Latest MyDoom Variant Gives Google Problems

Devil's BSD writes "It seems like the latest MyDoom worm variant has caused a bit of an Internet storm. Google, at this time (12:28 EDT), is returning 503 errors on all queries submitted from certain locations. The MyDoom variant searches the user's address book for email domains (i.e. @yahoo.com) and searches various engines (such as Google) for email addresses in that domain."

Alright, this means war

Virus writers want to attack Microsoft or SCO, fine... but this... this is war! YOU DO NOT ATTACK THE GOOGLE!!!

Re:Alright, this means war

[aardwolf204]

Ahem, its TEH GOOGLE! get it right

Re:Alright, this means war

[SatanicPuppy]

Heh. This gives a whole new meaning to the phrase "Google Bombing"

Doesn't seem like it would be all that efficient to google for email addresses. You'd have to do some parsing on the other end to dig them out of the rest of the page content, maybe a little work to make sure they weren't spam armored. Of course, I guess if you've hijacked some poor slobs computer, CPU cycles aren't really your problem anymore.

Re:Alright, this means war

[AuMatar]

Hate to give them ideas, but- search the cached response, and goodle colors the words. Then just look for the font color tags. That shows exactly where the address is. Wouldn't be that difficult.

Re:Alright, this means war

[didde]

This is the 403 Forbidden I get when submiting a gmail address... The most thourough 403 I've ever seen.

Forbidden
Your client does not have permission to get URL /search?q=anything@gmail.com&ie=UTF-8&oe=UTF-8 from this server. (Client IP address: [xx.xx.xx.xx])

Please see Google's Terms of Service posted at http://www.google.com/terms_of_service.html

If you believe that you have received this response in error, please send email to forbidden@google.com. Before sending this email, however, please make sure to take a look at our Terms of Service (http://www.google.com/terms_of_service.html). In your email, please send us the entire code displayed below. Please also send us any information you may know about how you are performing your Google searches-- for example, "I'm using the Opera browser on Linux to do searches from home. My Internet access is through a dial-up account I have with the FooCorp ISP." or "I'm using the Konqueror browser on Linux to search from my job at myFoo.com. My machine's IP address is 10.20.30.40, but all of myFoo's web traffic goes through some kind of proxy server whose IP address is 10.11.12.13." (If you don't know any information like this, that's OK. But this kind of information can help us track down problems, so please tell us what you can.)

We will use all this information to diagnose the problem, and we'll hopefully have you back up and searching with Google again quickly!

Please note that although we read all the email we receive, we are not always able to send a personal response to each and every email. So don't despair if you don't hear back from us!

Also note that if you do not send us the entire code below, we will not be able to help you.

[long-ass-code removed]

... Otherwise the service works as usual here in Scandinavia.

Oh no

Now my hotmail account will start getting spammed :(

i was wondering

[The+Other+White+Boy]

i was getting errors when trying to search, but people i was talkin to online elsewhere in the country were fine. my whole office was screwin up.

gmail still works tho, hrm.

Re:i was wondering

i was getting errors when trying to search, but people i was talkin to online elsewhere in the country were fine. my whole office was screwin up
gmail still works tho, hrm.

You work in corporate communications, don't you?

Re:i was wondering

[poptix_work]

They sent out the email to.. not open your email

How amazingly typical.

Ah hah

[suso]

I thought I was going nuts, I've never had google give me problems.

I found it hard to remember the names of other search engines that I could use though.

Re:Ah hah

[boredMDer]

Other....search engines?

Do explain such a foreign concept as this.

Google is the one, the almighty.

Re:Ah hah

[Jim+Hall]

I found it hard to remember the names of other search engines that I could use though.

You could do a Google search for them, I suppose... :-)

Re:Ah hah

[suwain_2]

Just do a search for related:www.google.com, and Google will tell you.

Oh, wait...

Re:Ah hah

[ehiris]

I misspelled yahoo 3 times before I got it right.

