Latest MyDoom Variant Gives Google Problems

Devil's BSD writes "It seems like the latest MyDoom worm variant has caused a bit of an Internet storm. Google, at this time (12:28 EDT), is returning 503 errors on all queries submitted from certain locations. The MyDoom variant searches the user's address book for email domains (i.e. @yahoo.com) and searches various engines (such as Google) for email addresses in that domain."

Alright, this means war

Virus writers want to attack Microsoft or SCO, fine... but this... this is war! YOU DO NOT ATTACK THE GOOGLE!!!

Re:Alright, this means war

[aardwolf204]

Ahem, its TEH GOOGLE! get it right

Re:Alright, this means war

[AuMatar]

Hate to give them ideas, but- search the cached response, and goodle colors the words. Then just look for the font color tags. That shows exactly where the address is. Wouldn't be that difficult.

Re:Alright, this means war

[didde]

This is the 403 Forbidden I get when submiting a gmail address... The most thourough 403 I've ever seen.

Forbidden
Your client does not have permission to get URL /search?q=anything@gmail.com&ie=UTF-8&oe=UTF-8 from this server. (Client IP address: [xx.xx.xx.xx])

Please see Google's Terms of Service posted at http://www.google.com/terms_of_service.html

If you believe that you have received this response in error, please send email to forbidden@google.com. Before sending this email, however, please make sure to take a look at our Terms of Service (http://www.google.com/terms_of_service.html). In your email, please send us the entire code displayed below. Please also send us any information you may know about how you are performing your Google searches-- for example, "I'm using the Opera browser on Linux to do searches from home. My Internet access is through a dial-up account I have with the FooCorp ISP." or "I'm using the Konqueror browser on Linux to search from my job at myFoo.com. My machine's IP address is 10.20.30.40, but all of myFoo's web traffic goes through some kind of proxy server whose IP address is 10.11.12.13." (If you don't know any information like this, that's OK. But this kind of information can help us track down problems, so please tell us what you can.)

We will use all this information to diagnose the problem, and we'll hopefully have you back up and searching with Google again quickly!

Please note that although we read all the email we receive, we are not always able to send a personal response to each and every email. So don't despair if you don't hear back from us!

Also note that if you do not send us the entire code below, we will not be able to help you.

[long-ass-code removed]

... Otherwise the service works as usual here in Scandinavia.

Ah hah

[suso]

I thought I was going nuts, I've never had google give me problems.

I found it hard to remember the names of other search engines that I could use though.

Re:Ah hah

[boredMDer]

Other....search engines?

Do explain such a foreign concept as this.

Google is the one, the almighty.

Re:Ah hah

[Jim+Hall]

I found it hard to remember the names of other search engines that I could use though.

You could do a Google search for them, I suppose... :-)

Re:Ah hah

[ehiris]

I misspelled yahoo 3 times before I got it right.

Re:Ah hah

[gmuslera]

AllTheWeb and Teoma are good alternatives, as far I remember, and do some things in a smarter way than Google. MSN search is supposed to be improved in a beta URL (there was an history here about it some weeks ago)

And you have also metasearchers, that not only search google, but also others. If you want almost the opposite of google in simplicity, you can try Kartoo, where you can have graphs with aggrupations on search results, flash animations and things like that.

Last, but not least, there are a search engine that you can use to find search engines very close to you. If its good enough, probably there is a Slashdot article on it, so slashdot search is a good first step if all the other search engines you know are down but you still can access slashdot.

Re:Ah hah

[skinfitz]

What's a search engine?

I tried googling for it but it just took me to the home page. I think it's broken.

Re:Ah hah

[TimeZone]

I tried to google "Service Error -27" to find out what the problem was.

It took about 10 seconds for me to realize I was a dumbass.

TZ

Yup

I'm getting "
Server Error
The service you requested is not available at this time.
Service error -27
"
for all of my search attempts.

Shouldn't that be easy to fix?

[ggvaidya]

If MyDoom uses certain search strings, you just dump all such searches? Worse case, just dump any search for anything which looks like an e-mail account?

What a day to have problems!

[AKAImBatman]

CNN is on behind me, and they've been talking about nothing but Google's IPO. Seems like really bad timing for Google. :-(

The end of the world!

[Jamori]

Google is down ... the world is ending! The beginning of the apocalypse! (I can't even check if I spelled that right without google)

Nostradomus predicted this right?

