Slashdot Mirror
MyDoom Windows Worm DDoSing SCO
We mentioned the myDoom Worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at NetCraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.
Maybe theyll change their domain name like M$ did to bastards.sco.com instead of sco.com/bastards
SCO ought to start getting hit hard today as office workers and the like start checking their email today starting around 9 Eastern, and running the virus. It'll be interesting to see what SCO's reaction will be. Almost like the calm before the storm ;-)
I thought the worm was set to start the DDOS on February 1. So why is SCO showing a DDOS right now?
Was the February 1 thing made up? I've not yet received the virus in my email so I can't check the code for myself.
Or (I consider this more plausible) has SCO taken their own site down with the intention of blaming the "Linux terrorists", but they stupidly took it down 3 days too early.
Seems like this is Linux's ultimate weapon of mass destruction because:
1. The virus makes M$ operating systems look bad.
2. The DDoS attack goes after every Linux lover's most hated target, SCO.
But I do feel sorry for the people forced to used Windows by PHBs or who are novice users that don't know better than to run e-mailed executables.
Two wrongs don't make a right, but three lefts do.
Within a week, Darl will be equating Linux developers with virus writers - "both are called hackers and both hate me" he'll say and some 'respectable' journalists will report it as true.
1000s Warcraft Gold while you sleep
Better yet, go here and keep clicking refresh - maybe you'll be the first to see the DDoS taking place!
Life is the leading cause of death in America.
s/is/eir
Flourescent (adj): smelling like ground wheat.
...they get to give SCO a great fat middle finger
No, not all of us support actions like this against SCO. It does drag people down to their level acting like this, but in the end, frustration does that to people. Not everyone, but some.
SCO has now, for a full 12 months, made threat after threat, claim after claim, that they can't backup, but there's no way to stop them. People get frustrated by their continuous whining.
A fly buzzing around my head annoys me. Usually, I'll slap it and kill it. That's taking me down to far below its level, but it's satisfying. Given several hundred million people annoyed with SCO, I'm surprised more haven't acted this way towards them.
FFS, if you know that a worm forges the sender address, DON'T send bounces to that address. Worms are relatively easy to filter, but the crap from the virus-scanners comes in seemingly endless variations. Some even have the nerve to advertise their anti-virus solution, followed by a copy of the worm-mail, binary attachment included. Yeah right, moron, you just sent a copy of the worm to me and you expect me to buy your anti-virus product???
It's too early to call this one. Relax and pass the popcorn.
One line blog. I hear that they're called Twitters now.
...millions of people checking sco.com to see if it's still up? or...
...computers with clocks that aren't set correctly? or...
...the virus analysts misinterpreting the taskmon.exe when they decompiled it?
This is very similar to the SETI@Home project. I'd like to try it out and run it for a while. How and where do I sign up?
Well maybe they didn't write it, but Im sure there is some SCO code in it.
Seems like it's about time SCO came up with a new business model. Here's my suggestion:
FROM: Mr. Darl McBride
Santa Cruz Organisation
Lindon, Utah
Dear Sir:
I have been requested by the Santa Cruz Organisation to contact you for assistance in resolving a matter. The Santa Cruz Organisation has recently concluded a large number of dubious security trades. These pump-and-dump operations have immediately produced moneys equalling US$75,000,000. The Santa Cruz Organisation is desirous of setting up business in other parts of the world, however, because of certain regulations of the U.S. Government, it is unable to move these funds to another region.
Your assistance is requested as a non-U.S. citizen to assist the Santa Cruz Organisation in moving these funds out of the U.S. If the funds can be transferred to your name, in your Swedish account, then you can forward the funds as directed by the Santa Cruz Organisation. In exchange for your accomodating services, the Santa Cruz Organisation would agree to allow you to retain 10%, or US$7.5 million of this amount.
However, to be a legitimate transferee of these moneys according to U.S. law, you must hold at least one license for Santa Cruz Organisation Intellectual Property, which are available at a cost of US$699.
If it will be possible for you to assist us, we would be most grateful. We suggest that you meet with us in person in Lindon, and that during your visit I introduce you to the representatives of the Santa Cruz Organisation.
Please call me at your earliest convenience. Time is of the essence in this matter; very quickly the U.S. Government will realize that the Federal Reserve is maintaining this amount on deposit, and attempt to levy certain depository taxes on it.
Yours truly, etc.
Darl McBride
These sigs are more interesting tha
On the bottom of the netcraft report you can see an OS history of www.sco.com - apparently they switched from SCO UNIX to Linux in August 2002...
SCO's Information Ministry can just point to this and claim more evil Linux users are trying to destroy the software business, etc.