Re:Ah hah

[gmuslera]

AllTheWeb and Teoma are good alternatives, as far I remember, and do some things in a smarter way than Google. MSN search is supposed to be improved in a beta URL (there was an history here about it some weeks ago)

And you have also metasearchers, that not only search google, but also others. If you want almost the opposite of google in simplicity, you can try Kartoo, where you can have graphs with aggrupations on search results, flash animations and things like that.

Last, but not least, there are a search engine that you can use to find search engines very close to you. If its good enough, probably there is a Slashdot article on it, so slashdot search is a good first step if all the other search engines you know are down but you still can access slashdot.

Re:Ah hah

[Saeed+al-Sahaf]

Yes you can. Surprisingly, Google is not at the top of the list.

Well, you could IF Google wasn't returning:

Server Error
The service you requested is not available at this time.
Service error -27.

Re:Ah hah

[skinfitz]

What's a search engine?

I tried googling for it but it just took me to the home page. I think it's broken.

Re:Ah hah

[TimeZone]

I tried to google "Service Error -27" to find out what the problem was.

It took about 10 seconds for me to realize I was a dumbass.

TZ

Re:Ah hah

[Winkhorst]

Have you considered buying a dictionary? You can get them at Amazon or your local bookstore. That's the place where they sell those old-fashioned paper thingies that have words printed on paper.

Only Google web search down?

[sup191]

Everything else seems to be ticking ok (news, images, Froogle, etc...)

Yup

I'm getting "
Server Error
The service you requested is not available at this time.
Service error -27
"
for all of my search attempts.

Shouldn't that be easy to fix?

[ggvaidya]

If MyDoom uses certain search strings, you just dump all such searches? Worse case, just dump any search for anything which looks like an e-mail account?

Re:Shouldn't that be easy to fix?

[Zaiff+Urgulbunger]

Does it have a UA string like "MyDoom-O (1.0 final)" or anything?

What a day to have problems!

[AKAImBatman]

CNN is on behind me, and they've been talking about nothing but Google's IPO. Seems like really bad timing for Google. :-(

The end of the world!

[Jamori]

Google is down ... the world is ending! The beginning of the apocalypse! (I can't even check if I spelled that right without google)

Nostradomus predicted this right?

[craenor]

Google going down is the first sign of the apocalypse. Now if my wife asks me for sex (the second sign), I'll know the world is going to end...

Re:Nostradomus predicted this right?

she asked me for sex - does that count? :)

Re:Nostradomus predicted this right?

[craenor]

Sadly, that's not a sign of the Apocalypse, that's the sign that it's Monday.

Re:Nostradomus predicted this right?

[Gilmoure]

craenor's wife has never asked me for sex on Monday...

Re:Nostradomus predicted this right?

[Atario]

Google going down is the first sign of the apocalypse. Now if my wife asks me for sex (the second sign), I'll know the world is going to end...

I can't believe you didn't make the obvious joke there. I mean, c'mon. Think about it. "Going down"..."my wife"...Jebus! It fairly slaps you in the face! And you call yourself a Slashdotter...

Re:Nostradomus predicted this right?

Lucky you... /sigh

Google key

[xenostar]

To use the Google API you need a key generated by Google, which requires a small registration, so, while of course, if the perpetrator did fill it out, he probably put in fake information, it would still be a good place to start looking.

Re:Google key

[hrieke]

Why not (since it's windows programming), create an IE object and have it return the results, this it would appear to Google to be nothing more than just normal traffic?

Time for a new error

[Quasar1999]

503? screw that... why not have a new error number designated specifically for MS infected systems... error 999: The operating system you are using is insecure and has been exploited... you are partially responsible for bringing this server to its knees... Now go in the corner and think about what you've done.

Re:Time for a new error

[drmellow]

999? No, make it 666. That'll be more fun.

Google is that big

[frankthechicken]

The fact that Google went down appears to have affected the BBC, given that it was given headline news on the radio. Proof that Google has become a world wide institution(or maybe just where the BBC does some of it's "research" :) )

What locations?

[ErichTheWebGuy]

is returning 503 errors on all queries submitted from certain locations

Is that geographic locations, IP blocks, or what? I can use Google just fine at the moment, but have heard of trouble in California (I am in Colorado). TFA gives no details. Anyone have answers?

Re:What locations?

