Latest MyDoom Variant Gives Google Problems
Devil's BSD writes "It seems like the latest MyDoom worm variant has caused a bit of an Internet storm. Google, at this time (12:28 EDT), is returning 503 errors on all queries submitted from certain locations. The MyDoom variant searches the user's address book for email domains (i.e. @yahoo.com) and searches various engines (such as Google) for email addresses in that domain."
The fact that Google went down appears to have affected the BBC, given that it was given headline news on the radio. Proof that Google has become a worldwide institution (or maybe just where the BBC does some of its "research" :) )
Webmasterworld has an interesting thread which details that the problems are user-agent and locality specific (for me in SoCal, IE and Firefox are borked, Konqueror is working, but others report no problem with Mozilla or no problems in certain locales).
How do I keep track of people who are fingering
I'm getting this every time, nothing to do with the search string:
Server Error
The service you requested is not available at this time.
Service error -27
"we demand rigidly defined areas of doubt and uncertainty!"
I got the "forbidden search" error as well. I'm curious what the apparently encrypted string at the bottom of the page contains? The page says to include it in any correspondence to the Head Googlers. If another person runs the search, will they get a different string? I'd think so -- it probably includes referrer-ID and IP address.
It starts and ends with a string of "/+" characters that give the Slashdot Lameness Filter fits. Notice the text string "taco" about 2/3 of the way through the file. Coincidence?
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
I have a domain that I host mail for, let's call it thedomain.net. Every day, 24 hours a day, I get connections from thousands of different computers all sending mail to bernard@thedomain.net, ashley@thedomain.net, and any one of a hundred thousand other possible names at @thedomain.net that don't exist. These machines that connect to my machine are using the user unknown bounces to send spam to forged return addresses.
Naturally I put in a script to watch for this, drop the mails and ban the IPs, but I've been running the thing for a few days and I have 5000 banned IP addresses in my ipchains firewall!!! I am beginning to think that the number of compromised Windows machines out there has led to an absolute security CATASTROPHE of science fiction proportions. The machines attacking me, according to ARIN, are located all over the world.
I'm not really that important or interesting a target, having a measly DSL line, but yes, I get constant connections from many different computers all over the world all day trying to use me to bounce mail.
I really think, if people knew how huge the number of compromised Windows machines out there is, people would be embarrassed to recommend Microsoft products.
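The comment above describes a directory-harvest / backscatter pattern: one source connecting repeatedly with many nonexistent recipients at the hosted domain, relying on the bounce to deliver spam to a forged sender. The following is an added example, not code from the original post or from any commenter, showing how such a watcher script can work: it parses constructed Postfix-style "User unknown" rejection lines, counts distinct unknown recipients per client IP (the harvest signature; a single typo from a legitimate sender does not trip it), emits ipchains DENY rules for offenders, and makes the recipient decision at RCPT time so that no bounce is ever generated. The log format, IP addresses (RFC 5737 documentation ranges), recipients, the `VALID_USERS` set and the threshold of 5 are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in a Postfix-style format (not from the original post).
# 192.0.2.10 probes five different nonexistent names, 198.51.100.7 retries one
# name in two spellings, and mail.example.org makes a single typo.
SAMPLE_LOG = """\
Jul 26 10:01:02 mx postfix/smtpd[4311]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <bernard@thedomain.net>: User unknown
Jul 26 10:01:02 mx postfix/smtpd[4311]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <ashley@thedomain.net>: User unknown
Jul 26 10:01:03 mx postfix/smtpd[4311]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <carl@thedomain.net>: User unknown
Jul 26 10:01:03 mx postfix/smtpd[4311]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <dana@thedomain.net>: User unknown
Jul 26 10:01:04 mx postfix/smtpd[4311]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <erin@thedomain.net>: User unknown
Jul 26 10:02:10 mx postfix/smtpd[4320]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <bernard@thedomain.net>: User unknown
Jul 26 10:02:11 mx postfix/smtpd[4320]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <Bernard@thedomain.net>: User unknown
Jul 26 10:03:00 mx postfix/smtpd[4325]: 7F3A1: client=mail.example.org[203.0.113.5]
Jul 26 10:03:01 mx postfix/smtpd[4325]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.5]: 550 <bob@thedomain.net>: User unknown
"""

# Matches the client IP and the rejected recipient of a "User unknown" line.
UNKNOWN_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 550 <(?P<rcpt>[^>]+)>: User unknown"
)

# Assumed mailbox list for the policy decision below (constructed).
VALID_USERS = {"alice@thedomain.net", "postmaster@thedomain.net"}


def unknown_recipients_by_ip(log_text):
    """Map each client IP to the set of distinct (case-folded) unknown recipients it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            seen[m["ip"]].add(m["rcpt"].lower())
    return seen


def harvesters(log_text, threshold=5):
    """IPs that probed at least `threshold` distinct nonexistent recipients."""
    counts = unknown_recipients_by_ip(log_text)
    return sorted(ip for ip, rcpts in counts.items() if len(rcpts) >= threshold)


def ipchains_rules(ips):
    """Render DENY rules in the syntax of ipchains, the firewall the comment uses."""
    return ["ipchains -A input -s %s -j DENY" % ip for ip in ips]


def rcpt_policy(client_ip, recipient, banned, valid_users=VALID_USERS):
    """Decide at RCPT TO time. Refusing here means the message is never accepted,
    so no bounce (and no backscatter to the forged sender) is ever produced."""
    if client_ip in banned:
        return "554 client blocked"
    if recipient.lower() not in valid_users:
        return "550 User unknown"
    return "250 OK"


if __name__ == "__main__":
    offenders = harvesters(SAMPLE_LOG)
    for rule in ipchains_rules(offenders):
        print(rule)
```

The threshold is on distinct recipients rather than raw connection count, which is what separates a harvester from a legitimate sender retrying one mistyped address. The SMTP-time refusal is the part that removes the abuse value of the server: once nothing is accepted for an unknown user, there is no bounce to deliver the spam.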
There have been many reports recently of virus writers attempting to blackmail companies. Having this virus, an obvious DDoS attack on Google, happen the same day that Google announced the price of its IPO shares is just what you would expect if Google didn't pay the blackmail.
I don't know how we'll ever be able to test this hypothesis, but I think that something stinks here.
thad
I love Mondays. On a Monday, anything is possible.
All of my queries that are sent directly through Google's website return "Service error -27."; however, all queries sent through the Opera web browser have no problem. Once I've succeeded in a search I cannot do anything else through Google (next, cache, etc.), because it does not contain a "sourceid=opera" in the query. By copying the address created by Opera, I was able to successfully search using IE. The address I used was "http://www.google.com/search?q=test&sourceid=opera&num=0&ie=utf-8&oe=utf-8", where "test" was what I was searching for.
Some of the systems, both Windows and Linux, are having this problem, while others are not, despite being on the same subnet (on our NOC LAN here in the UK).
Go figure. Session-handling switches deciding which IPs go where and some of Google's end servers being borked is my best guess.
Oh the days of Mozilla, Navigator Gold & Mortal Kombat (the first one) - [gets teary eyed]
Hate to give them ideas, but: search the cached response, and Google colors the words. Then just look for the font color tags. That shows exactly where the address is. Wouldn't be that difficult.
I still have more fans than freaks. WTF is wrong with you people?
This is the 403 Forbidden I get when submitting a gmail address... The most thorough 403 I've ever seen.
... Otherwise the service works as usual here in Scandinavia.
Forbidden
Your client does not have permission to get URL /search?q=anything@gmail.com&ie=UTF-8&oe=UTF-8 from this server. (Client IP address: [xx.xx.xx.xx])
Please see Google's Terms of Service posted at http://www.google.com/terms_of_service.html
If you believe that you have received this response in error, please send email to forbidden@google.com. Before sending this email, however, please make sure to take a look at our Terms of Service (http://www.google.com/terms_of_service.html). In your email, please send us the entire code displayed below. Please also send us any information you may know about how you are performing your Google searches -- for example, "I'm using the Opera browser on Linux to do searches from home. My Internet access is through a dial-up account I have with the FooCorp ISP." or "I'm using the Konqueror browser on Linux to search from my job at myFoo.com. My machine's IP address is 10.20.30.40, but all of myFoo's web traffic goes through some kind of proxy server whose IP address is 10.11.12.13." (If you don't know any information like this, that's OK. But this kind of information can help us track down problems, so please tell us what you can.)
We will use all this information to diagnose the problem, and we'll hopefully have you back up and searching with Google again quickly!
Please note that although we read all the email we receive, we are not always able to send a personal response to each and every email. So don't despair if you don't hear back from us!
Also note that if you do not send us the entire code below, we will not be able to help you.
[long-ass-code removed]
It is a base64 encoding. Running it through decode-base64 and piping it to the file utility just says it's data. Running strings on the decoded output doesn't yield anything interesting either.
$ decode-base64 google.txt | file -
----
There are no viruses that run as services. Unless you care to show me one. They're all userspace processes. And it ultimately doesn't matter that the user is running under the equivalent of root on Windows - you can delete ~/ just as easily or turn the box into a spam zombie. What you can't do is render the box unusable, but that's not the problem here.
You seem to forget that using Linux means you are no longer married to Intel.
You seem to forget that if the day comes when Linux is actually a viable desktop OS that the unwashed masses can use, your claim of "monoculture is teh badd" will be immediately invalidated. There is simply no chance in hell that 5 million people (to use a number) will be using a slightly different version of Mandrake or RedHat. They'll be using whatever came preinstalled with the eMachines they bought from Wal-Mart or BestBuy. There is no chance in hell 23% of them will be running a SPARC and the rest an Intel box. Or perhaps you think 5 million people will suddenly decide to just download Linux and install it themselves on their Windows partition? Or over their Solaris one? They can do that now and Linux is nowhere on the desktop, so that little theory just doesn't pan out.
Oh, and a bash script on a tar file with the execute bit set is pretty much platform independent.
Other than that, your clueless rambling is right on spot.
Doesn't surprise me in the least. Perhaps the spammers and MyDoom authors are really pissed off that I hosed more than 200,000 of their infected hosts over the past month, so they are taking it out on Google.
When is M$ going to be part of the solution instead of always being part of the problem? We've just GOT to get more people into using UNIX-based platforms.
Google has a lot of computer scientists and techies, and all they need to do is write a quick regex to match these "banned" searches, slap a 72-hour ban on any IP that's the source of more than, say, 1000 "banned" searches in a day, reply with a static page that says "SOL, your request came from an infected computer, contact your sysadmin" and then start looking for a more fundamental and elegant solution for a long-term fix.
They'll have this patched over in less than 24 hours, for certain.
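The comment above sketches a concrete mitigation: match the worm's harvest queries with a regex, count matches per source IP over a day, ban any IP over a threshold for 72 hours, and answer with a static page. The following is an added example, not Google's code and not from the original post, that implements exactly that rate-limit-and-ban logic with a rolling window and ban expiry. The email-address regex, the verdict names (`allow`, `forbidden`, `banned`), the timestamps and IPs in the usage are assumptions for the example; the threshold, window and ban length are the comment's own numbers.

```python
import re
from collections import defaultdict, deque

# Harvest-looking query: contains something shaped like an email address.
# The pattern is an assumption for this example, not the worm's actual query set.
HARVEST_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Static reply suggested in the comment; served instead of search results.
STATIC_PAGE = (403, "SOL, your request came from an infected computer, contact your sysadmin")


class HarvestGuard:
    """Count harvest queries per source IP over a rolling window and ban the IP
    for ban_seconds once the count within the window exceeds the threshold."""

    def __init__(self, threshold=1000, window=24 * 3600, ban_seconds=72 * 3600):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.hits = defaultdict(deque)   # ip -> timestamps of harvest queries in window
        self.banned_until = {}           # ip -> time at which the ban lapses

    @staticmethod
    def is_harvest_query(query):
        return HARVEST_RE.search(query) is not None

    def check(self, ip, query, now):
        """Return 'allow', 'forbidden' (this query refused, IP not yet banned)
        or 'banned' (every request from the IP refused until the ban lapses)."""
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return "banned"
            del self.banned_until[ip]          # ban has expired; start clean
        if not self.is_harvest_query(query):
            return "allow"
        window_hits = self.hits[ip]
        window_hits.append(now)
        cutoff = now - self.window
        while window_hits and window_hits[0] <= cutoff:
            window_hits.popleft()              # drop hits older than the window
        if len(window_hits) > self.threshold:
            self.banned_until[ip] = now + self.ban_seconds
            window_hits.clear()
            return "banned"
        return "forbidden"


def respond(guard, ip, query, now):
    """Front-end decision: real results only for an allowed query, static page otherwise."""
    if guard.check(ip, query, now) == "allow":
        return (200, "search results")
    return STATIC_PAGE


if __name__ == "__main__":
    guard = HarvestGuard(threshold=3)        # small threshold so the demo bans quickly
    source = "192.0.2.10"                    # constructed client address
    for t, q in enumerate(["mydoom worm", "bob@example.com", "carol@example.com",
                           "dave@example.com", "erin@example.com", "mydoom worm"]):
        print(t, q, guard.check(source, q, t))
```

Two caveats a deployment of this would have to handle: the per-IP counter punishes every user behind a shared proxy or NAT (the Google 403 page quoted earlier in this thread asks about exactly that), and the ban table must be bounded or expired for memory to stay flat under a worm-scale flood; the example already evicts stale hits and deletes lapsed bans on the next request from that IP.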
May we never see th
It is efficient enough to spread fast and wide. By the time Google had a chance to respond to this, the virus had probably attacked 90% of the targets at least once. All Google could do is reduce follow-on attacks somewhat. I was hit 450 times, and that is not counting the attacks that the spam filter just disconnected on.
I don't think the real target was Google. MyDoom has been launched several times and 2 out of 3 times there has been an uptick in phishing fraud attacks just afterwards. I don't think that the target was really SCO or Microsoft. Attacking them was just a way to throw investigators off the trail and also to work out which machines would make reliable zombies.
These guys use zombie machines for several purposes. They use them to send spam, to capture credit card numbers and to hide their tracks.
I think it is time to admit defeat with the anti-virus scanning software. We should simply block all executable attachments and zip files containing executable code. Fortunately most encrypted zip file formats do not encrypt the manifest so encrypted files can be blocked.
This type of technology can be written once and is then pretty much maintenance free. Maybe an occasional tweak but nothing like the constant need to work out the signatures of new viruses.
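The comment above proposes blocking executable attachments and zip files that contain executable code, and notes that common zip encryption leaves the manifest (the central directory) in the clear. The following is an added example, not from the original post or any commenter, that shows both halves: a small builder that constructs an in-memory zip with one member flagged as encrypted (the "ciphertext" is a placeholder, not real PKZIP encryption), and a scanner that reads member names and the encryption flag from the central directory with the standard library's `zipfile`, flags executable-looking names even when the content is unreadable, and additionally checks the `MZ` PE signature on members it can read. The member names, payloads and extension list are assumptions for the example.

```python
import io
import re
import struct
import zipfile
import zlib

# Extensions treated as executable for this example (a heuristic; not exhaustive).
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js|cpl)$", re.IGNORECASE)

# Constructed members: (name, payload, encrypted). One benign text file, one
# double-extension executable hidden behind the encryption flag, and one
# PE payload with an innocent-looking extension.
SAMPLE_MEMBERS = [
    ("report.txt", b"quarterly numbers", False),
    ("invoice.pdf.exe", b"MZ" + b"\x90" * 30, True),
    ("setup.bin", b"MZ" + b"\x00" * 30, False),
]


def build_zip(members):
    """Write a minimal stored (uncompressed) zip: local headers, central directory,
    end-of-central-directory record. For encrypted members only the general-purpose
    flag bit 0 is set and the body is obscured; this stands in for real encryption."""
    out = io.BytesIO()
    central = []
    for name, payload, encrypted in members:
        name_b = name.encode("ascii")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        flags = 0x1 if encrypted else 0
        body = (b"\x00" * 12 + bytes(b ^ 0x5A for b in payload)) if encrypted else payload
        offset = out.tell()
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(body), len(payload), len(name_b), 0)
        out.write(local + name_b + body)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                                   0, 0x21, crc, len(body), len(payload), len(name_b),
                                   0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = out.tell()
    cd = b"".join(central)
    out.write(cd)
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                          len(cd), cd_offset, 0))
    return out.getvalue()


def scan_archive(zip_bytes):
    """List members that should be blocked. Names and the encryption flag come from
    the central directory, which PKZIP-style encryption does not protect, so an
    encrypted archive still reveals what it carries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            reasons = []
            if EXEC_EXT.search(info.filename):
                reasons.append("executable extension")
            if not encrypted:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":      # DOS/PE executable signature
                        reasons.append("PE header")
            if reasons:
                findings.append({"name": info.filename, "encrypted": encrypted,
                                 "reasons": reasons})
    return findings


def should_block(zip_bytes):
    return bool(scan_archive(zip_bytes))


if __name__ == "__main__":
    for finding in scan_archive(build_zip(SAMPLE_MEMBERS)):
        print(finding)
```

The extension check is the only test available for the encrypted member, which is why the comment's policy treats the manifest as sufficient evidence; the `MZ` check catches the unencrypted case where the attacker renamed the file instead. A gateway that used this would also want to recurse into nested archives and to apply the same name check to the outer attachment filename.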
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/