We're right, and we know it. No self-respecting geek would stoop to participating in a DDOS in general, not to mention one against someone/something we consider to be morally bankrupt. We know that we can only claim the moral high road only if we actually stick to the high road... right?
It would be really interesting to find out if it's just some kids behind it, who aren't aware of the difference between right and wrong, or whether it's an entity who has a vested interest in making us look bad...
Get off my launchpad!
Anyone whose computer is infected with this worm is violating our IP! You must pay $699 for a license!
Now, with a proper sed'ing
Trolling using another account since 2005.
I think the real purpose of this worm is to enable spammers to work more comfortably and safely. The attack at SCO conveniently distracts attention from this, and on to the spam-hating linux community.
xkcd is not in the sudoers file. This incident will be reported.
The people who read these AV stories do not represent the "average" user who is more inclined to fall for the worm's social engineering. Nor would they be opening the "63 connections per second" to sco.com being touted by the AV vendors for that matter. I suspect that blip is going to pale into insignificance compared to the amount of traffic they are going to get come February. It's a fair bet that SCO will be denouncing the "Linux hackers" as being the culprits in numerous press releases as well, they may be right on that, they may not, but it's sure as hell going to get them a lot of sympathy.
This isn't going to help OSS's case at all, and the only saving grace is the February 12th cut off. Then again, I've yet to see anything about what happens to the port the worm listens on come the deactivation date, or what instructions that port might accept.
UNIX? They're not even circumcised! Savages!
MyDoom Windows Worm DDoSing SCO
But it's not DDOSing now. The attack is set to begin February 1st and end on the 12th.
The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.... The virus also copies itself to the Kazaa download directory on PCs, on which the file-sharing program is loaded.
I'm thinking, wow, whoever wrote this covered all the bases. He/She even got the Kazaa people.
Anyway, why don't ISPs, just for the time being, ban connections to SCO.com? It's not like it's a huge Internet portal or anything, and us geeks who actually need access to the site can just set up a mirror or something.
It does seem odd that the worm has a trigger to stop spreading on Feb 12. If SCO were to unleash a self-attacking worm, wouldn't they likely include such a provision?
--When you buy proprietary software, you don't get better software. What you get is the right to complain about it.
Note that the DDoS attack is timed to be performed between 1st and 12th Feb, 2004.
Free XBox, PS2
They deserve to have their claims refuted in a court of law, and hopefully they will have to pay damages, court costs, and issue full and public apologies, before going bankrupt. If it can be proved that they deliberately lied in these claims, they also deserve criminal charges brought against them.
Vigilanteeism, however, is just malice operating under false pretenses.
Welcome to my foes list.
Get off my launchpad!
Yes it does use outlook (the typhoid mary of the internet) to spread itself. I suggest you stick with windows as being a Linux administrator is a very lonely job. It is very much like being a Maytag repairman, nobody ever calls.
Got Code?
Anyone antisocial and misdirected enough to spend effort writing software that does damage cannot have enough of a sense of wrong and right to give a damn about the SCO case.
This is someone who just wants to feel important and who thinks that by DDoS'ing SCO everyone will call him a hero.
Well, you stupid ignorant bastard, if you're reading this, and you probably are since you expect that the Slashdot hordes will applaud your bravery in damaging thousands of people's computers, NO ONE ADMIRES YOU. We spit on you, you're the bastard offspring of a lemming and a hamster and your mother had a beard!
With enemies like this SCO hardly needs friends. Anyone who wants to see SCO suffer for the wrongs they have done should unequivocally condemn such acts of terrorism. SCO will be broken by the weight of justice and right, not by mindless thugware.
Ceci n'est pas une signature
Great News!!
I witnessed it on the first visit!
Really though, I wanted to see if they might have added a news piece on their site regarding what was already known to be a pending attack.
I mean..they had to know right? Surely someone warned them, or does really -no one- like them. I think that's pretty likely.
And being that McBride is pushing on with the lawsuits, I would say it's safe to say that he doesn't bother reading the news...
Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.
Yes, it makes me very sad. Can someone hand me a hanky? I think I need some alone time to cry about this.
The funny thing is that the virus isn't even supposed to start the DDoS until February 1st... STOP CLICKING HERE PEOPLE!
Life is the leading cause of death in America.
I'd recommend that we on the side of Free Software study the anti-abortion tactics with dealing with such incidents. The first, and most obvious step, is one that was taken last time: immediate and honest sounding disavowel of the actions of the DOSer. Its going to get old for RMS, ESR, Linus, Perens, etc continuously getting out and saying the same thing ("We don't support this, its wrong. We're still right, but the virus writers aren't with us, etc, etc, etc"), but it needs to happen.