[LearnToSpell]

I can search from home (SSH), but not from work (~15 miles away), in NY.

Queries blocked

[GoRK]

The query that google seems to block in order to work around this problem is a query for "mailer-daemon@domain.com" where "domain.com" is pretty much anything.

No Problem...

[Pirogoeth]

...just use Google's alternate search form...

Re:Hrm

[slthytove]

I would normally use Google to figure out the answer to your question, but, uh...

My one permitted tin-foil hat question for today.

[Rude+Turnip]

OK, so if Microsoft comes out with an antivirus product, what incentive do they have to immunize Windows-based computers against worms that attack their competitors? (i.e. Google vs MSN Search).

My Doom? Oh My

[Yo+Grark]

All Hail My Doom.

For doing the very thing we always failed at doing.

OH MY GOD, YOU SLASHDOTTED GOOGLE, YOU BASTARDS!

Yo Grark

Re:My Doom? Oh My

[polyp2000]

It's difficult to imagine that there are more instances of MyDoom querying google than actual people. That would indicate that this thing is riddled an absurdly enormous number of windows machines.

Nick

Re:My Doom? Oh My

[bawb]

The virus can do searches far faster than a human, it also doesn't get tired, bored, or scurry off to another part of the web when it's found what it's looking for.

Re:My Doom? Oh My

[mangu]

this thing is riddled an absurdly enormous number of windows machines.

Or maybe just that the infected machines are generating thousands of queries each. In these days of multi-GHz CPU's and broadband, it wouldn't take as many millions of machines to /. Google.

Google is doing fine for regular searches...

[stienman]

Perhaps I'm simply 'located' better, but I can do regular google searches just fine.

But when I ask for "email slashdot.org" it returns a forbidden search page.

So it looks like Google is primarily stopping searches that are typical of this virus, but they may also have automated filtering that stops searches which are too many from IPs and netblocks. This part is probably something they implemented long ago.

But google is going slower for me today, and sometimes it stalls (some of the frontend machines dropping out a bit more frequently than usual?)

-Adam

Re:Google is doing fine for regular searches...

[RobertB-DC]

But when I ask for "email slashdot.org" it returns a forbidden search page.

I got the "forbidden search" error as well. I'm curious what the apparently encrypted string at the bottom of the page contains? The page says to include it in any correspondence to the Head Googlers. If another person runs the search, will they get a different string? I'd think so -- it probably includes referrer-ID and IP address.

It starts and ends with a string of "/+" characters that give the Slashdot Lameness Filter fits.

2r0A6dsI7ZSqFcXMcZGaqVp9OyBGpRpEx8zC0r2-fDqTp9VRX
Oa5KPnpeHBfPq5nCWFmRKN0EGLyQNyT_Jpi2w_Gph5Lmj8QTC
I2ARob9EUpW81ypiueUArxRWXxACzVAiOlt4-1b-k4fXoLYu6
hgf9EwNsXjUpPHOy7iTskkZaA8BvJjCPZIo70EWJtQ5FEGtIO
ao9GoeUBxkRmSkIPqlxvhdGEkOx_YYAK2FgokfoRJtqZlutIr
NFHKoo6EF0wTy4dfsHMPmsLbK49OLE5m_kM-FQw0q7LyFhAnj
e4leVjmnj0cWa_PQeUJ8aO4MRUb2C2fY0_v77HgHDY9xlor-A
Ql-39IKKfb8HbhFAhq0E4SZnnSCg04auFL9mEwFZgvxWqp5by
lCpv5si-pNNiqJQP9su0iWzbo7yJbMVTbJz_ybYBhZH3JS457
yYrCD6UChKOOjrQIrjl7Eg0kAUX2ccg0ltL4r_S8q_qBwJ0J_
iHzYhTqqMvEns0j4t36BT1JflAsS9oi4woy-fMDNTDsudkOhC
THiBBVCdmOGK9_HiQxD0Fi24U-TpBKMdTFpHb_XOAniaZ-NYe
7zqPtGbeNdI29RoS-05tacoKoQTf35KCDmFta02ScliFdsAlL
fdnzvKvUexgaESG1ftpW1jO9PxuTGzx1xX5pe0Gr8V4XDRSzm
wKpdcCiYqGYB78liF3QQkWzcw-WV-yVWXHHYLyehLEtPVyGq_
-SArq48RQPekPgDhdlf6Rm1DxHJax5O_yxWppP8jrBnxtmgW9
r2gCjxljRXnvTtE2iASBXPiMQMJzKcBOPYHdVccEy-Y55NFhe
AFgJ-8-2FY-m3xk8tEejD6b1nKgrRcY34XcA4Lo0uZnAJuSeE
SZROpKsEjO8zK9h2heG8hc5T5q-ahPtD1SAjjnllE=

