Slashdot Mirror


MyDoom Windows Worm DDoSing SCO

We mentioned the MyDoom worm just a few hours ago, but more information is available now, mainly that its ultimate goal is apparently to DDoS SCO. You can see some more detail at Netcraft. Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.

25 of 694 comments

  1. Change domain by Anonymous Coward · · Score: 5, Funny

    Maybe they'll change their domain name like M$ did to bastards.sco.com instead of sco.com/bastards

  2. Workers by turtlexit · · Score: 5, Interesting

    SCO ought to start getting hit hard today as office workers and the like start checking their email today starting around 9 Eastern, and running the virus. It'll be interesting to see what SCO's reaction will be. Almost like the calm before the storm ;-)

  3. This stinks - easy PR for SCO by Captain Kirk · · Score: 5, Insightful

    Within a week, Darl will be equating Linux developers with virus writers - "both are called hackers and both hate me" he'll say and some 'respectable' journalists will report it as true.

  4. Re:I never thought I'd say this... by swordboy · · Score: 5, Funny

    Better yet, go here and keep clicking refresh - maybe you'll be the first to see the DDoS taking place!

    --

    Life is the leading cause of death in America.
  5. ed by ballpoint · · Score: 5, Funny
    but it's always sad to watch someone stoop to this level

    s/is/eir

    --
    Flourescent (adj): smelling like ground wheat.
  6. Damn those ignorant anti-virus idiots! by Anonymous Coward · · Score: 5, Insightful

    FFS, if you know that a worm forges the sender address, DON'T send bounces to that address. Worms are relatively easy to filter, but the crap from the virus-scanners comes in seemingly endless variations. Some even have the nerve to advertise their anti-virus solution, followed by a copy of the worm-mail, binary attachment included. Yeah right, moron, you just sent a copy of the worm to me and you expect me to buy your anti-virus product???

  7. Maybe, maybe not by AndroidCat · · Score: 5, Interesting
    It's still unclear what the real goal of this worm is. While it does DDoS SCO, it also installs a proxy that can be used by spammers. Long after sco.com is smoking rubble, this will probably be relaying Make P3n1s Fast! spam.

    It's too early to call this one. Relax and pass the popcorn.

    --
    One line blog. I hear that they're called Twitters now.
  8. Not so different from SETI? by orty78 · · Score: 5, Funny

    This is very similar to the SETI@Home project. I'd like to try it out and run it for a while. How and where do I sign up?

  9. Re:SCO probably wrote it by Simon Lyngshede · · Score: 5, Funny

    Well maybe they didn't write it, but I'm sure there is some SCO code in it.

  10. Re:Something Doesn't Add Up by T-Punkt · · Score: 5, Insightful

    I asked that myself.

    Could be some PCs with badly set clocks. Well, you know those Windows users, they don't set their system clocks, have 00:00 blinking on their VCRs, use Outlook and click on every fscking single attachment that made it into their mailbox.

  11. Funny, I think: by cockroach2 · · Score: 5, Informative

    On the bottom of the Netcraft report you can see an OS history of www.sco.com - apparently they switched from SCO UNIX to Linux in August 2002...

  12. This injures our reps, not SCO's by Artifex · · Score: 5, Insightful

    SCO's Information Ministry can just point to this and claim more evil Linux users are trying to destroy the software business, etc.

    We're right, and we know it. No self-respecting geek would stoop to participating in a DDOS in general, not to mention one against someone/something we consider to be morally bankrupt. We know that we can only claim the moral high road only if we actually stick to the high road... right?

    It would be really interesting to find out if it's just some kids behind it, who aren't aware of the difference between right and wrong, or whether it's an entity who has a vested interest in making us look bad...

    --
    Get off my launchpad!
  13. Re:SCO probably wrote it by jimicus · · Score: 5, Funny

    Anyone whose computer is infected with this worm is violating our IP! You must pay $699 for a license!

  14. Re:Something Doesn't Add Up by crawling_chaos · · Score: 5, Insightful
    I got into the office this morning to find 550 unread messages, mostly copies of this, or messages saying that copies I had supposedly sent hadn't been delivered.

    Preach on, brother. I wish some sysadmins would get a clue and realize that with viruses spoofing the From: address, there is no fscking point in sending the "you sent me a virus" panic mail. All it does is bother the wrong people.

    --
    You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
    -- Colonel Adolphus Busch
  15. Re:Killing two ugly birds with one stone by ArseneLupin · · Score: 5, Funny
    Seems like this is Linux's ultimate weapon of mass destruction because:

    Didn't you get it? There are no weapons of mass destruction! It was all made up by Darl and his cronies!

  16. So sad by Pedrito · · Score: 5, Funny

    Obviously SCO has a lot of enemies out there right now, but it's always sad to watch someone stoop to this level.

    Yes, it makes me very sad. Can someone hand me a hanky? I think I need some alone time to cry about this.

  17. Re:But, damn it! by gaijin99 · · Score: 5, Insightful
    This is going to be a serious blow to the moral credibility of the OSS community, not just Linux users.

    It is only a threat to our credibility if we allow it to be. I'm *REALLY* not trying to derail into an abortion debate here, but it's the best example I can think of. The anti-abortion movement, in general, doesn't support clinic bombers and assassins; but clinics still get bombed and doctors still get murdered. So far the anti-abortion movement has quite successfully managed to avoid the actions of this group becoming a blow to their own moral credibility.

    I'd recommend that we on the side of Free Software study the anti-abortion tactics with dealing with such incidents. The first, and most obvious step, is one that was taken last time: immediate and honest sounding disavowal of the actions of the DOSer. It's going to get old for RMS, ESR, Linus, Perens, etc continuously getting out and saying the same thing ("We don't support this, it's wrong. We're still right, but the virus writers aren't with us, etc, etc, etc"), but it needs to happen.