I honestly don't know what the other successfull tactics are. I need to study how the respectable majority in the anti-abortion movement deals with its nutbags. Can anyone think of other movements with similar problems that we should look into?
"Mission Accomplished" -- George W. Bush May 1, 2003
I never even knew that SCO owned any ships, never mind that one of them had been boarded and plundered by pirates.
This attack only helps SCO. They get sympathy. What do the worm writers get?
Sir, it is obvious you have little to no understanding of the 1337 script kiddie culture. In exchange for a DDOS attack, the worm writers get something called mad pr0pz, which is a form of honor and integrity among those in the community.
Better yet can someone send me the virus in a handy network install so I can role it out onto our corp nets?
Server Error
The following error occurred:
[code=SERVER_RESPONSE_RESET] The server response could not be read because of an error. Contact your system administrator.
Please contact the administrator.
Woo-hoo ! I DoSed the SCO server with only one finger !
In Soviet Russia, our new overlords are belong to all your base.
I think that this is a great opportunity for members of the OSS comunity to "put their money where their mouth is" so to say...
I propose that the we work on a patch for this worm and get it out there ASAP, that way only tin foil hat wearing goofballs will believe we are behind this...
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
So far, since this worm started yesterday afternoon, I have received over a thousand worm emails and erroneous bounce messages (from mail servers who think that just because my address is on the mail that means I sent it).
And I don't even use any Microsoft products.
When is somebody going to file a class-action lawsuit against Microsoft for continuing to fail to address the security holes in Windows? I mean, it's been thirteen years since Michelangelo, and still all it takes for a virus to rape Windows is for a user to double-click on an email attachment.
I'm speaking of all of you who are saying SCO deserves it (and only those people). Do I deserve to deal with this virus BS? I have enough trouble dealing with the spam at my company, now I have to deal with this too. Viruses suck, period. Especially this one, which is forging random "from" addresses. It seems to be using #randomfirstname#@domain.extention - so now on top of the dozen or so viruses an hour I'm getting, I'm also getting bounces that I can't filter because the "to" is random. Don't bother telling me to filter out executables, I already do that. As a matter of policy, I'm the one that checks the filtered "junk" to make sure there were no false positives. It's usually about 500 a day, 1200 over the weekend. Also don't bother telling me to bounce undefined addresses. Not an option. Considering how early in the game it is for this virus, the dozen or more an hour I'm getting will probably turn into a lot more. Whoever put this out there is doing far more damage to innocent bystanders than they can ever hope to do to SCO. SCO will hang themselves eventually - the author(s) of this virus is worse than anyone at SCO.
I do agree with those who are suspicious of the motives - I think the SCO attack is just a front to increase the spread. Some morons will undoubtedly put intentionally infected machines out there, which will be more effective as Spammer relays than as drones to attack SCO. Anyone intentionally letting a machine become infected should have the book thrown at them. It amazes me how stupid very intelligent people can be sometimes.
666-607: 6th floor apartment of the beast
They very easily could. The way I see it, and perhaps the way the virus writers see it, is that SCO WILL NOT STOP. They are running the company into the ground, they are losing genuine sales, they are in a public relations nightmare, staff of theirs that I know are feeling the PR pinch, and their leader is on a mission to do one thing: badmouth Linux until the day he is forced not to.
Who else releases press releases deriding competitors or about lawsuits for a year straight, with NO press releases regarding actual real products?
Their goal is spreading FUD, and while they are the SCO group and are allowed to do so, they will keep doing it. If this court case with IBM, and the one with Novell, go on for another 3 years, all through that SCO will release statement after statement to the press speaking rubbish about Linux and threatening normal users. They won't stop until they are made to.
Since the law protects them and allows them to keep making these statements, the only thing that will stop them is something like a DDoS, and that's the situation we have.
The attack on SCO is most likely just a diversion. A simple distraction from the actual goal... to turn millions of machines into zombies which can be used to conduct illegal activities (phishing scams), or can turned into email/spam relays to be sold to spammers.
It's already been established that Mydoom installs a backdoor and allows routing of tcp/ip connections to mask the identity of the originator. More or less exactly what scammers hoping to defraud ordinary people of banking details (phishing) need. Also the standard approach to turning machines into a valuable asset that can be sold to spammers in need of mail relays or "bulletproof hosting" for their websites that host the images all those spam messages reference.
Attacking SCO is a smart diversion.... especially if SCO takes the bait and publishes a flamebait press release (seems almost certain), which will of course provoke a response from the free software / open source communities. Lots of free press to help divert the anger of millions of (clueless) victims towards the very visible open source and free software people, and SCO, and away from the real criminals.
Judging from most of the comments here on Slashdot so far, it appears to be working perfectly.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Without probe of who it was that can be construed as libel, or whatever it is called in the US.
