Slashdot Mirror

← Back to Stories (view on slashdot.org)

MyDoom Windows Worm DDoSing SCO

Posted by ryuzaki0 on from the now-thats-just-not-cool dept.

We mentioned the myDoom Worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at NetCraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.

16 of 694 comments (clear)

  1. According to Symantec... by no_nicks_available · · Score: 3, Informative

    the DOS isn't supposed to start until Feb 1. Maybe this is related to some sort of network "hardening" in preparation. More info

  2. Re:Something Doesn't Add Up by GrenDel+Fuego · · Score: 1, Informative

    SCO has been under repeated DDOS attacks for months now. Netcraft is most likely showing details on those ones.

  3. dupe by CGP314 · · Score: 1, Informative

    Here is the origional story on slashdot:

    There is a new virus out by the name of Novarg which can infect all Windows versions from 95 to XP. It has two interesting features - first, in addition to mass mailing, it also distributes itself via the P2P network Kazaa. Second, it can perform a denial-of-service against www.sco.com. Details at Symantec and F-Secure, although neither seems to have finished their analysis." Other readers have sent in links to coverage at CNET and Security Response, and Russ Nelson provides a sample message.

    So tell me again, what new information did we learn between now and then. Looks like slashdot just loves SCO stories to me, even if they are repeats.

    --
    In London? Need a Physics Tutor?

    American Weblog in London

  4. Funny, I think: by cockroach2 · · Score: 5, Informative

    On the bottom of the netcraft report you can see an OS history of www.sco.com - apparently they switched from SCO UNIX to Linux in August 2002...

  5. Re: Understand though... by Quantum-Sci · · Score: 2, Informative

    The hammering of SCO doesn't start until Feb 1 though. Supposed to be Feb 1-12.

    I received three of these yesterday, and it's been ages since I received anything with a virus. Must be massive.

    --
    Campaign finance reform is national security.
  6. DDoS by savagedome · · Score: 4, Informative

    Note that the DDoS attack is timed to be performed between 1st and 12th Feb, 2004.

    --


    Free XBox, PS2
  7. Re:Transmission require OE? by codepunk · · Score: 4, Informative

    Yes it does use outlook (the typhoid mary of the internet) to spread itself. I suggest you stick with windows as being a Linux administrator is a very lonely job. It is very much like being a Maytag repairman, nobody ever calls.

    --


    Got Code?
  8. It has a hidden payload, you FOOLS by Anonymous Coward · · Score: 3, Informative

    ripped straight from www.sophos.com:

    W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.

  9. Re:I don't get the joke... by Kredal · · Score: 3, Informative

    the s/foo/bar command will replace all instances of "foo" with "bar". In this example, it changes "this" to "their".

    --
    Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
  10. Here is my attempt to render an explanation... by Scoria · · Score: 2, Informative

    s/is/eir

    It is a regex statement. Essentially, the string typically instructs a language interpreter (PERL, for instance) to search for a pattern and subsequently replace it.

    In this case, it is replacing any instances of "is" with "eir"; thus, the following alteration is committed:

    Before: but it's always sad to watch someone stoop to this level
    After: but it's always sad to watch someone stoop to their level

    --
    Do you like German cars?
  11. Get your facts straight... by JRHelgeson · · Score: 4, Informative
    The DDoS against SCO.com doesn't start until the infected machine is rebooted any time after February 1, 2004 at 00:00:01 and will continue until the machine is rebooted after February 12, 2004. At that point in time, the DDoS will stop and the infected host will keep its back door open - listening on ports 3127 to 3198 TCP (It only listens on one port, but if 3127 isn't available it'll listen on the next port on up the chain). Presumably, after 12 Feb, the infected machine will be used as a spam relay as the virus obviously has Message Transfer capabilities encoded within it.

    The graphs that are linked to in the /. story simply illustrate that SCO's shxt keeps on crashing - which is not really suprising after Darl had to fire the network admin to feed his Lawyer habit.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  12. Re:Something Doesn't Add Up by fishbert42 · · Score: 3, Informative

    ... there is no fscking point in sending the "you sent me a virus" panic mail.

    Actually, there is... but in sending an email to others who know your email address. For example, I got 3 messages yesterday which contained this virus. Now, from what I understand, this worm pulls email addresses from one's computer, and sticks those addresses in the 'from' field. One of those emails I received was "from" the United States Air Force Band's Singing Sergeants Yahoo Group. That's pretty specific, so I sent everyone I know (who runs windows) a message saying, basically, that if you know of the Singing Sergeants, or these few other email addresses, then it's likely you have this worm.

    Sending a "you gave me a virus" email to whomever is in the 'from' field is pretty useless, but the above tactic may prove helpful for this particular worm. At the very least, it lets other (possibly less-informed) folks know there's a worm about, and reminds them to practice good email usage (not opening unexpected attachments, etc.) and to update their anti-virus software.

  13. Re:Change domain by BenBenBen · · Score: 2, Informative
    Maybe theyll change their domain name like M$ did to bastards.sco.com instead of sco.com/bastards
    Windows Update exists at windowsupdate.com and v4.update.microsoft.com or similar.

    The dDOS was just aimed at the first one, whilst all links (web and local) to Windows Update point at the other one. The attack was therefore not hugely disruptive, especially once a nice layer of properly hardened computers was in the way.

    According to NetCraft, SCO is currently pinging at about the 16 second mark - are there really that many computers with fast clocks, or is it bad coding, or is something else happening here? Feb 1st is supposed to mark the start of the GET storm.

    --
    The Slashdot Paradox: "100% Overrated"
  14. Meanwhile, for Postfix admins... by sunset · · Score: 4, Informative

    I just created and installed a Postfix remedy for this recent deluge, and thought I'd pass it on.

    In main.cf, insert this:

    body_checks=pcre:/etc/postfix/virus_body_checks

    Create a file virus_body_checks containing this:

    /^TVqQAAMAAAAEAAAA\/\/8AALg/ REJECT Microsoft executable attachments are not allowed here.
    /^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.

    If anyone has an improved solution, let me know, but this seems to work.

    1. Re:Meanwhile, for Postfix admins... by TwinkieStix · · Score: 3, Informative

      I would have moderated this as informative, but I'm going to reply instead. We're going to take your idea and change it in two ways. First, it appears that the virus is forging the senders address, so we shouldn't reply to the message because it causes undue hysteria. Instead, we're going to simply send the virus to /dev/null with a procmail script after postfix gets the message:

      :0 B
      * ^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA
      /dev/null

      Does this work for everybody? We haven't gotten another e-mail since implimenting it.

  15. On the contrary.... by Elusive_Cure · · Score: 2, Informative
    Quoting from parent : "all this time we've been bitching and moaning about viruses when we could have been using them on spamtrap addresses to track down spammers to their *own* internet connection."


    1. ... On the contrary, that's what honeypots all over the web do, it's a fairly effective way to back-trace spam...
    --
    Roses are red, violets are blue, most poems rhyme, but this one doesn't... ;^)