Notice the text string "taco" about 2/3 of the way through the file. Coincidence?

Re:Google is doing fine for regular searches...

[duffster]

I've tried several tests and Google seems to be filtering out any query that contains the phrase "mail" and a ".", hence catching "email slashdot.org", "mailer-daemon@domain.com", "mailman frontdoor.org" etc.

Re:Google is doing fine for regular searches...

[barcodez]

It is a base64 encoding. Running it though decode-base64 and piping it to the file utility just says it's data. Running strings on the decoded output doesn't yield anything interesting either. $ decode-base64 google.txt | file -

Re:Google is doing fine for regular searches...

[mla_anderson]

It's base64 encoding but using a non-standard alphabet. Standard base64 doesn't have "-" or "_" IIRC.

Browser Specific

[nsingapu]

Webmasterworld has an interesting thread which details the problems are user agent and locality specific (for me in SoCal IE and Firefox are borked, Konqueror is working, but others report no problem with Mozilla or no problems in certain locals).

well. com(mercial) is bad anyways

[Keruo]

use mirrors instead:

http://www.google.co.jp/
http://www.google.fr/
http://www.google.se/
http://www.google.fi/
http://www.google.ca/

all above seem to be responsive atleast to me

Re:HOLY FUCKING SHIT!

[hamlet2600]

How dare this amazingly useful -- cant live without -- service i pay nothing for go down?!?!

Re:Google is doing fine for regular searches...No!

[Warpedcow]

I can't do any searches, and I tried both of the ones you referred to, and they both give this error message.

The influence of Google in the world

[Darth+Beto]

I'm in Mexico and Google is still not working! It is amazing that we're so tied to Google that we forget the others search engines (in fact when I couldn't search into Google I thought "well I'll wait a couple of minutes" instead of using another search engine like Yahoo!)

I fear for zeitgeist

[ILikeRed]

Talk about a boring upcoming Zietgeist...

Top query in US:
joejob@yahoo.com

Top query in UK:
joejob@yahoo.com.uk

Browsers used to access Google:
Internet Explorer ... 41%
MyDoom ... 54%
Other ... 05%

I think they are just trying to keep Mozilla's percentage down.

Re:Strange WHOIS result though

[Roguelazer]

Actaully, that's not the whois on google.com, that's the whois on google.com.sucks.find.crackz.with.search.gulli.com . Here's the full story:

$ whois google.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Server Name: GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
IP Address: 80.190.192.24
Registrar: GANDI
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net

Server Name: GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE .THAN.SECZY.COM
IP Address: 209.187.114.130
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com

Domain Name: GOOGLE.COM
Registrar: ALLDOMAINS.COM INC.
Whois Server: whois.alldomains.com
Referral URL: http://www.alldomains.com
Name Server: NS2.GOOGLE.COM
Name Server: NS1.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM
Status: REGISTRAR-LOCK
Updated Date: 03-oct-2002
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2011

>>> Last update of whois database: Mon, 26 Jul 2004 08:37:55 EDT <<<

Registrant:
Google Inc. (DOM-258879)
2400 E. Bayshore Pkwy Mountain View CA 94043 US

Domain Name: google.com

Registrar Name: Alldomains.com
Registrar Whois: whois.alldomains.com
Registrar Homepage: http://www.alldomains.com

Administrative Contact:
DNS Admin (NIC-1340142) Google Inc.
2400 E. Bayshore Pkwy Mountain View CA 94043 US
dns-admin@google.com +1.6503300100 Fax- +1.6506181499
Technical Contact, Zone Contact:
DNS Admin (NIC-1340144) Google Inc.
2400 E. Bayshore Pkwy Mountain View CA 94043 US
dns-admin@google.com +1.6503300100 Fax- +1.6506181499

Created on..............: 1997-Sep-15.
Expires on..............: 2011-Sep-14.
Record last updated on..: 2003-Apr-07 10:42:46.

