to access its site simultaneously, he said.
The b variant of the worm, designed to launch a DDoS against Microsoft Tuesday, will be less successful, Matai predicted. “It is easier to knock out a smaller company like SCO…(additionally) we suspect Microsoft has purchased extra clusters of bandwidth just in case.” But he said mi2g Web monitoring has already seen an increase in times required to download from Microsoft’s site, an indication an attack has already started from those machines in Asia where it is already Feb. 3, the launch date for b variant of the worm targeting Microsoft.com.
Sam Curry, a vice-president with Computer Associates International Inc. in New York, agreed that Microsoft is better positioned to weather the storm of a Mydoom DDoS. Microsoft has had more of a warning, has more resources to deal with an attack and is fortunate that the b variant of the worm (designed to attack it and SCO) constitutes less than 10 per cent of the infected machines, he said. Regardless, “it is not going to be a fun experience.”
Curry did add a caveat. The success of Mydoom’s attack on Microsoft will, to some extent hinge on the number of b variant infected machines that can successfully take over control of those machines infected with Mydoom a, and use them as additional zombies to attack Microsoft. “I am concerned it could get a whole lot worse,” he said.
Michael Murphy, Canadian general manager for Symantec Corp. in Toronto, said though Microsoft is unlikely to be brought down by Mydoom, overall the “Internet will feel some pain” from the increase in traffic from repeated requests to microsoft.com. Microsoft Corp. was unavailable to comment by deadline.
Murphy, Curry and Matai all agreed that Mydoom is a very sophisticated piece of malware but that there is nothing intrinsically new in the code, rather a crafty rework of known techniques. “It is perhaps a more tuned version of techniques that have been known for some time,” Curry said. The social engineering is “the most intelligent part” of the worm, Curry said, since it plays on user’s technical ignorance. Both experts said this is one of the reasons Mydoom was more successful gaining a foothold in the consumer market than the corporate world, where e-mail attachments are often automatically quarantined.
The writer or writers of Mydoom had a “familiarity with software techniques,” Curry said. “This wasn’t done with an automated tool…this wasn’t done with a build your own,” he said.
Machines that have been turned off for the weekend cannot attack. And, due to a coding error in the virus, only around one in four machines that are running and infected will launch an attack, Schmugar said.
Estimates of the number of machines infected by Mydoom vary widely. F-Secure Corp. of Helsinki and mi2g said that as many as one million machines may have the virus. NAI puts the number at around 500,000 systems.