[craenor]

Google going down is the first sign of the apocalypse. Now if my wife asks me for sex (the second sign), I'll know the world is going to end...

Re:Nostradomus predicted this right?

she asked me for sex - does that count? :)

Re:Nostradomus predicted this right?

[craenor]

Sadly, that's not a sign of the Apocalypse, that's the sign that it's Monday.

Re:Nostradomus predicted this right?

[Gilmoure]

craenor's wife has never asked me for sex on Monday...

Re:Nostradomus predicted this right?

[Atario]

Google going down is the first sign of the apocalypse. Now if my wife asks me for sex (the second sign), I'll know the world is going to end...

I can't believe you didn't make the obvious joke there. I mean, c'mon. Think about it. "Going down"..."my wife"...Jebus! It fairly slaps you in the face! And you call yourself a Slashdotter...

Time for a new error

[Quasar1999]

503? screw that... why not have a new error number designated specifically for MS infected systems... error 999: The operating system you are using is insecure and has been exploited... you are partially responsible for bringing this server to its knees... Now go in the corner and think about what you've done.

Re:Time for a new error

[drmellow]

999? No, make it 666. That'll be more fun.

What locations?

[ErichTheWebGuy]

is returning 503 errors on all queries submitted from certain locations

Is that geographic locations, IP blocks, or what? I can use Google just fine at the moment, but have heard of trouble in California (I am in Colorado). TFA gives no details. Anyone have answers?

Queries blocked

[GoRK]

The query that google seems to block in order to work around this problem is a query for "mailer-daemon@domain.com" where "domain.com" is pretty much anything.

No Problem...

[Pirogoeth]

...just use Google's alternate search form...

My one permitted tin-foil hat question for today.

[Rude+Turnip]

OK, so if Microsoft comes out with an antivirus product, what incentive do they have to immunize Windows-based computers against worms that attack their competitors? (i.e. Google vs MSN Search).

My Doom? Oh My

[Yo+Grark]

All Hail My Doom.

For doing the very thing we always failed at doing.

OH MY GOD, YOU SLASHDOTTED GOOGLE, YOU BASTARDS!

Yo Grark

Re:My Doom? Oh My

[polyp2000]

It's difficult to imagine that there are more instances of MyDoom querying google than actual people. That would indicate that this thing is riddled an absurdly enormous number of windows machines.

Nick

Re:My Doom? Oh My

[mangu]

this thing is riddled an absurdly enormous number of windows machines.

Or maybe just that the infected machines are generating thousands of queries each. In these days of multi-GHz CPU's and broadband, it wouldn't take as many millions of machines to /. Google.

Re:i was wondering

i was getting errors when trying to search, but people i was talkin to online elsewhere in the country were fine. my whole office was screwin up
gmail still works tho, hrm.

You work in corporate communications, don't you?

Google is doing fine for regular searches...

[stienman]

Perhaps I'm simply 'located' better, but I can do regular google searches just fine.

But when I ask for "email slashdot.org" it returns a forbidden search page.

So it looks like Google is primarily stopping searches that are typical of this virus, but they may also have automated filtering that stops searches which are too many from IPs and netblocks. This part is probably something they implemented long ago.

But google is going slower for me today, and sometimes it stalls (some of the frontend machines dropping out a bit more frequently than usual?)

-Adam

Re:Google is doing fine for regular searches...

[RobertB-DC]

But when I ask for "email slashdot.org" it returns a forbidden search page.

I got the "forbidden search" error as well. I'm curious what the apparently encrypted string at the bottom of the page contains? The page says to include it in any correspondence to the Head Googlers. If another person runs the search, will they get a different string? I'd think so -- it probably includes referrer-ID and IP address.

It starts and ends with a string of "/+" characters that give the Slashdot Lameness Filter fits.

