Posted by CmdrTaco from the no-surprise-there dept.
quakeslut writes "It's Feb. 1st everyone... and all of you who have been reading Slashdot know that today MyDoom.A begins its attack... according to Reuters, SCO has already been hit hard. Stay tuned for Tuesday when MyDoom.B hits Microsoft..."
How stupid do you have to be?
by Matrix9180 · Score: 5, Interesting
SCO had plenty of time to prepare for this. They were well aware it was coming. I personally believe it's a publicity stunt. (which probably wouldn't surprise anybody around here).
-- 120chars for a sig is teh suck
Re:How stupid do you have to be?
by SkArcher · Score: 4, Interesting
Analysis shows that all other sites on that router ring are working properly, that the net is no slower than usual and that you can still download SCO Linux from their site.
SCO Linux includes all the SCO disputed IP under the GPL, so download it now and burn to CD - keep it on a shelf and if anyone tries to claim money show that SCO have given you a license to use the code under the GPL.
--
An infinite number of monkeys will eventually come up with the complete works of/.
Re:How stupid do you have to be?
by mindriot · Score: 4, Interesting
It might well be a publicity stunt; but it's not like they're completely unprepared, at least according to netcraft:
We had expected that SCO might take www.sco.com out of the DNS in the run up to the MyDoom DDoS payload in order to keep the denial of service http traffic off the Internet. So far, though, www.sco.com still resolves and receives http requests, though closing the connection without sending a response.
That said, the sco.com hostmaster is reserving his options, with the TTL set to just 60 seconds at time of writing.
Re:How stupid do you have to be?
by GSloop · Score: 2, Interesting
So instead of DDOSing the webserver, they'll DDOS their DNS provider.
Still, better than nothing I guess...
Setting it to two, four, or even sixteen minutes wouldn't have caused them to lose much flexibility, and since the DDOS "client" dings them every 60 seconds (IIRC) it would have put one half, one fourth or one sixteenth as much load on DNS.
But I guess that's what you get when you got a lawyer running the IT department.
Cheers, Greg
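Greg's TTL arithmetic can be checked with a small model of the caching tier between the bots and the authoritative servers. This is an added example, not code from the thread: it simulates bots that re-resolve a name every 60 seconds through caching recursive resolvers and counts what reaches the authoritative servers; the bot count, resolver count and the even spread of bots across resolvers are constructed assumptions.

```python
"""Model of how resolver caching shapes the authoritative-DNS load produced by
DDoS clients that re-resolve their target every 60 seconds (GSloop's argument)."""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class ResolverCache:
    """One recursive resolver caching a single A record strictly by TTL.
    Times are integer milliseconds so cache-expiry comparisons are exact."""
    expires_at: int = -1          # time the cached answer goes stale
    upstream_queries: int = 0     # queries forwarded to the authoritative server
    client_queries: int = 0       # queries received from the bots behind it

    def lookup(self, now_ms: int, ttl_ms: int) -> bool:
        """Serve a lookup at `now_ms`; return True when it had to go upstream."""
        self.client_queries += 1
        if now_ms < self.expires_at:      # answer still fresh: served from cache
            return False
        self.upstream_queries += 1        # miss or expired: ask the authoritative server
        self.expires_at = now_ms + ttl_ms
        return True


def simulate(bots: int, resolvers: int, ttl: int,
             interval: int = 60, duration: int = 14400) -> Dict[str, int]:
    """Run `bots` clients spread evenly over `resolvers` caching resolvers, each
    re-resolving the target every `interval` seconds for `duration` seconds.

    Bots are staggered within each interval so lookups arrive in time order
    instead of all at once.  Returns the query totals seen at each tier.
    Constructed scenario: even spread across resolvers, record present, so no
    negative caching is involved.
    """
    caches = [ResolverCache() for _ in range(resolvers)]
    interval_ms, ttl_ms = interval * 1000, ttl * 1000
    for step in range(duration // interval):
        for bot in range(bots):
            now_ms = step * interval_ms + (bot * interval_ms) // bots
            caches[bot % resolvers].lookup(now_ms, ttl_ms)
    return {
        "authoritative_queries": sum(c.upstream_queries for c in caches),
        "resolver_queries": sum(c.client_queries for c in caches),
    }


def compare_ttls(ttls: Iterable[int], **scenario) -> Dict[int, float]:
    """Authoritative query load per TTL, relative to the first TTL in `ttls`."""
    ttls = list(ttls)
    base = simulate(ttl=ttls[0], **scenario)["authoritative_queries"]
    return {ttl: simulate(ttl=ttl, **scenario)["authoritative_queries"] / base
            for ttl in ttls}


if __name__ == "__main__":
    scenario = dict(bots=1000, resolvers=50)   # constructed numbers
    for ttl, ratio in compare_ttls([60, 120, 240, 960], **scenario).items():
        print(f"TTL {ttl:>4}s -> authoritative load x{ratio:.4f}")
    # Doubling the bots changes nothing upstream while the caches absorb them;
    # the extra load lands on the recursive resolvers instead.
    print(simulate(bots=2000, resolvers=50, ttl=60))
```

With a 60-second client interval the authoritative load is one query per resolver per TTL, so the ratios come out exactly as the post says, and adding bots only raises the resolver-side count.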
Re:How stupid do you have to be?
by kindbud · Score: 2, Interesting
Holy Freakin' Cow! Look at this Darl-ism:
O'BRIEN: One final thought. You're talking about the ultimate hall of smoke and mirrors here. What are the chances you could be duped into giving the reward to a culprit?
MCBRIDE: Well, the way it works here, Miles, is to pay the reward out means that that person will be in jail. So I guess conceivably they could turn themselves in, go to jail, sit around with their $250,000 and get out. So I guess maybe that's the way to make money. Since you can't make money with Linux because it's free, maybe that's the new monetization system.
-- Edith Keeler Must Die
Re:I'm Doing My Part
by real_smiff · Score: 2, Interesting
I think it was a joke. Unfortunately, you're right that he shouldn't even have cracked the joke, because some journalists reading this will take it seriously (damn, forgot to bookmark an example a few days ago).
--
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
M$ might not be hit so hard..
by Anonymous Coward · Score: 4, Interesting
According to heise.de (in English) MyDoom.B is not nearly as widespread as the A-version. According to the article the A-version just had a good start, because it was distributed through an IRC botnet. So we will probably not see microsoft.com going down.
How did this virus spread so easily?
by galaga79 · Score: 4, Interesting
What I don't get is how this virus spread so far, considering how hard it must be to get infected by it. You'd have to go out of your way to get infected, since it spreads itself as a zip-compressed attachment.
I can understand how past viruses have spread so quickly, taking advantage of exploits in Outlook and Windows RPC etc., but this doesn't seem to use any exploits whatsoever.
Is it just a lot of stupid users, or am I missing something?
Re:How did this virus spread so easily?
by Anonymous Coward · Score: 1, Interesting
Ignorance abounds around here.
This app hid itself under a variety of different names, a variety of extensions. Even if it was .zip, the OS ignored the .zip and 'knew' it was an application. These were NOT .zip.exe's or any such tricks. Even on machines NOT set to hide extensions, the .zip runs as an application.
Combined with the classic 'error' masking, it's just a recipe for disaster. People honestly wonder why there's an email in their box that looks like they sent it and had it bounce back. Combined with the logic that a .zip file is a 'safe' one to double click, we have the conditions used to perpetuate the virus.
At my work, one of the most computer-savvy users there got wormed. Just because he wanted to see what was inside the .zip. Or it might have been a .txt (even SAFER in his mind). His machine didn't hide extensions. I know this.
Of course, the funny part is that most of the people at the same office (the less computer-savvy ones) all deleted it because it was an attachment, and no one trusts attachments anymore. There's a level of LOL to that, but that's for another post.
Pure social engineering. This has always been the key to malicious computer use. Why do you think the virus that acted as a 'Windows Update' worked so damn well?
Re:How did this virus spread so easily?
by Phil Wherry · Score: 4, Interesting
What I find particularly fascinating about all of this is the fact that this is being treated primarily as a user education issue. While it's true that a savvy user can dodge this attack completely by simply not opening the attachment in question, one might still rightly ask, "Why is it that users have to be security-savvy in order to effectively use their computers?" Many of the security problems that we see are, in fact, caused by architectural flaws.
The lack of distinction between executable files and data is the first problem. Windows differentiates between data files and programs through file naming convention; the mere construction of a filename is sufficient to get the operating system to attempt to run it if the user should happen to click on it within the GUI.
Other operating systems don't do this. Unix systems have an attribute separate from the filename that indicates that the file is executable code. This attribute (a permission bit, actually) must be set in order for the code to execute in response to a click from within the GUI (or, for that matter, in response to actions in the command-line interface). Had this worm been effective on a Unix system, it would have required that the user save the attachment as a file, modify the executable permissions for the file, then invoke the application. Most other non-Unix systems with which I've worked are similar; you have to either explicitly communicate to the operating system "run this file as a program" or somehow bless the file in order to turn it into an application.
Once the application is running, we discover the next major architectural flaw: it's possible for most users of Windows to modify the behavior of the operating system itself without realizing it. Most modern operating systems require a user to be in some sort of a privileged mode in order to install applications or otherwise change the behavior of the system. The "su" command (or, better yet, the "sudo" command) in Unix allows one to assume "superuser" privileges for this purpose. In Windows, you have to be logged in as a user with administrative rights to the computer, but there's no simple way to assume and release privileges for the purpose of installing an application. So most users (outside the most restrictive of corporate environments) use their Windows environments from a login with full administrative privileges. This is the equivalent of running one's Unix environment while logged in as "root," a practice regarded as reckless and incompetent. Unfortunately, it's very hard to get work done in Windows any other way.
As a result, malware like the MyDoom worm can take advantage of these administrative privileges in order to make itself harder to remove. It's quite common for such applications to add themselves to the list of things that run when the computer is started up. One variant of the MyDoom worm even goes so far as to damage a network configuration file in order to make it difficult for antivirus software to download updated signature files. These attacks work only because the worm is easily able to gain administrative rights to the computer. There's certainly plenty of mischief that can be perpetrated as an ordinary user, but it's quite a bit easier to prevent when the OS is off-limits. And, when bad things do happen, it's vastly easier to clean up the damage when the integrity of the operating system itself isn't in question.
So, the next time you hear the claim that a security problem is caused by a user acting stupid, consider this: is it really the case that the user is stupid, or is the real stupidity the set of architectural decisions that enable the user to make mistakes?
Re:It shouldn't have happened yet
by Phazer4 · Score: 2, Interesting
I think SCO have took their site down themselves as the attack shouldn't have happened yet.
Did you even read the article? Obviously not, or you would know that it explained why the attacks are happening before 1609:
The MyDoom attack trigger was set for 1609 GMT Sunday. But with so many computer clocks incorrectly set, the infected machines began firing off data requests at SCO.com hours earlier, Hypponen said. "It will only get worse for SCO as time goes on," he added.
Thank you, come again.
--
Thank you, come again.
Is it Down or is it 'down'?
by OverlordQ · Score: 3, Interesting
www.sco.com has address 216.250.128.12
traceroute to 216.250.128.12 (216.250.128.12), 30 hops max, 38 byte packets
1 66.182.216.1 (66.182.216.1) 44.788 ms 45.293 ms 45.307 ms
2 iah-edge-13.inet.qwest.net (63.149.189.73) 51.143 ms 54.774 ms 51.355 ms
3 iah-core-02.inet.qwest.net (205.171.31.142) 54.766 ms 51.816 ms 56.265 ms
4 dal-core-01.inet.qwest.net (205.171.8.125) 56.562 ms 56.563 ms 58.236 ms
5 dal-core-02.inet.qwest.net (205.171.25.130) 58.450 ms 54.056 ms 58.734 ms
6 dap-brdr-01.inet.qwest.net (205.171.225.2) 231.204 ms 99.812 ms 92.647 ms
7 p3-2.IR1.Dallas2-TX.us.xo.net (206.111.5.13) 59.997 ms 61.537 ms 77.399 ms
8 p5-2-0-3.RAR1.Dallas-TX.us.xo.net (65.106.4.197) 55.789 ms 60.882 ms 57.735 ms
9 p0-0-0-1.RAR2.Dallas-TX.us.xo.net (65.106.1.42) 57.992 ms 63.093 ms 58.382 ms
10 p1-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.41) 89.096 ms 93.724 ms 93.356 ms
11 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 89.825 ms 84.570 ms 85.701 ms
12 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 109.317 ms 98.882 ms 314.447 ms
13 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 104.638 ms 99.345 ms 104.216 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 100.682 ms 105.112 ms 101.775 ms
15 * * *
linuxupdate.sco.com has address 216.250.128.241
traceroute to 216.250.128.241 (216.250.128.241), 30 hops max, 38 byte packets
1 66.182.216.1 (66.182.216.1) 48.151 ms 89.228 ms 47.732 ms
2 iah-edge-13.inet.qwest.net (63.149.189.73) 51.187 ms 49.542 ms 52.654 ms
3 iah-core-02.inet.qwest.net (205.171.31.142) 53.441 ms 101.028 ms 53.714 ms
4 dal-core-01.inet.qwest.net (205.171.8.125) 319.413 ms 57.257 ms 59.600 ms
5 dal-core-02.inet.qwest.net (205.171.25.130) 57.595 ms 55.800 ms 57.578 ms
6 dap-brdr-01.inet.qwest.net (205.171.225.2) 61.077 ms 56.746 ms 59.109 ms
7 p3-2.IR1.Dallas2-TX.us.xo.net (206.111.5.13) 59.587 ms 54.717 ms 59.362 ms
8 p5-2-0-3.RAR1.Dallas-TX.us.xo.net (65.106.4.197) 60.098 ms 61.397 ms 58.609 ms
9 p0-0-0-1.RAR2.Dallas-TX.us.xo.net (65.106.1.42) 67.524 ms 59.960 ms 71.663 ms
10 p1-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.41) 93.370 ms 113.441 ms 92.632 ms
11 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 89.880 ms 85.503 ms 85.974 ms
12 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 98.055 ms 97.907 ms 98.232 ms
13 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 99.287 ms 96.170 ms 99.050 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 101.741 ms 104.765 ms 100.452 ms
15 c7pub-216-250-136-254.center7.com (216.250.136.254) 106.771 ms 100.281 ms 105.686 ms
16 linuxupdate.sco.com (216.250.128.241) 106.443 ms 107.751 ms 105.682 ms
What I want to know is how many people infected their computers on purpose and how many just didn't remove the virus after they found it? Most people won't do a criminal act, but will ignore somebody else's?
Actually, as a private computer techie, I've been removing MyDoom from my clients' computers for the past couple of days. It really is amazing how fast it's spread...
As a Linux geek I must admit to a small snicker at SCO's misfortune here, but it is definitely not the right way to go about solving the SCO problem. All publicity is *NOT* good publicity, and the last thing we need is for the world to think "Linux == Geeks spreading virii". I've been taking pains to point out the spam connection with the MyDoom virus, and I think that's the angle we should pursue here. I can only hope that the next loser who DOSes SCO gives us as easy an "it's not us" angle.
-- "Mission Accomplished" -- George W. Bush May 1, 2003
Re:Why today...
by Pharmboy · Score: 5, Interesting
Sunday isn't even a business day? How much money will they not lose?
There is one basic flaw in your assumption. Granted, for many businesses, this would hold true, but not SCO. Being attacked on Sunday is just as detrimental as being attacked on Wednesday, as it appears they make just as much money when no one is there as they do when the place is fully staffed: nothing.
I am sure they will spin this around and demonstrate how this hurt them terribly, costing them tens, if not hundreds of dollars in potential sales ;) Then again, they will blame the Linux community for this, even though it's solely from a bunch of owned Windows boxes. This is akin to blaming Smith and Wesson for injuries to the neighbors when you fire your gun in random directions.
-- Tequila: It's not just for breakfast anymore!
Re:Why today...
by muffen · Score: 3, Interesting
Sunday isn't even a business day? How much money will they not lose?
...are you saying they would lose money if it was a business day?
Well, I guess they have received "linux-fees" from 12 linux users so far... so if the DoS attack keeps the website down for a week, they might lose like USD 600 (or whatever the fee was).
The person who wrote the worm is not very good anyways... only 25% of infected machines will perform the DoS attack (see the virus information page for McAfee and Symantec).
Anyways, they are counting that there's about 1Million infected machines, and if 25% of those do the DoS attack, it's 250 000 machines.. which would still be the largest DDoS attack in history so far.
One thing I don't understand is why the DNS entry hasn't been removed for www.sco.com. I mean, they have no chance in hell of stopping this thing, and keeping the DNS entry intact causes a slowdown on a lot more things than just SCO's webserver.
I guess it's just a matter of time until www.sco.com is pointing to www.slashdot.org:)
Microsoft's great feature, put there especially for virus writers' social engineering attacks (well, there is no other real use).
Look inside those .zip files and you see abcdef.txt.exe (or .pif), etc.
Muggins end user opens what (s)he's been tricked into thinking is a .txt file.
Boom.
If Microsoft is at all serious about security they'd issue a patch for all their operating systems disabling this "feature" for all time.
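The hidden-extension trick described in the AC's post above and in this one (abcdef.txt.exe inside the .zip) is easy to check for at a mail gateway before a user ever sees the attachment. This is an added example, not code from the thread: it classifies attachment names as Explorer would display them with known extensions hidden, and opens zip attachments in memory to classify their members; the extension lists and the sample archive are constructed here, and the whitespace-padded form is a generalisation beyond what the thread mentions.

```python
"""Gateway-side checks for the 'hidden extension' attachment trick:
what the user would see vs. what Windows would actually run, plus a look
inside zip attachments for executable members."""
import io
import os
import zipfile
from typing import Dict, List, Optional

# Extensions Windows runs directly on double-click (constructed list, not
# exhaustive); these are the dangerous half of a double extension.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
# Extensions a user reads as harmless data; the decoy half of a double extension.
DECOY_EXTS = {".txt", ".doc", ".htm", ".html", ".zip", ".jpg", ".gif", ".pdf"}


def shown_name(filename: str) -> str:
    """Name as Explorer shows it with 'hide extensions for known file types' on:
    the final extension is stripped, so 'abcdef.txt.exe' appears as 'abcdef.txt'."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else filename


def classify_name(filename: str) -> Dict[str, object]:
    """Compare what the user sees with what actually runs.

    `deceptive` is True when the real extension is executable but the visible
    name ends in a data-looking extension.  Trailing spaces before the real
    extension ('readme.txt      .pif') are treated as the same trick; that
    padded form is a generalisation, not something the thread describes.
    """
    real_ext = os.path.splitext(filename)[1].lower()
    visible = shown_name(filename)
    looks_like = os.path.splitext(visible.rstrip())[1].lower()
    return {
        "shown": visible,
        "real_ext": real_ext,
        "looks_like": looks_like or None,
        "deceptive": real_ext in EXECUTABLE_EXTS and looks_like in DECOY_EXTS,
    }


def scan_zip(data: bytes) -> List[Dict[str, object]]:
    """Classify every file member of a zip attachment held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            dict(member=info.filename, **classify_name(os.path.basename(info.filename)))
            for info in zf.infolist() if not info.is_dir()
        ]


def attachment_findings(filename: str, data: Optional[bytes] = None) -> List[str]:
    """Findings a mail gateway could log for one attachment; empty means none.
    Any executable inside a zip is reported; deceptive names are called out."""
    findings = []
    top = classify_name(filename)
    if top["deceptive"]:
        findings.append(f"{filename!r} displays as {top['shown']!r} but runs as {top['real_ext']}")
    if data is not None and top["real_ext"] == ".zip":
        for m in scan_zip(data):
            if m["real_ext"] in EXECUTABLE_EXTS:
                kind = "double-extension executable" if m["deceptive"] else "executable"
                findings.append(f"{filename!r} contains {kind} {m['member']!r}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive matching the thread's description: one member
    named 'abcdef.txt.exe' beside an ordinary text file.  Contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("abcdef.txt.exe", "placeholder text, not a program\n")
        zf.writestr("notes.txt", "ordinary text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ["abcdef.txt.exe", "readme.txt      .pif", "setup.exe", "report.pdf"]:
        print(f"{name!r:28} -> {classify_name(name)}")
    for line in attachment_findings("document.zip", build_sample_zip()):
        print(line)
```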
Re:Why today...
by Jim Hall · Score: 2, Interesting
Oh, hi andy. Yes, this is what we refer to as an "off by one" error. The attack is scheduled Feb 1 (Sun) through Feb 12 (Thu). That's off by one. Feb 2-13 would have gotten you two full business weeks.
Bad programmer. Go sit by your dish.
The virus is spread by UNIX
by Anonymous Coward · Score: 4, Interesting
Some guy on winnetmag obviously thinks they should be offline, they must have brought it upon themselves, as he seems to think the virus is the fault of UNIX. He says that "A new email virus called MyDoom is spreading rapidly across the Internet through UNIX mail servers, bringing with it a dangerous attachment that, when opened, can give attackers access to users' computers through an electronic backdoor."
sheesh where do they get these people
Terrible Reuters Article
by Snowspinner · Score: 2, Interesting
I'm not sure which quote from the article I think is worse - referring to it as the "so-called 'open source' movement," or referring to infected computers as an "army of zombie PCs."
Either way, wow. What a terrible article.
Anyway, it should be easy to distance the open source community from this virus - it's not as though the writer of it released the source or anything, or put it out under the GPL.
Though there would be something dryly amusing if he had.
Of course, deliberately allowing the DDOS attack to work has the convenient side effect of denying access to all of the damaging evidence on their website revealed in yesterday's groklaw article. Maybe that's why they have decided not to take the simple steps necessary to prevent the attack.
The cynic in me wonders if when the website comes back up, SCO is going to claim that "certain web pages" were destroyed by the attack.
"Title: SCO Says Worm Hasn't Hit Yet; ISPs Are Blocking Them...Right. That's the Ticket.
Author: PJ
Date: Sunday, February 01 2004 @ 02:02 AM EST
The latest from Lindon is that Blake Stowell said on Saturday that MyDoom hadn't hit them yet. The reason they were not reachable was because ISPs have been blocking them. Huh? What about all those interviews? They told the world for days and the SEC in an official filing that MyDoom had hit them already.
Somebody must have finally told SCO that MyDoom was timed for today. Woops.
So now the story is that it's ISPs that are blocking their site, and of course no one in the media remembers what Darl and Co. said just a day or two ago, so of course there are no followup questions. They just print whatever SCO tells them: "US software maker SCO, target of the Mydoom computer virus, said Internet access providers had hobbled its website, fearing infection by what may be the fastest-growing worm ever. "'There are Internet service providers around the world who are blocking access to SCO,' company spokesman Blake Stowell said, adding it was because they believe they !"
OK everybody, lets start jumping to conclusions!
-- C|N>K
Re:Why today...
by gmac63 · Score: 2, Interesting
Sunday isn't even a business day? How much money will they not lose?
They won't lose a cent, but the CTO and his staff will be missing the Panthers win today!
--
INSERT INTO comment VALUE('Doh!') WHERE user='you';
I wonder how much Kazaa has to do with this
by RodeoBoy · Score: 2, Interesting
In my experience I see more viruses on machines that also have some sort of P2P or AIM software installed. This virus was putting a copy in the user's Kazaa share. There are huge issues with this stuff, but the media continues just to talk about email.
internet exchange statistics
by mtenhagen · Score: 2, Interesting
I've been looking at the traffic statistics of some European internet exchanges and none of them seem to have more traffic than usual.
The 2 reasons I can think of:
1) There is no extra traffic. (maybe a little)
2) All traffic goes through transit providers (because it should go to the U.S.)
If there are over 200.000 machines infected by MyDoom there should be noticeable extra traffic.
Re:Why today...
by pherris · Score: 4, Interesting
Speaking of FUD... Is there a way to tell if it's actually DoS'd, or if they shut it down themselves??
www.sco.com has been pulled from their DNS records. Their whois info shows four DNS servers: ns.calderasystems.com, ns2.calderasystems.com, c7ns1.center7.com and nsca.sco.com. AFAIK ns.sco.com, ns1.sco.com and ns2.sco.com used to be their DNSs of record. I ran a quick check of www.sco.com on all seven servers and found it had been removed. Since there is no IP number for that name, SCO never sees the HTTP request.
I personally would've changed it to lo (127.0.0.1) so at least other DNS servers would cache the first request (and serve out copies without checking), thus avoiding a lot of those hits to their DNS servers every time MYDOOM makes its request. Even with their current setup they should avoid most of the force of MYDOOM (unless it attacks a range of active names and/or numbers).
The better solution, if they want to keep their web server alive, is to channel all requests to another web server with a thin pipe (say a T1) right off a backbone that reads the HTTP client header, discards the MYDOOM requests (along with some real ones) and forwards everyone else to their real HTTP server (say www2.sco.com). This could greatly minimize MYDOOM's damage, changing a hurricane into a rain shower.
On the other hand doing it their way allows them to more easily cry "poor [sco]", claim this attack completely shut them down, have a record of exactly how many attacks they're getting and claim they lost business (like they had any anyways). This whole attack has "script kiddie" written all over it. If the author lives in the US there's a fair chance they'll catch him, and then he's SOL. In my opinion MYDOOM discredits the gnu/linux community. sco sucks but this isn't the way. An opinion shared by most in our community.
-- "And a voice was screaming: 'Holy Jesus! What are these goddamn animals?'" - HST
FAKE attack?
by SparkMan · Score: 3, Interesting
Not sure what's going on here but:
C:\>ping www.sco.com
Unknown host www.sco.com.
C:\>ping www2.sco.com
Pinging www2.sco.com [216.250.128.33] with 32 bytes of data:
Reply from 216.250.128.33: bytes=32 time=71ms TTL=49
Reply from 216.250.128.33: bytes=32 time=69ms TTL=49
Reply from 216.250.128.33: bytes=32 time=69ms TTL=49
Reply from 216.250.128.33: bytes=32 time=68ms TTL=49
Ping statistics for 216.250.128.33:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 68ms, Maximum = 71ms, Average = 69ms
The first ping, the "Unknown host" failure, is NOT a DoS failure. It means their www.sco.com DNS record has been removed from the public database so that nobody can lookup the IP address anymore. You can try to ping (or load the web page) all you want but your computer is doing nothing because it doesn't know what IP address to go for.
The second ping, the success, works great. If www2.sco.com is on the same physical connection that www.sco.com normally is on, then this demonstrates that their network connection is not currently encountering any significant attack.
--
-- laws are the opinions of politicians --
Re:Why today...
by Reziac · Score: 4, Interesting
Thanks for the info, saved in my evergrowing "SCOpera" files:)
I looked at MyDoom's innards, and it struck me as odd, not typical script-kiddie material at all. I got the sense it was the work of someone whose programming work had *not* previously included this sort of thing. So I'm inclined to agree with the speculation that it's primarily a spammer's zombie-generating tool, built by contract with some starving professional coder, and that the SCO and M$ DoS components are red herrings.
As you say, SC0-baiting is great fun, but illegal attacks do nothing for the case against them (tho they seem to be using it to further their own case *against* themselves, judging by the "time travel" element that Groklaw pointed out) and just make us look bad. SCO is perfectly capable of cutting their own throats without "help".
I think a lot of folks have mixed feelings on this one.
-- "It is a greater offense to steal men's labor, than their clothes"
Microsoft's great feature, put there expecially for virus writers' social engineering attacks (well, there is no other real use).
.zip files and you see abcdef.txt.exe (or .pif), etc.
.txt file.
Look inside those
Muggins end user opens what (s)he's been tricked into thinking is a
Boom.
If Microsoft is at all serious about security they'd issue a patch for all their operating systems disabling this "feature" for all time.
Oh, hi andy. Yes, this is what we refer to as an "off by one" error. The attack is scheduled Feb 1 (Sun) through Feb 12 (Thu). That's off by one. Feb 2-13 would have gotten you two full business weeks.
Bad programmer. Go sit by your dish.
Some guy on winnetmag obviously thinks they should be offline, they must have brought it upon themselves, as he seems to think the virus is the fault of UNIX. he says that "A new email virus called MyDoom is spreading rapidly across the Internet through UNIX mail servers, bringing with it a dangerous attachment that, when opened, can give attackers access to users' computers through an electronic backdoor."
sheesh where do they get these people
I'm not sure which quote from the article I think is worse - referring to it as the "so-called 'open source' movement, or refering to infected computers as an "army of zombie PCs."
Either way, wow. What a terrible article.
Anyway, it should be easy to distance the open source community from this virus - it's not as though the writer of it released the source or anything, or put it out under the GPL.
Though there would be something dryly amusing if he had.
Philip Sandifer's academic website
Of course, deliberately allowing the DDOS attack to work has the convenient side effect of denying access to all of the damaging evidence on their website revealed in yesterday's groklaw article. Maybe that's why they have decided not to take the simple steps necessary to prevent the attack.
The cynic in me wonders if when the website comes back up, SCO is going to claim that "certain web pages" were destroyed by the attack.
" Title: SCO Says Worm Hasn't Hit Yet; ISPs Are Blocking Them...Right. That's the Ticket.
Author: PJ
Date: Sunday, February 01 2004 @ 02:02 AM EST
The latest from Lindon is that Blake Stowell said on Saturday that MyDoom hadn't hit them yet. The reason they were not reachable was because ISPs have been blocking them. Huh? What about all those interviews? They told the world for days and the SEC in an official filing that MyDoom had hit them already.
Somebody must have finally told SCO that MyDoom was timed for today. Woops.
So now the story is that it's ISPs that are blocking their site, and of course no one in the media remembers what Darl and Co. said just a day or two ago, so of course there are no followup questions. They just print whatever SCO tells them: "US software maker SCO, target of the Mydoom computer virus, said Internet access providers had hobbled its website, fearing infection by what may be the fastest-growing worm ever. "'There are Internet service providers around the world who are blocking access to SCO,' company spokesman Blake Stowell said, adding it was because they believe they !"
OK everybody, let's start jumping to conclusions!
C|N>K
They won't lose a cent, but the CTO and his staff will be missing the Panthers win today!
INSERT INTO comment VALUE('Doh!') WHERE user='you';
In my experience I see more viruses on machines that also have some sort of P2P or AIM software installed. This virus was putting a copy in the user's Kazaa share. There are huge issues with this stuff, but the media continues just to talk about email.
I've been looking at the traffic statistics of some European internet exchanges and none of them seem to have more traffic than usual.
The 2 reasons I can think of:
1) There is no extra traffic. (maybe a little)
2) All traffic goes through transit providers (because it should go to the U.S.)
If there are over 200,000 machines infected by MyDoom there should be noticeable extra traffic.
References
Amsterdam
London
Brussel
Paris
Is version as widespread as version A? What, if anything, is Microsoft doing to prepare for the coming DoS attack?
You say things that offend me and I can deal with it. Can you?
Pretty sure it's real... :p
"Sic Semper Tyrannosaurus Rex."
www.sco.com has been pulled from their DNS records. Their whois info shows four DNS servers: ns.calderasystems.com, ns2.calderasystems.com, c7ns1.center7.com and nsca.sco.com. AFAIK ns.sco.com, ns1.sco.com and ns2.sco.com used to be their DNSs of record. I ran a quick check of www.sco.com on all seven servers and found it had been removed. Since there is no IP number for that name, SCO never sees the HTTP request.
I personally would've changed it to lo (127.0.0.1) so at least other DNS servers would cache the first request (and serve out copies without checking), thus avoiding a lot of those hits to their DNS servers every time MYDOOM makes its request. Even with their current setup they should avoid most of the force of MYDOOM (unless it attacks a range of active names and/or numbers).
The better solution, if they want to keep their web server alive, is to channel all requests to another web server with a thin pipe (say a T1) right off a backbone that reads the HTTP client header, discards the MYDOOM requests (along with some real ones) and forwards everyone else to their real HTTP server (say www2.sco.com). This could greatly minimize MYDOOM's damage, changing a hurricane into a rain shower.
On the other hand, doing it their way allows them to more easily cry "poor [sco]", claim this attack completely shut them down, have a record of exactly how many attacks they're getting and claim they lost business (like they had any anyways). This whole attack has "script kiddie" written all over it. If the author lives in the US there's a fair chance they'll catch him, and then he's SOL. In my opinion MYDOOM discredits the GNU/Linux community. SCO sucks but this isn't the way. An opinion shared by most in our community.
"And a voice was screaming: 'Holy Jesus! What are these goddamn animals?'" - HST
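The front-end filter sketched in the post above (read the client headers, discard the worm's requests, forward everyone else to the real server) as an added example; it is not code from the thread or from SCO. The worm's real request signature is not given on this page, so the User-Agent value matched here is a constructed placeholder, and the upstream name www2.sco.com is taken from the post.

```python
"""Front-end HTTP request filter: classify each raw request as 'drop' or
'forward', rewrite the Host header for the upstream, and keep counters
so the operator has a record of how many requests were discarded."""
from collections import Counter

# Constructed placeholder signature; NOT the real worm's User-Agent.
SUSPECT_USER_AGENTS = ("DDOS-PLACEHOLDER-AGENT",)
UPSTREAM = "www2.sco.com"  # the "real" web server named in the post

stats = Counter()  # forwarded / dropped / malformed


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def classify(raw: bytes) -> str:
    """Return 'drop' for requests matching the placeholder signature or
    for malformed requests, 'forward' for everything else."""
    try:
        _method, _target, _version, headers = parse_request(raw)
    except (ValueError, IndexError, UnicodeDecodeError):
        stats["malformed"] += 1
        return "drop"
    if headers.get("user-agent", "") in SUSPECT_USER_AGENTS:
        stats["dropped"] += 1
        return "drop"
    stats["forwarded"] += 1
    return "forward"


def rewrite_for_upstream(raw: bytes, upstream: str = UPSTREAM) -> bytes:
    """Rewrite the Host header so a forwarded request targets the real server."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            line = b"Host: " + upstream.encode("ascii")
        out.append(line)
    return b"\r\n".join(out) + sep + body
```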
Not sure what's going on here but:
C:\>ping www.sco.com
Unknown host www.sco.com.
C:\>ping www2.sco.com
Pinging www2.sco.com [216.250.128.33] with 32 bytes of data:
Reply from 216.250.128.33: bytes=32 time=71ms TTL=49
Reply from 216.250.128.33: bytes=32 time=69ms TTL=49
Reply from 216.250.128.33: bytes=32 time=69ms TTL=49
Reply from 216.250.128.33: bytes=32 time=68ms TTL=49
Ping statistics for 216.250.128.33:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 68ms, Maximum = 71ms, Average = 69ms
The first ping, the "Unknown host" failure, is NOT a DoS failure. It means their www.sco.com DNS record has been removed from the public database so that nobody can look up the IP address anymore. You can try to ping (or load the web page) all you want but your computer is doing nothing because it doesn't know what IP address to go for.
The second ping, the success, works great. If www2.sco.com is on the same physical connection that www.sco.com normally is on, then this demonstrates that their network connection is not currently encountering any significant attack.
-- laws are the opinions of politicians --
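The distinction the post above draws (no DNS record at all, versus a name that resolves but whose host does not answer) as an added diagnostic example, not code from the thread. The resolver and connect steps are injectable so the logic can be exercised offline with constructed fakes; the default path uses the standard socket library.

```python
"""Classify a hostname as 'no_dns_record', 'resolves_unreachable' or
'reachable', so a removed DNS entry is not mistaken for a successful DoS."""
import socket


def _tcp_connect(addr, timeout):
    """Default connect step: open and immediately close a TCP connection."""
    with socket.create_connection(addr, timeout=timeout):
        return True


def diagnose(host, port=80, resolve=socket.getaddrinfo, connect=None, timeout=3.0):
    """Resolve first; only if that succeeds try a TCP connect.
    Both failures are OSError subclasses (gaierror, timeout, refused)."""
    try:
        infos = resolve(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return "no_dns_record"  # e.g. "Unknown host" in the post's first ping
    if not infos:
        return "no_dns_record"
    addr = infos[0][4]  # (ip, port) sockaddr from getaddrinfo
    try:
        if connect is None:
            _tcp_connect(addr, timeout)
        else:
            connect(addr)
    except OSError:
        return "resolves_unreachable"  # the case that would suggest a real DoS
    return "reachable"


def demo():
    """Offline run with constructed fakes mirroring the post's two pings."""
    def no_record(*_a):
        raise OSError("Unknown host")

    def has_record(*_a):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("216.250.128.33", 80))]

    return {
        "www.sco.com": diagnose("www.sco.com", resolve=no_record),
        "www2.sco.com": diagnose("www2.sco.com", resolve=has_record, connect=lambda a: True),
    }
```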
Thanks for the info, saved in my ever-growing "SCOpera" files :)
I looked at MyDoom's innards, and it struck me as odd, not typical script-kiddie material at all. I got the sense it was the work of someone whose programming work had *not* previously included this sort of thing. So I'm inclined to agree with the speculation that it's primarily a spammer's zombie-generating tool, built by contract with some starving professional coder, and that the SCO and M$ DoS components are red herrings.
As you say, SC0-baiting is great fun, but illegal attacks do nothing for the case against them (tho they seem to be using it to further their own case *against* themselves, judging by the "time travel" element that Groklaw pointed out) and just make us look bad. SCO is perfectly capable of cutting their own throats without "help".
~REZ~ #43301. Who'd fake being me anyway?