    I honestly don't know what the other successful tactics are. I need to study how the respectable majority in the anti-abortion movement deals with its nutbags. Can anyone think of other movements with similar problems that we should look into?

    --
    "Mission Accomplished" -- George W. Bush May 1, 2003
  18. Pirates? by Aldric · · Score: 5, Funny

    I never even knew that SCO owned any ships, never mind that one of them had been boarded and plundered by pirates.

  19. W00t ! I did it ! by o'reor · · Score: 5, Funny
    After a few clicks I got this :

    Server Error

    The following error occurred:
    [code=SERVER_RESPONSE_RESET] The server response could not be read because of an error. Contact your system administrator.

    Please contact the administrator.

    Woo-hoo ! I DoSed the SCO server with only one finger !

    --
    In Soviet Russia, our new overlords are belong to all your base.
    1. Re:W00t ! I did it ! by Anonymous Coward · · Score: 5, Funny

      Dear Sir or Madam,

      your Internet Protocol number has been logged for legal purposes in accordance with our efforts to reduce the increasing amount of abusive usage of this site's functionality and to comply with the Rules Of Governance In Electronic Media as required by Californian law.

      We are to inform you of the legal steps taken against the holder of mentioned number, which we hereby do.

      Please refer to the Bureau Of The Attorney Of Los Angeles (CA) county to request your case number, as this message is generated electronically and we have no means to determine the case number at this moment.

      Thank you.

  20. Re:This is not one of SCO's enemies... by pjrc · · Score: 5, Insightful
    This is someone who just wants to feel important and who thinks that by DDoS'ing SCO everyone will call him a hero.

    Or someone who doesn't give a damn about SCO, and merely wants to distract attention away from their real goal of turning millions of end-user PCs into zombies to do their future bidding.

    Hmmm... who would be interested in that <cough> spammers <cough> and has an established history of it?

  21. You guys are amazing... by tbase · · Score: 5, Insightful

    I'm speaking of all of you who are saying SCO deserves it (and only those people). Do I deserve to deal with this virus BS? I have enough trouble dealing with the spam at my company, now I have to deal with this too. Viruses suck, period. Especially this one, which is forging random "from" addresses. It seems to be using #randomfirstname#@domain.extension - so now on top of the dozen or so viruses an hour I'm getting, I'm also getting bounces that I can't filter because the "to" is random. Don't bother telling me to filter out executables, I already do that. As a matter of policy, I'm the one that checks the filtered "junk" to make sure there were no false positives. It's usually about 500 a day, 1200 over the weekend. Also don't bother telling me to bounce undefined addresses. Not an option. Considering how early in the game it is for this virus, the dozen or more an hour I'm getting will probably turn into a lot more. Whoever put this out there is doing far more damage to innocent bystanders than they can ever hope to do to SCO. SCO will hang themselves eventually - the author(s) of this virus is worse than anyone at SCO.

    I do agree with those who are suspicious of the motives - I think the SCO attack is just a front to increase the spread. Some morons will undoubtedly put intentionally infected machines out there, which will be more effective as Spammer relays than as drones to attack SCO. Anyone intentionally letting a machine become infected should have the book thrown at them. It amazes me how stupid very intelligent people can be sometimes.

    --

    666-607: 6th floor apartment of the beast
  22. Re:SCO probably wrote it by pjrc · · Score: 5, Interesting
    Since Mydoom has been identified as a variant of Mimail, which is largely believed to have been written on behalf of spammers and/or paypal scammers (apparently in Russia), the most likely scenario is that the same group created Mydoom.

    The attack on SCO is most likely just a diversion. A simple distraction from the actual goal... to turn millions of machines into zombies which can be used to conduct illegal activities (phishing scams), or can be turned into email/spam relays to be sold to spammers.

    It's already been established that Mydoom installs a backdoor and allows routing of tcp/ip connections to mask the identity of the originator. More or less exactly what scammers hoping to defraud ordinary people of banking details (phishing) need. Also the standard approach to turning machines into a valuable asset that can be sold to spammers in need of mail relays or "bulletproof hosting" for their websites that host the images all those spam messages reference.

    Attacking SCO is a smart diversion.... especially if SCO takes the bait and publishes a flamebait press release (seems almost certain), which will of course provoke a response from the free software / open source communities. Lots of free press to help divert the anger of millions of (clueless) victims towards the very visible open source and free software people, and SCO, and away from the real criminals.

    Judging from most of the comments here on Slashdot so far, it appears to be working perfectly.

  23. Re:Something Doesn't Add Up by mattdm · · Score: 5, Interesting

    I wish some sysadmins would get a clue and realize that with viruses spoofing the From: address, there is no fscking point in sending the "you sent me a virus" panic mail.

    I've been trying to complain to admins about this ever since Klez. You wouldn't believe the abuse I've gotten back -- and I've been very polite and nice. Generally, sites feel that it's adequate to add the newly found spoofing viruses to a don't-mail-notices blacklist after it's "realized" that yet another one can't be trusted. GET A CLUE, people -- you can't trust *viruses* at all.

    The *real* problem is the antivirus software -- notices should only be sent for "known honest" viruses -- if at all. There should be *no* option to send these notices by default. But the antivirus companies *love* this -- they get to send out *millions* of advertisements for the effectiveness of their product, and no one is allowed to call it spam -- even though it *is*.

  24. Re:I never thought I'd say this... by falzer · · Score: 5, Funny

    Hey, that's my birthday!

    Aw geez, you guys shouldn't have!