2r0A6dsI7ZSqFcXMcZGaqVp9OyBGpRpEx8zC0r2-fDqTp9VRX
Oa5KPnpeHBfPq5nCWFmRKN0EGLyQNyT_Jpi2w_Gph5Lmj8QTC
I2ARob9EUpW81ypiueUArxRWXxACzVAiOlt4-1b-k4fXoLYu6
hgf9EwNsXjUpPHOy7iTskkZaA8BvJjCPZIo70EWJtQ5FEGtIO
ao9GoeUBxkRmSkIPqlxvhdGEkOx_YYAK2FgokfoRJtqZlutIr
NFHKoo6EF0wTy4dfsHMPmsLbK49OLE5m_kM-FQw0q7LyFhAnj
e4leVjmnj0cWa_PQeUJ8aO4MRUb2C2fY0_v77HgHDY9xlor-A
Ql-39IKKfb8HbhFAhq0E4SZnnSCg04auFL9mEwFZgvxWqp5by
lCpv5si-pNNiqJQP9su0iWzbo7yJbMVTbJz_ybYBhZH3JS457
yYrCD6UChKOOjrQIrjl7Eg0kAUX2ccg0ltL4r_S8q_qBwJ0J_
iHzYhTqqMvEns0j4t36BT1JflAsS9oi4woy-fMDNTDsudkOhC
THiBBVCdmOGK9_HiQxD0Fi24U-TpBKMdTFpHb_XOAniaZ-NYe
7zqPtGbeNdI29RoS-05tacoKoQTf35KCDmFta02ScliFdsAlL
fdnzvKvUexgaESG1ftpW1jO9PxuTGzx1xX5pe0Gr8V4XDRSzm
wKpdcCiYqGYB78liF3QQkWzcw-WV-yVWXHHYLyehLEtPVyGq_
-SArq48RQPekPgDhdlf6Rm1DxHJax5O_yxWppP8jrBnxtmgW9
r2gCjxljRXnvTtE2iASBXPiMQMJzKcBOPYHdVccEy-Y55NFhe
AFgJ-8-2FY-m3xk8tEejD6b1nKgrRcY34XcA4Lo0uZnAJuSeE
SZROpKsEjO8zK9h2heG8hc5T5q-ahPtD1SAjjnllE=

Notice the text string "taco" about 2/3 of the way through the file. Coincidence?

Re:Google is doing fine for regular searches...

[mla_anderson]

It's base64 encoding but using a non-standard alphabet. Standard base64 doesn't have "-" or "_" IIRC.

Browser Specific

[nsingapu]

Webmasterworld has an interesting thread which details the problems are user agent and locality specific (for me in SoCal IE and Firefox are borked, Konqueror is working, but others report no problem with Mozilla or no problems in certain locals).

well. com(mercial) is bad anyways

[Keruo]

use mirrors instead:

http://www.google.co.jp/
http://www.google.fr/
http://www.google.se/
http://www.google.fi/
http://www.google.ca/

all above seem to be responsive atleast to me

Re:Google is doing fine for regular searches...No!

[Warpedcow]

I can't do any searches, and I tried both of the ones you referred to, and they both give this error message.

The influence of Google in the world

[Darth+Beto]

I'm in Mexico and Google is still not working! It is amazing that we're so tied to Google that we forget the others search engines (in fact when I couldn't search into Google I thought "well I'll wait a couple of minutes" instead of using another search engine like Yahoo!)

I fear for zeitgeist

[ILikeRed]

Talk about a boring upcoming Zietgeist...

Top query in US:
joejob@yahoo.com

Top query in UK:
joejob@yahoo.com.uk

Browsers used to access Google:
Internet Explorer ... 41%
MyDoom ... 54%
Other ... 05%

I think they are just trying to keep Mozilla's percentage down.

Re:Why the unevenness?

[WormholeFiend]

I tried google.fr and I saw that it had surrendered to the virus.

My productivity...

[Junta]

has gone to hell.

My coworkers may realize I really don't know anything if I can't google up answers real soon now...

Fool me once ... fool me 14 times???

[shrubya]

I can accept ordinary computer illiteracy. People who don't know their mouse has multiple buttons, or who don't know how to quit a program, it's okay. I'm sure they're good at something else. But as long as they aren't complete intentional morons, EVEN ILLITERATES CAN BE TRAINED TO USE COMPUTERS PROPERLY.

But here we are at MyDoom.N, which is the 14th virus in a series that requires the user to:

1. receive an infected email
2. read the email and believe its contents
3. download the attachment
4. unzip the attachment, often password protected
5. run the resulting executable

After ignoring 13 previous warnings, I must move from sympathy to malice. For the sake of all humanity, I beg the author(s) of the MyDoom series and other viruses, in your next version, please include the following instructions:

1. locate a nearby table lamp with the light on
2. remove pants
3. break the bulb while it is glowing
4. insert testicles into bulb socket

If they're dumb enough to get fooled by MyDoom again, they're dumb enough to get themselves out of the gene pool.

