MyDoom Windows Worm DDoSing SCO
We mentioned the myDoom Worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at NetCraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.
SCO ought to start getting hit hard today as office workers and the like start checking their email around 9 Eastern and running the virus. It'll be interesting to see what SCO's reaction will be. Almost like the calm before the storm ;-)
I thought the worm was set to start the DDOS on February 1. So why is SCO showing a DDOS right now?
Was the February 1 thing made up? I've not yet received the virus in my email so I can't check the code for myself.
Or (I consider this more plausible) has SCO taken their own site down with the intention of blaming the "Linux terrorists", but they stupidly took it down 3 days too early.
It's too early to call this one. Relax and pass the popcorn.
One line blog. I hear that they're called Twitters now.
It is actually nice to have SCO.com messed around with, just because they will be forced to use LINUX/APACHE to survive the attack... I guess SCO stock will fall again, just because they will be needing to hire an Akamai server just like Microsoft did. Linux to save their enemies. Ironic.
Putting a Windows CD in backwards plays evil messages, but it gets worse: putting it in right installs Windows.
...millions of people checking sco.com to see if it's still up? or...
...computers with clocks that aren't set correctly? or...
...the virus analysts misinterpreting the taskmon.exe when they decompiled it?
Maybe this is all just a big conspiracy by SCO to make the open-source community seem like a bunch of immature wotsits? I mean, think of all the positive SCO publicity they could milk out of this, not to mention maybe using it in the courts? Trying to associate the open-source community with the scum that writes viruses and worms etc.
I'll put my tin-foil hat on now I think.
Chris
This is going to be a serious blow to the moral credibility of the OSS community, not just Linux users.
We seriously need some sort of petition stating we do not support Linux or OSS, but not underhanded tactics like DDOSing and viruses.
I'd like to know how worried I should be about Windows machines with Thunderbird installed.
This may be the last straw. I've been thinking about moving all 3-4 of my work machines (p200) to Beos with Fire/Thunderbird and Gobe Productive - I'm tired of the viruses, and I'm tired of maintaining Windows.
This virus was probably written by some dingbat who KNOWS what kind of harm it will cause to the Free Software community.
:)
Yeah, I know it's far-fetched, and probably untrue, but some people need to grow up and realize that the only useful weapons against SCO are FACTS.
Either that or a big budget with which to purchase them... but their IP is so worthless, who would buy them?
That's pretty funny: if SCO claims this virus contains portions of their code, they could sue the pants off everyone who has the virus on their machines. Imagine millions and millions of people who have illegally obtained their property onto their machines... They could make riches off of this!
What's so bad about being lazy? What if there was a war and nobody showed up?
I think the real purpose of this worm is to enable spammers to work more comfortably and safely. The attack at SCO conveniently distracts attention from this, and on to the spam-hating linux community.
xkcd is not in the sudoers file. This incident will be reported.
The people who read these AV stories do not represent the "average" user who is more inclined to fall for the worm's social engineering. Nor would they be opening the "63 connections per second" to sco.com being touted by the AV vendors for that matter. I suspect that blip is going to pale into insignificance compared to the amount of traffic they are going to get come February. It's a fair bet that SCO will be denouncing the "Linux hackers" as being the culprits in numerous press releases as well, they may be right on that, they may not, but it's sure as hell going to get them a lot of sympathy.
This isn't going to help OSS's case at all, and the only saving grace is the February 12th cut off. Then again, I've yet to see anything about what happens to the port the worm listens on come the deactivation date, or what instructions that port might accept.
UNIX? They're not even circumcised! Savages!
Or (I consider this more plausible) has SCO taken their own site down with the intention of blaming the "Linux terrorists", but they stupidly took it down 3 days too early.
Not that I don't think your idea is a serious possibility, but SCO is probably being slashdotted by all the people who want to see if it is down.
Tinfoil Hat idea #3: Since this is being spread by Kazaa, perhaps the RIAA is trying to scare file traders off of the Kazaa networks but ensure the virus is blamed on someone else. SCO haters are a dime a dozen.
Enough for now, I've got to finish rereading Catcher in the Rye.
Please tell me I'm missing a whole load; most of the strings found in the binary are readable after de-UPX-ing, then ROT13ing. About half are ROT13d, half aren't.
Ah well, I'm probably totally wrong, but it just sounds odd.
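The check the post above describes (de-UPX the binary, then see which strings only read as text after ROT13) can be automated. The script below is an added example for this thread, not code from the post or from the worm: it pulls printable runs from a blob the way strings(1) does, scores each run and its ROT13 form against English letter frequencies, and reports which form is the readable one. The sample blob is constructed for the example, and the frequency table and the 0.3 verdict margin are my own assumptions.

```python
"""Find ROT13-obfuscated strings in a binary blob.

Added example: extract printable runs, score raw vs. ROT13 against English
letter frequencies, and report which form reads as text. The sample blob at
the bottom is constructed for this example, not taken from any real file.
"""
from __future__ import annotations

import codecs
import math
import re

# Approximate English letter frequencies in percent (a standard reference
# table). Assumption: the strings of interest are English words, file names
# and host names, so English frequencies are a reasonable yardstick.
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}

# Minimum score gap (nats per letter) before calling a verdict. Chosen by
# hand for this example; short runs with few letters stay "unknown".
MARGIN = 0.3


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Like strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def english_score(s: str) -> float:
    """Mean log-probability of the letters in s under ENGLISH_FREQ.

    Higher is more English-like. Digits and punctuation are ignored, so a
    run with no letters scores -inf and can never be called ROT13.
    """
    letters = [c.lower() for c in s if c.isalpha()]
    if not letters:
        return float("-inf")
    return sum(math.log(ENGLISH_FREQ[c] / 100.0) for c in letters) / len(letters)


def rot13(s: str) -> str:
    return codecs.decode(s, "rot_13")


def classify(s: str, margin: float = MARGIN) -> tuple[str, str]:
    """Return (readable_form, verdict), verdict in {plain, rot13, unknown}.

    A run is called ROT13 only if its ROT13 form scores clearly better than
    the raw bytes; near-ties (e.g. "1.2.3.4", or two runs that both look
    like gibberish) are left as "unknown" rather than guessed.
    """
    raw_score = english_score(s)
    decoded = rot13(s)
    dec_score = english_score(decoded)
    if dec_score - raw_score > margin:
        return decoded, "rot13"
    if raw_score - dec_score > margin:
        return s, "plain"
    return s, "unknown"


def analyze(blob: bytes) -> list[tuple[str, str, str]]:
    """(raw_run, readable_form, verdict) for every string run in blob."""
    return [(s, *classify(s)) for s in extract_strings(blob)]


def _obfuscate(text: str) -> bytes:
    """ROT13 a string, the way the poster saw half the strings stored."""
    return codecs.encode(text, "rot_13").encode("ascii")


# Constructed sample "binary": some header-ish bytes, two plain strings and
# two ROT13'd strings, separated by NULs and other non-printable bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + b"taskmon.exe\x00\x7f\x01\x02"
    + _obfuscate("www.sco.com") + b"\x00\x05\x05"
    + _obfuscate("connect to the target web server") + b"\x00"
    + b"GET / HTTP/1.1\x00\xff\xfe\x00"
)

if __name__ == "__main__":
    for raw, readable, verdict in analyze(SAMPLE_BLOB):
        print(f"{verdict:8} {raw!r:40} -> {readable!r}")
```

On a real unpacked sample, replace SAMPLE_BLOB with the file contents (`open(path, "rb").read()`); the frequency test is deliberately conservative, so a short ROT13'd host name with few letters may come back "unknown" and should be eyeballed rather than trusted either way.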
So their hypocrisy has repeatedly been pointed out in their claims of the GPL being an illegal economy killer while they use Samba3. But I'd never noticed it being pointed out that they're using Apache (not GPL, granted, but still an open source license nonetheless) for their web server, and as recently as December 12 (according to the Netcraft link in the story) have been running it on Linux. I know I shouldn't be surprised, but c'mon ...
Anyone antisocial and misdirected enough to spend effort writing software that does damage cannot have enough of a sense of wrong and right to give a damn about the SCO case.
This is someone who just wants to feel important and who thinks that by DDoS'ing SCO everyone will call him a hero.
Well, you stupid ignorant bastard, if you're reading this, and you probably are since you expect that the Slashdot hordes will applaud your bravery in damaging thousands of people's computers, NO ONE ADMIRES YOU. We spit on you, you're the bastard offspring of a lemming and a hamster and your mother had a beard!
With enemies like this SCO hardly needs friends. Anyone who wants to see SCO suffer for the wrongs they have done should unequivocally condemn such acts of terrorism. SCO will be broken by the weight of justice and right, not by mindless thugware.
Ceci n'est pas une signature
How sweet would it be to *prove* SCO is behind this.
Don't you find it suspicious that viruses always try to DDoS websites like sco.com, whitehouse.gov or microsoft.com?
If you wanted to write a virus that will survive, wouldn't you target an antivirus company, like symantec.com, mcafee.com or pandasoftware.com?
Great News!!
I witnessed it on the first visit!
Really though, I wanted to see if they might have added a news piece on their site regarding what was already known to be a pending attack.
I mean..they had to know right? Surely someone warned them, or does really -no one- like them. I think that's pretty likely.
And being that McBride is pushing on with the lawsuits, I would say it's safe to say that he doesn't bother reading the news...
Is this ethical? No.
Do they deserve it? Yes.
Have they been asking for it? Absolutely.
SCO aren't only the bully, they are the bully who has the rules on his side. "The system" is pretty guilty of aiding and supporting their dirty tricks. So it was only a matter of time until someone stepped outside the rules to get even.
Actually, I'm surprised it's just a small DDoS. I'd have more expected that their LAN gets wasted.
Assorted stuff I do sometimes: Lemuria.org
"if you have to become evil to fight evil, why are you fighting it?"
As much as I think that the SCO leeches are slimy forked-tongue greedy selfish two-faced hypocrite lying b@stards, I have to say that those folks who are purposefully attacking them are only helping their cause and hurting the perception of the open source community.
Let them kill themselves. The industry is aligned against them, and you can bet they will castrate them before it's over.
Is the juice worth the squeeze?
Now, I recall, the other day Bill Gates vowed to kill spam and worms, and now this? Looks like he has his work cut out for him there....
This has gotta be the Nth time I've seen reports that a worm has put an executable file into an area of the system that really should have been off-limits to anything not really needing to go there. So what does an E-mail program have to do of meaningful work in the OS code directories? Beats me...
I can offer a hint to Mr. Gates: Rework Windows so that it not only does not require Administrator rights to operate normally, but actually disallows certain operations when being Administrator as well. Such as running browser or e-mail programs.
Make sure no ordinary users can run processes that can write anything at all into the areas not set aside for that user, and the common temporary files area. I suspect there has to be some redesign, but I cannot see how this nonsense can be stopped otherwise.
SIGBUS @ NO-07.308
Expect more associations between digital terrorism and Linux (as a catch-all media term for "free software"). The greatest threats to any revolution are:
I strongly suggest people become more familiar with how government and industry have undermined and perverted various revolutions. Start with COINTELPRO, an FBI campaign of the 1960s and 70s. And then read a bit of the history of the Homestead strike.
From undermining the right to vote (via electronic "voting") to lying about WMDs in Iraq -- do you honestly think such people will ignore the threat posed by free software to the lucrative commercial software industry? SCO's assault on free software may only be the tip of an iceberg...
All about me
They very easily could. The way I see it, and perhaps the way the virus writers see it, is that SCO WILL NOT STOP. They are running the company into the ground, they are losing genuine sales, they are in a public relations nightmare, staff of theirs that I know are feeling the PR pinch, and their leader is on a mission to do one thing: badmouth Linux until the day he is forced not to.
Who else releases press releases deriding competitors or about lawsuits for a year straight, with NO press releases regarding actual real products?
Their goal is spreading FUD, and while they are the SCO group and are allowed to do so, they will keep doing it. If this court case with IBM, and the one with Novell, go on for another 3 years, all through that SCO will release statement after statement to the press speaking rubbish about Linux and threatening normal users. They won't stop until they are made to.
Since the law protects them and allows them to keep making these statements, the only thing that will stop them is something like a DDoS, and that's the situation we have.
The attack on SCO is most likely just a diversion. A simple distraction from the actual goal... to turn millions of machines into zombies which can be used to conduct illegal activities (phishing scams), or can turned into email/spam relays to be sold to spammers.
It's already been established that Mydoom installs a backdoor and allows routing of tcp/ip connections to mask the identity of the originator. More or less exactly what scammers hoping to defraud ordinary people of banking details (phishing) need. Also the standard approach to turning machines into a valuable asset that can be sold to spammers in need of mail relays or "bulletproof hosting" for their websites that host the images all those spam messages reference.
Attacking SCO is a smart diversion.... especially if SCO takes the bait and publishes a flamebait press release (seems almost certain), which will of course provoke a response from the free software / open source communities. Lots of free press to help divert the anger of millions of (clueless) victims towards the very visible open source and free software people, and SCO, and away from the real criminals.
Judging from most of the comments here on Slashdot so far, it appears to be working perfectly.
PJRC: Electronic Projects, 8051 Microcontroller Tools
A better DDOS would be a smtp based attack. If you flooded your enemy's MXers it would hurt them more than taking out their web site.
-- Bird in the Bush: The Renewable Energy Blog http://www.birdinthebush.org
I got a copy of this virus before I left for work this morning, saw the mail and thought "ok, I don't know them and it's got an attachment, it's a virus", opened up the zip for a look though and saw the payload.
"Fair enough, a new virus, I gotta go to work."
Flash forward 7 hours to now and I can't *believe* what a great opportunity this virus has afforded me and no doubt countless others reading.
The mailbox it was delivered to was a spamtrap, chances are spamtraps all over the world are being sent the real, legitimate IP addresses of spammers dumb enough to click malicious attachments.
Viruses are bad, DoSing SCO is bad, but god damn, all this time we've been bitching and moaning about viruses when we could have been using them on spamtrap addresses to track down spammers to their *own* internet connection.
Get over it. Yes, SCO is a company that appears to be litigating themselves into profitability, at least until they can manage a stock dump. Yes, they are lobbying Congress with lies about the GPL and the open source movement.
But this doesn't justify a lynch mob. What you are doing is illegal.
If that doesn't convince you, think of the millions of people whose days are inconvenienced and/or wrecked. Don't you think that their misery far exceeds any temporary hurt you could deal to SCO? It's not like they need to have a whole lot of internet connectivity to litigate their cases. If anything, being DOS'ed helps them make their point.
Think of the big picture. Act responsibly.
There is much pleasure to be gained in useless knowledge.
Anyone notice the bottom of the Netcraft report (under OS, Web Server and Hosting History for www.sco.com)?
OS       Server  Date         IP address      Netblock owner
unknown  Apache  27-Jan-2004  216.250.128.12  NFT
Linux    Apache  12-Dec-2003  216.250.128.12  NFT
Now we know why they were too busy to respond to the judge's discovery order - they were getting their website converted over to another OS (or hiding that the OS was Linux).
Curiously, the netcraft site shows they tried this for a day earlier in December and presumably had problems with the cutover. The full Netcraft report shows an interesting evolution in webservers:
OS        Server                                                         Date         IP address       Netblock owner
unknown   Apache                                                         27-Jan-2004  216.250.128.12   NFT
Linux     Apache                                                         12-Dec-2003  216.250.128.12   NFT
unknown   Apache                                                         11-Dec-2003  216.250.128.12   NFT
Linux     Apache                                                         3-Sep-2003   216.250.128.12   NFT
Linux     Apache                                                         21-Aug-2003  216.250.140.112  NFT
Linux     Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.3.2-RC  17-Jun-2003  216.250.140.112  NFT
Linux     Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.0.3pl1  20-Nov-2002  216.250.140.112  NFT
Linux     Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.0.3pl1  14-Aug-2002  216.250.140.125  NFT
SCO UNIX  Netscape-FastTrack/2.01                                        13-Aug-2002  132.147.210.109  Caldera, Inc.
SCO UNIX  Netscape-FastTrack/2.01                                        12-Aug-2002  132.147.210.109  Caldera, Inc.
From SCO to Linux? Linux running as recently as December 2003? Of course, since they own Linux, I guess this is ok...
I suspect it's the last one, unless it turns out that they couldn't interbreed. In which case we rather obviously wiped them out.
If corporations are people, aren't stockholders guilty of slavery?