Domain servers in listed order:

NS3.GOOGLE.COM 216.239.36.10
NS4.GOOGLE.COM 216.239.38.10
NS1.GOOGLE.COM 216.239.32.10
NS2.GOOGLE.COM 216.239.34.10

Sorry for having to delete all the notices, but this lameness filter is very lame. It decided that lal the legal notices were "junk characters". Likewise, it's now decided that I have too few characters per line, so I need to write this little explainatory paragraph.

Re:An Example

[lpangelrob2]

No problem, what's your e-mail address? I can forward you ten examples of the results of this error...

Re:An Example

[Prof.Phreak]

also, doing whois google.com, returns:

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Server Name: GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
IP Address: 80.190.192.24
Registrar: GANDI
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net

Server Name: GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE .THAN.SECZY.COM
IP Address: 209.187.114.130
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com

Domain Name: GOOGLE.COM
Registrar: ALLDOMAINS.COM INC.
Whois Server: whois.alldomains.com
Referral URL: http://www.alldomains.com
Name Server: NS2.GOOGLE.COM
Name Server: NS1.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM
Status: REGISTRAR-LOCK
Updated Date: 03-oct-2002
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2011

>>> Last update of whois database: Mon, 26 Jul 2004 08:37:55 EDT

Re:Why the unevenness?

[WormholeFiend]

I tried google.fr and I saw that it had surrendered to the virus.

Re:alltheweb.com is down too??

[bcmm]

Probably not the virus directly but the extra load of google refugees.

My productivity...

[Junta]

has gone to hell.

My coworkers may realize I really don't know anything if I can't google up answers real soon now...

Fool me once ... fool me 14 times???

[shrubya]

I can accept ordinary computer illiteracy. People who don't know their mouse has multiple buttons, or who don't know how to quit a program, it's okay. I'm sure they're good at something else. But as long as they aren't complete intentional morons, EVEN ILLITERATES CAN BE TRAINED TO USE COMPUTERS PROPERLY.

But here we are at MyDoom.N, which is the 14th virus in a series that requires the user to:

1. receive an infected email
2. read the email and believe its contents
3. download the attachment
4. unzip the attachment, often password protected
5. run the resulting executable

After ignoring 13 previous warnings, I must move from sympathy to malice. For the sake of all humanity, I beg the author(s) of the MyDoom series and other viruses, in your next version, please include the following instructions:

1. locate a nearby table lamp with the light on
2. remove pants
3. break the bulb while it is glowing
4. insert testicles into bulb socket

If they're dumb enough to get fooled by MyDoom again, they're dumb enough to get themselves out of the gene pool.

Re:Fool me once ... fool me 14 times???

[Maul]

Insert the following (since I've seen it before many times):

3a. User is told by their AV software that the attachment has a virus.

3b. User disables AV software in order to open the attachment.

Re:Fool me once ... fool me 14 times???

[The+Bungi]

Still, it's all Microsoft's fault. It's also their fault that users are not running AV software (or simply disable it to open the exciting attachment) or a firewall (especially if they're on a 24/7 broadband connection.

Never mind the RPC vulnerabilities or the SQL Server exploit. Nah. This is the real shit. Millions of computers being operated by people who have no clue whatsoever.

When Leenucks actually makes it to the desktop someone will release a MyDoom equivalent that will turn thousands of boxes into spam-spewing zombies. Here Is teh info for yuo my friend!!!! teh tar file must be extract to ~/mydocuments ... Except this time it will be the user's fault, not the distro's. Or open source. Or Leenucks. Remember that LimeWire worm that was supposedly the new version of MS Office for Mac? How many clueless Mac owners fell for that? And whose fault was it? Apple? Noooo, it was the stupid users. Apparently Microsoft is saddled with intelligent users who can't help but be infected, and everyone else has retarded ones who should be shot because they opened an email attachment.