Re:Fool me once ... fool me 14 times???

[Maul]

Insert the following (since I've seen it before many times):

3a. User is told by their AV software that the attachment has a virus.

3b. User disables AV software in order to open the attachment.

My mailserver gets attacked all day by these

[TheNarrator]

I have a domain that I host mail for, let's call it thedomain.net. Every day 24 hours a day I get connections from thousands of different computers all sending mail to bernard@thedomain.net, ashley@thedomain.net, and any one of a hundred thousand other possible names at @thedomain.net that don't exist. These machines that connect to my machine are using the user unknown bounces to send spam to forged return addresses.

Naturally I put in a script to watch for this, drop the mails and ban the ips but I've been running the thing for a few days and I have 5000 banned ip addresses in my ipchains firewall!!! I am beginning to think that the number of compromised windows machines out there has led to an absolute security CATASTROPHE of science fiction proportions. The machines attacking me, according to ARIN, are located all over the world.

I'm not really that important or interesting a target, having a measily DSL line but yes I get constant connections from many different computers all over the world all day trying to use me to bounce mail.

I really think, if people knew how huge the number of compromised windows machines there were out there, people would be embarassed to recommend Microsoft products.

Re:i was wondering

[poptix_work]

They sent out the email to.. not open your email

How amazingly typical.

Re:Why the unevenness?

[Tackhead]

> Google is BIG. VERY VERY BIG.

"You just won't believe how vastly, hugely, mindbogglingly big it is. I mean, you may think it's a long way down the OC-3 to boobies.chemist.com, but that's just peanuts to Google. Listen...", and so on.

(After a while the style settles down a bit and it begins to tell you things you really need to know, like the fact that Google has different DNS entries depending on which server you look them up from, which is only a partial solution to the bandwidth problem -- so that despite the DNS tricks, any net imbalance between the packets you send to Google and the packets Google sends back to you, must be surgically removed from your pipe: so every time you type "natalie portman hot grits" into images.google.com, it is vitally important to get a receipt.)

Timing is a little too close to be coincidence

[Thagg]

There have been many reports recently of virus writers attempting to blackmail companies. Having this virus, an obvious DDoS attack on Google, happen the same day that Google announced the price of its IPO shares is just what you would expect if the Google didn't pay the blackmail.

I don't know how we'll ever be able to test this hypothesis, but I think that something stinks here.

thad

You keep using that word..

[aziraphale]

... I do not think it means what you think it means.

i.e. is an abbreviation for the Latin id est, "that is". It's a synonym for "in other words", "that is to say", or (sort of) "specifically". It does NOT mean "for example", or "such as". For those expressions, you're looking for the Latin abbreviation e.g. - exempli gratia, which means "for example".

Saying this virus "searches your machine for email domains, i.e. yahoo.com", you're actually saying that it "searches for email domains, in other words yahoo.com". This implies that yahoo.com is the only email domain it searches for (or that you are an idiot, and honestly believe that 'email domains' is synonymous with 'yahoo.com'), which makes it seem like a rather pointless search, to say the least.

I.e./e.g. confusion seems to be increasingly common, which surprises me, because it doesn't seem to me that their meanings are at all similar. It seems rather like confusing the phrases 'In spite of which' and 'since Thursday'. Since Thursday, people still seem to do it.

If you really can't remember whether you mean i.e. or e.g., then just write out 'for example' or 'in other words' in full... it doesn't take that much longer.

This thread brings back memories

[WormholeFiend]

I remember that old David Letterman tv joke ad that went something like Dave saying:
"Imagine what the world would be like without television?"
[TV static for 5 seconds then Dave comes back on]
"Scary, wasn't it?"

Now imagine the world without the Internet... +++NO CARRIER

Google can probably take this in stride

[0x0d0a]

Google has a lot of computer scientists and techies, and all they need to do is write a quick regex to match these "banned" searches, slap a 72-hour ban on any IP that's the source of more than, say, 1000 "banned" searches in a day, reply with a static page that says "SOL, your request came from an infected computer, contact your sysadmin" and then start looking for a more fundamental and elegant solution for a long-term fix.

They'll have this patched over in less than 24 hours, for certain.

Re:Why the unevenness?

[vinlud]

Yeah and google.us is currently invading the penguins of Antarctica for their weapons of mass searches