Posted by CmdrTaco from the no-surprise-there dept.
quakeslut writes "It's Feb. 1st everyone... and all of you who have been reading Slashdot know that today MyDoom.A begins its attack... according to Reuters, SCO has already been hit hard. Stay tuned for Tuesday when MyDoom.B hits Microsoft..."
How stupid do you have to be? (by Matrix9180, Score: 5, Interesting)
SCO had plenty of time to prepare for this. They were well aware it was coming. I personally believe it's a publicity stunt. (which probably wouldn't surprise anybody around here).
-- 120chars for a sig is teh suck
Re:How stupid do you have to be? (by SkArcher, Score: 4, Interesting)
Analysis shows that all other sites on that router ring are working properly, that the net is no slower than usual and that you can still download SCO Linux from their site.
SCO Linux includes all the SCO disputed IP under the GPL, so download it now and burn to CD - keep it on a shelf and if anyone tries to claim money show that SCO have given you a license to use the code under the GPL.
--
An infinite number of monkeys will eventually come up with the complete works of/.
Re:How stupid do you have to be? (by mindriot, Score: 4, Interesting)
It might well be a publicity stunt; but it's not like they're completely unprepared, at least according to netcraft:
We had expected that SCO might take www.sco.com out of the DNS in the run up to the MyDoom DDoS payload in order to keep the denial of service http traffic off the Internet. So far, though, www.sco.com still resolves and receives http requests, though closing the connection without sending a response.
That said, the sco.com hostmaster is reserving his options, with the TTL set to just 60 seconds at time of writing.
M$ might not be hit so hard.. (by Anonymous Coward, Score: 4, Interesting)
According to heise.de (in English), MyDoom.B is not nearly as widespread as the A version. According to the article, the A version just had a good start because it was distributed through an IRC botnet. So we will probably not see microsoft.com going down.
How did this virus spread so easily? (by galaga79, Score: 4, Interesting)
What I don't get is how this virus spread so far, considering how hard it must be to get infected by it. You'd have to go out of your way to get infected, since it spreads itself as a zip-compressed attachment.
I can understand how past viruses have spread so quickly, taking advantage of exploits in Outlook and Windows RPC etc., but this doesn't seem to use any exploits whatsoever.
Is it just a lot of stupid users, or am I missing something?
Re:How did this virus spread so easily? (by Phil Wherry, Score: 4, Interesting)
What I find particularly fascinating about all of this is the fact that this is being treated primarily as a user education issue. While it's true that a savvy user can dodge this attack completely by simply not opening the attachment in question, one might still rightly ask, "Why is it that users have to be security-savvy in order to effectively use their computers?" Many of the security problems that we see are, in fact, caused by architectural flaws.
The lack of distinction between executable files and data is the first problem. Windows differentiates between data files and programs through file naming convention; the mere construction of a filename is sufficient to get the operating system to attempt to run it if the user should happen to click on it within the GUI.
Other operating systems don't do this. Unix systems have an attribute separate from the filename that indicates that the file is executable code. This attribute (a permission bit, actually) must be set in order for the code to execute in response to a click from within the GUI (or, for that matter, in response to actions in the command-line interface). Had this worm been effective on a Unix system, it would have required that the user save the attachment as a file, modify the executable permissions for the file, then invoke the application. Most other non-Unix systems with which I've worked are similar; you have to either explicitly communicate to the operating system "run this file as a program" or somehow bless the file in order to turn it into an application.
Once the application is running, we discover the next major architectural flaw: it's possible for most users of Windows to modify the behavior of the operating system itself without realizing it. Most modern operating systems require a user to be in some sort of a privileged mode in order to install applications or otherwise change the behavior of the system. The "su" command (or, better yet, the "sudo" command) in Unix allows one to assume "superuser" privileges for this purpose. In Windows, you have to be logged in as a user with administrative rights to the computer, but there's no simple way to assume and release privileges for the purpose of installing an application. So most users (outside the most restrictive of corporate environments) use their Windows environments from a login with full administrative privileges. This is the equivalent of running one's Unix environment while logged in as "root," a practice regarded as reckless and incompetent. Unfortunately, it's very hard to get work done in Windows any other way.
As a result, malware like the MyDoom worm can take advantage of these administrative privileges in order to make itself harder to remove. It's quite common for such applications to add themselves to the list of things that run when the computer is started up. One variant of the MyDoom worm even goes so far as to damage a network configuration file in order to make it difficult for antivirus software to download updated signature files. These attacks work only because the worm is easily able to gain administrative rights to the computer. There's certainly plenty of mischief that can be perpetrated as an ordinary user, but it's quite a bit easier to prevent when the OS is off-limits. And, when bad things do happen, it's vastly easier to clean up the damage when the integrity of the operating system itself isn't in question.
So, the next time you hear the claim that a security problem is caused by a user acting stupid, consider this: is it really the case that the user is stupid, or is the real stupidity the set of architectural decisions that enable the user to make mistakes?
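The execute-bit distinction drawn above, as an added example that is not part of the original thread: a constructed, harmless "attachment" (a shell script that only echoes a marker) is saved to disk without the execute bit, run directly the way a GUI double-click would run it, and then run again after `chmod u+x`. The payload contents, file name and marker string are all assumptions made for this demonstration; the script needs a POSIX system with `/bin/sh`.

```python
import os
import stat
import subprocess
import tempfile

# Constructed, harmless stand-in for an e-mail attachment: it only prints a marker.
PAYLOAD = "#!/bin/sh\necho payload-ran\n"
MARKER = "payload-ran"


def make_attachment(directory: str) -> str:
    """Save the constructed payload the way a mail client would: as plain data,
    mode rw-r--r--, with no execute permission bit set."""
    path = os.path.join(directory, "attachment.scr")
    with open(path, "w") as f:
        f.write(PAYLOAD)
    os.chmod(path, 0o644)
    return path


def try_run(path: str) -> str:
    """Attempt to execute the file directly (what a double-click amounts to).
    Returns "ran" if the payload executed, "denied" otherwise."""
    try:
        result = subprocess.run([path], capture_output=True, text=True, timeout=5)
    except OSError:
        # execve() refuses a regular file with no execute bit (EACCES), even for root.
        return "denied"
    return "ran" if result.stdout.strip() == MARKER else "denied"


def demo() -> tuple:
    """Run the same file before and after the execute bit is set.
    Returns (result_before_chmod, result_after_chmod)."""
    with tempfile.TemporaryDirectory() as d:
        path = make_attachment(d)
        before = try_run(path)                        # no +x: the kernel refuses
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
        after = try_run(path)                         # user explicitly blessed it
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the post makes: the file's name never enters into the decision; only the permission bit does, and setting it is a deliberate step the user has to take.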
What I want to know is how many people infected their computers on purpose and how many just didn't remove the virus after they found it? Most people won't do a criminal act, but will ignore somebody else's?
Actually, as a private computer techie, I've been removing MyDoom from my clients' computers for the past couple of days. It really is amazing how fast it's spread...
As a Linux geek I must admit to a small snicker at SCO's misfortune here, but it is definitely not the right way to go about solving the SCO problem. All publicity is *NOT* good publicity, and the last thing we need is the world to think "Linux == Geeks spreading virii". I've been taking pains to point out the spam connection with the MyDoom virus, and I think that's the angle we should pursue here. I can only hope that the next loser who DoSes SCO gives us as easy an "it's not us" angle.
-- "Mission Accomplished" -- George W. Bush May 1, 2003
Re:Why today... (by Pharmboy, Score: 5, Interesting)
Sunday isn't even a business day? How much money will they not lose?
There is one basic flaw in your assumption. Granted, for many businesses, this would hold true, but not SCO. Being attacked on Sunday is just as detrimental as being attacked on Wednesday, as it appears they make just as much money when no one is there as they do when the place is fully staffed: nothing.
I am sure they will spin this around and demonstrate how this hurt them terribly, costing them tens, if not hundreds of dollars in potential sales ;) Then again, they will blame the Linux community for this, even though it's solely from a bunch of owned Windows boxes. This is akin to blaming Smith & Wesson for injuries to the neighbors when you fire your gun in random directions.
I think a lot of folks have mixed feelings on this one.
-- "It is a greater offense to steal men's labor, than their clothes"
The virus is spread by UNIX (by Anonymous Coward, Score: 4, Interesting)
Some guy on winnetmag obviously thinks they should be offline, that they must have brought it upon themselves, as he seems to think the virus is the fault of UNIX. He says that "A new email virus called MyDoom is spreading rapidly across the Internet through UNIX mail servers, bringing with it a dangerous attachment that, when opened, can give attackers access to users' computers through an electronic backdoor."
Sheesh, where do they get these people?
Re:Why today... (by pherris, Score: 4, Interesting)
Speaking of FUD... Is there a way to tell if it's actually DoS'd, or if they shut it down themselves??
www.sco.com has been pulled from their DNS records. Their whois info shows four DNS servers: ns.calderasystems.com, ns2.calderasystems.com, c7ns1.center7.com and nsca.sco.com. AFAIK ns.sco.com, ns1.sco.com and ns2.sco.com used to be their DNSs of record. I ran a quick check of www.sco.com on all seven servers and found it had been removed. Since there is no IP number for that name, SCO never sees the HTTP request.
I personally would've changed it to lo (127.0.0.1) so at least other DNS servers would cache the first request (and serve out copies without checking), thus avoiding a lot of those hits to their DNS servers every time MyDoom makes its request. Even with their current setup they should avoid most of the force of MyDoom (unless it attacks a range of active names and/or numbers).
The better solution, if they want to keep their web server alive, is to channel all requests to another web server with a thin pipe (say a T1) right off a backbone that reads the HTTP client header, discards the MyDoom requests (also with some real ones) and forwards everyone else to their real HTTP server (say www2.sco.com). This could greatly minimize MyDoom's damage, changing a hurricane into a rain shower.
On the other hand doing it their way allows them to more easily cry "poor [sco]", claim this attack completely shut them down, have a record of exactly how many attacks they're getting and claim they lost business (like they had any anyways). This whole attack has "script kiddie" written all over it. If the author lives in the US there's a fair chance they'll catch him, and then he's SOL. In my opinion MYDOOM discredits the gnu/linux community. sco sucks but this isn't the way. An opinion shared by most in our community.
-- "And a voice was screaming: 'Holy Jesus! What are these goddamn animals?'" - HST
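The front-end screen pherris sketches (read the client's request head, discard the flood, forward the rest, and keep a count), as an added example that is not part of the original thread. The thread does not document what MyDoom's HTTP requests actually looked like, so the bot fingerprint here (a User-Agent string) is a placeholder assumption, as are the upstream hostname and the sample requests, which are constructed for the demonstration. Real traffic with no User-Agent is dropped too, which is the "also with some real ones" cost the post accepts.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Hypothetical fingerprint: NOT a real MyDoom signature, just a stand-in for one.
HYPOTHETICAL_BOT_AGENTS = frozenset({"mydoom-bot/0.1"})

# Hypothetical real server the thin front end forwards to (assumed name).
REAL_UPSTREAM = "www2.example.invalid"


@dataclass(frozen=True)
class Decision:
    action: str    # "drop" or "forward"
    reason: str


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split the request head into the request line and a lower-cased header map.
    Only the head (up to the blank line) is examined; the body is never read."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def screen(raw: bytes) -> Decision:
    """Decide whether one request is dropped at the thin pipe or forwarded."""
    request_line, headers = parse_request_head(raw)
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return Decision("drop", "malformed request line")
    if parts[2] == "HTTP/1.1" and "host" not in headers:
        return Decision("drop", "HTTP/1.1 request without Host header")
    agent = headers.get("user-agent", "").lower()
    if not agent:
        return Decision("drop", "no User-Agent header")
    if agent in HYPOTHETICAL_BOT_AGENTS:
        return Decision("drop", "User-Agent matches flood fingerprint")
    return Decision("forward", "forward to " + REAL_UPSTREAM)


def tally(requests: Iterable[bytes]) -> Dict[str, int]:
    """Count decisions so the operator has a record of how much was shed."""
    counts = Counter(screen(r).action for r in requests)
    return {"drop": counts["drop"], "forward": counts["forward"]}


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.sco.com\r\nUser-Agent: Mozilla/5.0 (constructed)\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.sco.com\r\nUser-Agent: MyDoom-Bot/0.1\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",
    b"FLOOD\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(screen(req))
    print(tally(SAMPLE_REQUESTS))
```

Because only the request head is parsed, the filter's per-request cost stays small, which is what lets a box on a thin pipe survive the volume it is shedding.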
Re:Why today... (by Reziac, Score: 4, Interesting)
Thanks for the info, saved in my evergrowing "SCOpera" files:)
I looked at MyDoom's innards, and it struck me as odd, not typical script-kiddie material at all. I got the sense it was the work of someone whose programming work had *not* previously included this sort of thing. So I'm inclined to agree with the speculation that it's primarily a spammer's zombie-generating tool, built by contract with some starving professional coder, and that the SCO and M$ DoS components are red herrings.
As you say, SCO-baiting is great fun, but illegal attacks do nothing for the case against them (though they seem to be using it to further their own case *against* themselves, judging by the "time travel" element that Groklaw pointed out) and just make us look bad. SCO is perfectly capable of cutting their own throats without "help".