If SCO is attacked they should pursue this with the appropriate authorities. I hope the perpetrator is caught, brought to justice and fairly punished.
The OSS community should be completely unambigous about this matter, illegal means have never been supported or encouraged in order to promote the aims of OSS, not only because it is immoral but also completely unnecessary and childish.
I am appalled that the response of many around here is "SCO deserves it". No dear slashbots, nobody deserves that their resources are abussed in this manner, not even SCO. I am behind them in any action they wish to pursue against the perpetrators, but equally I hope (perhaps in vain) that they will not do false claims without the knowledge of whom and why did this.
I am also peeved that people here are not unambigious about the condemnation of this DOS attack. This is not only illegal and immoral but also counter productive and it would be nice to see complete and unambigous condemnation of these tactics.
Do you want to show OSS tactics and aims are reasonable and beneficial? A wonderfule way would be for true hackers organizing themselves and try to identify, shame and denounce the perpetrators of this (or any other) charade.
Only because people have remained silent and unwilling to help the Internet, bit by bit, little by litte, is being taken away from us, but alas, we have not protected it as it deserves.
IANAL but write like a drunk one.
The graphs that are linked to in the /. story simply illustrate that SCO's shxt keeps on crashing - which is not really suprising after Darl had to fire the network admin to feed his Lawyer habit.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Doing DDoS on SCO just makes people feel sorry for them. They do not deserve that.
Besides SCO doesn't need the internet as they hardly can expect to have any real customers left.
Nowdays their business model is based purely on litegation. To my knowledge lawsuits are delivered by hand, so a DDoS would not disturb their business at all.
God is REAL! Unless explicitly declared INTEGER
[Darl] You see the stock yesterday? Kept going down. And hard. I even heard the analysts are onto our scam.
[Bob] Yup. It's getting just plain impossible to dump this stock anymore. What do we do? We got hammered on that 'dog ate our homework' line on our court filing last week. What do you think David? You guys did a bang up job making it look like Gore won Florida when there was no way a recount would ever show that. Hell, half the country still believes that 'selected, not elected' crap.
[Boies] Well I always say, play offense, not defense. We need to get the public back on our side. Control the spin. You know, make us out to be the victim again. It plays into these schmucks capability for pity.
[Darl] I got it! What if we were being attacked by evil hackers again? (laughs)
[Boies] Bingo. What can your geeks whip up quick, Darl?
[Darl] Well they sure ain't coding operating systems and their time spent looking for code violations in Linux has been a big waste. Maybe we could put them on making some sort of johnson or trojan or something that attacks our Internet connection. Bench, you think that'd help our numbers?
[Bob] Might. What'da say Dave?
[Boies] Hell, it'd be perfect! I'd bet it'd not only turn the PR our way, but I could put that half-assed son of Hatch's to business suing Internet service providers for causing our business damage. And if we totally bomb in court with this asshole judge, we'll just claim the whole company imploded cause of the Internet hacks and sue the pants off of every provider.
[Darl] Love it! Hey, let's call it some prophetic name like SCO doom or our doom like those bozos at the church are always yacking about end of world crap. Should get them riled up too. And hey, it might just be true for SCO! To the bank, buddies!
I got a copy of this virus before I left for work this morning, saw the mail and thought "ok, I don't know them and it's got an attachment, it's a virus", opened up the zip for a look though and saw the payload.
"Fair enough, a new virus, I gotta go to work."
Flash forward 7 hours to now and I can't *believe* what a great opportunity this virus has afforded me and no doubt countless others reading.
The mailbox it was delivered to was a spamtrap, chances are spamtraps all over the world are being sent the real, legitimate IP addresses of spammers dumb enough to click malicious attachments.
Viruses are bad, DoSing SCO is bad, but god damn, all this time we've been bitching and moaning about viruses when we could have been using them on spamtrap addresses to track down spammers to their *own* internet connection.
Hey, that's my birthday!
Aw geez, you guys shouldn't have!
Any attempt to involve yourselves in this will be viewed as complicit behavior. Do not get this mess associated with Open Source developers in any way, shape, or form. The culture and purpose of worm authors and OSS developers are completely orthogonal and must remain so.
SCO has enough enemies to worry about, and they can point fingers all they want. They do not deserve an olive branch, they did not ask for one -- do not take the bait and proactively offer one. You will lose fingers.
-Hope
I just created and installed a Postfix remedy for this recent deluge, and thought I'd pass it on.
In main.cf, insert this:
body_checks=pcre:/etc/postfix/virus_body_checks
Create a file virus_body_checks containing this:
/^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.
If anyone has an improved solution, let me know, but this seems to work.