It's uncanny. But what's actually fucking frightening that people pushing Linux et. al. actually think they can engineer this problem away. Holy crap.

Re:Fool me once ... fool me 14 times???

[jon787]

Thats why corporate anti-virus software requires a password to disable it, even temporarily.

Re:Fool me once ... fool me 14 times???

[The+Bungi]

And it can't install itself as a service or anything like the Windows viruses

There are no viruses that run as services. Unless you care to show me one. They're all userspace processes. And it ultimately doesn't matter that the user is running under the equivalent of root on Windows - you can delete ~/ just as easily or turn the box into a spam zombie. What you can't do is render the box unusable, but that's not the problem here.

You seem to forget that using Linux means you are no longer married to Intel.

You seem to forget that if the day comes when Linux is actually a viable desktop OS that the unwashed masses can use your claim of "monoculture is teh badd" will be immediately invalidated. There is simply no chance in hell that 5 million people (to use a number) will be using a slightly different version of Mandrake or RedHat. They'll be using whatever came preinstalled with the eMachines they bought from Wal-Mart or BestBuy. There is no chance in hell 23% of them will be running a SPARC and the rest an Intel box. Or perhaps you think 5 million people will suddenly decide to just download Linux and install themselves it on their Windows partition? Or over their Solaris one? They can do that now and Linux is nowhere on the desktop, so that little theory just doesn't pan out.

Oh, and a bash script on a tar file with the execute bit set is pretty much platform independent.

Other than that, your clueless rambling is right on spot.

...yes it is

[CowsAnonymous]

I don't believe it's a local browser issue... might've just been a coincidence, kind of like what might have had happened if I spelled coincidence correctly.

My mailserver gets attacked all day by these

[TheNarrator]

I have a domain that I host mail for, let's call it thedomain.net. Every day 24 hours a day I get connections from thousands of different computers all sending mail to bernard@thedomain.net, ashley@thedomain.net, and any one of a hundred thousand other possible names at @thedomain.net that don't exist. These machines that connect to my machine are using the user unknown bounces to send spam to forged return addresses.

Naturally I put in a script to watch for this, drop the mails and ban the ips but I've been running the thing for a few days and I have 5000 banned ip addresses in my ipchains firewall!!! I am beginning to think that the number of compromised windows machines out there has led to an absolute security CATASTROPHE of science fiction proportions. The machines attacking me, according to ARIN, are located all over the world.

I'm not really that important or interesting a target, having a measily DSL line but yes I get constant connections from many different computers all over the world all day trying to use me to bounce mail.

I really think, if people knew how huge the number of compromised windows machines there were out there, people would be embarassed to recommend Microsoft products.

Re:Why the unevenness?

[Tackhead]

> Google is BIG. VERY VERY BIG.

"You just won't believe how vastly, hugely, mindbogglingly big it is. I mean, you may think it's a long way down the OC-3 to boobies.chemist.com, but that's just peanuts to Google. Listen...", and so on.

(After a while the style settles down a bit and it begins to tell you things you really need to know, like the fact that Google has different DNS entries depending on which server you look them up from, which is only a partial solution to the bandwidth problem -- so that despite the DNS tricks, any net imbalance between the packets you send to Google and the packets Google sends back to you, must be surgically removed from your pipe: so every time you type "natalie portman hot grits" into images.google.com, it is vitally important to get a receipt.)

Timing is a little too close to be coincidence

[Thagg]

There have been many reports recently of virus writers attempting to blackmail companies. Having this virus, an obvious DDoS attack on Google, happen the same day that Google announced the price of its IPO shares is just what you would expect if the Google didn't pay the blackmail.

I don't know how we'll ever be able to test this hypothesis, but I think that something stinks here.

thad

Re:Timing is a little too close to be coincidence

[Stevyn]

Nice theory. Google investors aren't necessarily tech savy people (like on slashdot). They see a problem with a company and they get worried about buying shares in them. But I still can't figure out a way to make money off this. If you were going to short the stock and then pull this off, then you could make some money. Or pull this off and go long and hope things get better.

I think your idea of blackmail makes more sense though.

Re:firefox is not effected by google bug

[foofie]

People, its a server-side problem, you can have the problem running lynx on your toaster

workaround found using Opera

[googolplexian]

All of my queries that are sent directly through google's website return "Service error -27.", however, all queries sent through the Opera web browser have no problem. Once I've succeeded in a search I cannot do anything else through google (next, cache, etc), because it does not contain a "sourceid=opera" in the query. By copying the address created by Opera, I was able to successfully search using IE. The address I used was "http://www.google.com/search?q=test&sourceid=oper a&num=0&ie=utf-8&oe=utf-8", where "test" was what I was searching for.

Google runs Mac OS 9 ??

[sjf]

I get a -27 error:

Clearly Google is running on pre OS X Macs:

-27 abortEr IO call aborted by KillIO

-S

Virus Text

[kevman42]

We've received a copy of the virus (stopped at the gateway, of course), but here's the text of it for those who are curious:

Dear user xxxxx@domain.com, administration of domain.com would like to inform you

Your email account has been used to send a large amount of junk e-mail during the recent week. We suspect that your computer was compromised and now runs a hidden proxy server.

We recommend that you follow instruction in the attachment in order to keep your computer safe.

Best regards, The domain.com team.

The virus is then attached at the bottom of the message.

Dependence on Google

[Audigy]

...isn't really realized until it goes down. We were researching Linear PCM formats over here when it went down.

I got the error message... "Service Error -27" and immediately though "hm... I wonder what that is," and opened up a new browser window, absentmindedly typing in my query to the Google toolbar...

!@#$!@#$

I laughed for a while, scratched my head, and decided to discuss with my co-workers what the decent "second place" search engine was... Dogpile seemed to be the most common answer. No relevant results, though. Geez, Dogpile is ugly.

Some users in the UK

[@madeus]

Some of the systems, both Windows and Linux are having this problem, while others are not, dispite being on the same subnet (on our NOC lan here in the UK).

Go figure. Session handling switches deciding which IP's go where and some end servers of Google's being borked is my best guess.

google shmoogle

[Prince+Vegeta+SSJ4]

Seriously, I remember when I used to use Infoseek (or is it GO.com now lol) most of the time, or even the netscape search (pre google default). Then it was on to bigger and better like HotBot, or Webcrawler. Did I ever use Yahoo or AltaVista, or Excite (yeah i used that one). Magellan, remember that one?

Oh the days of Mozilla, Navigator Gold & Mortal Kombat (the first one) - [gets teary eyed]

You keep using that word..

[aziraphale]

... I do not think it means what you think it means.

i.e. is an abbreviation for the Latin id est, "that is". It's a synonym for "in other words", "that is to say", or (sort of) "specifically". It does NOT mean "for example", or "such as". For those expressions, you're looking for the Latin abbreviation e.g. - exempli gratia, which means "for example".

Saying this virus "searches your machine for email domains, i.e. yahoo.com", you're actually saying that it "searches for email domains, in other words yahoo.com". This implies that yahoo.com is the only email domain it searches for (or that you are an idiot, and honestly believe that 'email domains' is synonymous with 'yahoo.com'), which makes it seem like a rather pointless search, to say the least.

I.e./e.g. confusion seems to be increasingly common, which surprises me, because it doesn't seem to me that their meanings are at all similar. It seems rather like confusing the phrases 'In spite of which' and 'since Thursday'. Since Thursday, people still seem to do it.

If you really can't remember whether you mean i.e. or e.g., then just write out 'for example' or 'in other words' in full... it doesn't take that much longer.

Re:You keep using that word..

You are *surprised* that people confuse i.e. and e.g.??? How's are people supposed to remember obscure latin abbreviation's, when they can't even learn to use apostrophe's correctly?

Any answer's?

No real need for a new error

[zen+parse]

400 Bad Request

Bad Request. Bad! Go sit in the corner. Go on. Corner! Sit!

("400" errors are invalid request errors. See RFC2616)br>
409 Conflicting Request

An attack is a form of conflict...

412 Precondition Failed

There are conditions of use for Google. One says something to the effect of:

"You can't use automated request things which make an excessive number of requests."

A precondition of using this service is YOU ARE NOT A WORM.

There could, however, be a new one... br>
411 Problem exists between keyboard and chair

Catch all for human caused errors.

Ok... so it's not exactly accurate use for these codes, but close enough?

How-to bypass the block

[CHICK543]

If you still want to use google, but are getting blocked (like me), try using Google Personalized

Works like a charm. (but a little bit slow)

Re:503/service error -27

[monique]

try adding "&num=0" to the search url.

This thread brings back memories

[WormholeFiend]

I remember that old David Letterman tv joke ad that went something like Dave saying:
"Imagine what the world would be like without television?"
[TV static for 5 seconds then Dave comes back on]
"Scary, wasn't it?"

Now imagine the world without the Internet... +++NO CARRIER

Feeling Lucky Works

[benw1979]

Works fine for me... just search for "Google Server Error" and click "I'm Feeling Lucky" =)

Google can probably take this in stride

[0x0d0a]

Google has a lot of computer scientists and techies, and all they need to do is write a quick regex to match these "banned" searches, slap a 72-hour ban on any IP that's the source of more than, say, 1000 "banned" searches in a day, reply with a static page that says "SOL, your request came from an infected computer, contact your sysadmin" and then start looking for a more fundamental and elegant solution for a long-term fix.

They'll have this patched over in less than 24 hours, for certain.

It is likely a phishing attack

[Zeinfeld]

Doesn't seem like it would be all that efficient to google for email addresses

It is efficient enough to spread fast and wide. By the time Google had a chance to respond to this the virus had probably attacked 90% of the targets at least once. All Google could do is to reduce followon attacks somewhat. I was hit 450 times, that is not counting the attacks that the spam filter just disconnected on.

I don't think the real target was Google. MyDoom has been launched several times and 2 out of 3 times there has been an uptick in phishing fraud attacks just afterwards. I don't think that the target was really SCO or Microsoft. Attacking them was just a way to throw investigators off the trail and also to work out which machines would make reliable zombies.

These guys use zombie machines for several purposes. they use them to send spam, to capture credit card numbers and to hide their tracks.

I think it is time to admit defeat with the anti-virus scanning software. We should simply block all executable attachments and zip files containing executable code. Fortunately most encrypted zip file formats do not encrypt the manifest so encrypted files can be blocked.

This type of technology can be written once and is then pretty much maintenance free. Maybe an occasional tweak but nothing like the constant need to work out the signatures of new viruses.

Re:Why the unevenness?

[vinlud]

Yeah and google.us is currently invading the penguins of Antarctica for their weapons of mass searches

Re:What I've seen first hand.

[the_mad_poster]

Give it a rest you penguin-humping retard. The virus spreads through user action. Stupid users spread the virus. What the fuck is so complicated about that? Virus writers have started sending zipped viruses with attached installation instructions and these dipshits are STILL getting infected. You think if someone wrote a virus and instructed the stupid users to set the execution bit they wouldn't do it? History says you're wrong. History shows that people will follow even more complex instructions than that in order to run a virus.

Maybe if you religious rejects would spend a little more time fixing user space threats like the crufty old X system or finishing up your little game of desktop catch up that Microsoft has so sorely outpaced you in, you'd actually have a desktop system now instead of a kludged together ball of shit that wants to pretend it's UNIX while it tries to play with Windows. Pick a fucking goal and stop spending so much time and wasted breath bashing Microsoft. Christ. You little Linux and Windows zealots have got to be the stupidest subsets of all of the computer holy wars... you get on my fucking nerves. At least the BSD people have the decency to keep it to infighting that I can just ignore.

Yea yea, whatever. I'm a troll because I'm not felating your stupid little penguin. Give it a rest and just use your fucking system. You sound like a total dumbass when you sit there and blame "micro$oft" (please, spare me the droll attempt at witicism that wasn't even witty the first time someone used the dollar sign) for a problem that's clearly perpetuated by explicit user action.