New virus infects PCs, whacks SCO
CNet | January 26, 2004 | Robert Lemos

Posted on 01/26/2004 5:45:19 PM PST by Golden Eagle

By Robert Lemos

A mass-mailing virus that quickly spread around the Internet on Monday is compromising computers so they attack the SCO Group's Web server with a flood of data, according to antivirus companies.

The virus--known as MyDoom, Novarg and as a variant of the Mimail virus by different antivirus companies--arrives in an in-box with one of several different random subject lines such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment."

"It's huge," said Vincent Gullotto, a vice president in security software maker Network Associates' antivirus emergency response team. "We have it as a high-risk outbreak."

In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses, Gullotto said. One large telecommunications company has already shut down its e-mail gateway to stop the virus.

Once the virus infects a PC, it installs a program that allows the computer to be controlled remotely. The PC then starts sending data to the SCO Group's Web server, a Symantec spokesman said.

The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

SCO technicians couldn't immediately confirm that a denial-of-service attack had begun. By 4 p.m. PST, the company's Web site was slow to load, a SCO spokesperson acknowledged, but the site was still accessible from the World Wide Web.

SCO's Web site was taken offline by such denial-of-service attacks a handful of times in the last year. In the past, the company has blamed Linux sympathizers for at least one of the attacks.

Antivirus companies were scrambling on Monday afternoon to learn more about the virus, which started spreading about noon PST.

"A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director in antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.


TOPICS: Business/Economy; Crime/Corruption; News/Current Events; Technical
KEYWORDS: linux; microsoft; sco; virus
To: Nick Danger
The DDOS attacks are almost certainly a misdirection.

There's no evidence to sustain such a conclusion.
681 posted on 01/28/2004 6:47:30 PM PST by Bush2000
[ Post Reply | Private Reply | To 671 | View Replies]

To: Nick Danger
That's a native English speaker, which suggests that the guys who think it originated in Russia are wrong.

LOL, so now you're claiming there's no one in Russia who speaks English?

Did your little detective guy figure that one out for you? Where has he been lately anyway? Over in Russia? Could he have done it?

682 posted on 01/28/2004 6:51:28 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 671 | View Replies]

To: Golden Eagle
Likely designed by foreigners, and definitely a proponent of Linux.

It was definitely them, or somebody else.
683 posted on 01/28/2004 7:03:09 PM PST by gitmo (Who is John Galt?)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Bush2000
A. No, they're not.

SCO has essentially no revenue other than the cash infusion they got from Microsoft and Sun for "licenses".

B. You're not an arbiter of their fortunes.

No, but I can read the writing on the wall. And, apparently so can SCO, given the concealment of their dispute with Novell until recently.

C. They don't deserve to be DDoS'D.

No, they don't. But, doing so doesn't accomplish anything beneficial for anyone but SCO, who has already assumed the role of "victim". That doesn't mean I think SCO is behind it -- they wouldn't have any use for the backdoor installed on port 3127.

The Linux community is far broader than this forum.

You are attacking the Linux proponents here, not elsewhere.

Time will prove me correct.

If you have no evidence, your opinion is an unsubstantiated guess, and nothing more.

684 posted on 01/28/2004 7:05:35 PM PST by justlurking
[ Post Reply | Private Reply | To 677 | View Replies]

To: gitmo
Well I could be wrong, but motive (along with opportunity) is always the most important element of profiling a suspect. Also there's plenty of experts who feel the same way:

http://www.upi.com/view.cfm?StoryID=20040128-081558-7375r

CHICAGO, Jan. 28 (UPI) -- Internet-based hacker-activists -- known as hacktivists -- seem to be behind the mass e-mailing this week of the MyDoom worm, which has commandeered consumers' computers around the globe to serve as a staging area for another, more potent attack on their primary, commercial target next month.

Computer experts told United Press International that MyDoom -- a self-replicating string of malicious computer code -- could turn out to be the most widespread worm of all time, topping last summer's well-known attack by the SoBig virus.

As of Tuesday, one of every nine e-mail messages being received by the average computer user was infected with the worm, according to research by Central Command, an anti-virus software maker in Medina, Ohio.

So far, there does not seem to be much consumers who use personal computers running Microsoft Corp. products can do to stop the worm -- once it has infected their systems. Computer scientists are striving to complete a cure for it.

"This worm appears to be a form of hacktivism," Gary Morse, president of Razorpoint Security Technology, a computer consultancy in New York City, told UPI. "It is only infecting machines that are running Windows as their operating system, not those that are running the Mac operating system or the Solaris operating system." ...

"They have their own flavor of Unix," an operating system for technical computing projects, Morse said. "They are embattled with IBM and Red Hat and Novell in a fight over intellectual property rights for the software. This has set off discussions on Web boards around the world. And it appears that someone who does not like where SCO stands has taken matters into their own hands."

This is all part of the global, ideological war online between the backers of the free operating system Linux, a version of Unix, and the supporters of the industry standard, Microsoft Windows, Morse said.

http://edition.cnn.com/2004/TECH/internet/01/27/mydoom.spread/

A sneaky e-mail worm continued to clog Internet traffic Tuesday, spreading faster than previous Web bugs by appearing as an innocuous error message.

The worm -- dubbed "MyDoom," "Novarg" or "WORM_MIMAIL.R" -- was copying itself at a fierce pace, so fast that some companies were having to shut down their mail servers to stop it. And a new clue was emerging as to the source of the infection.

Virus experts suggested MyDoom's author was a fan of the Linux open source community, because the bug, which targets computers running Microsoft Windows, launched a Denial of Service Attack on SCO's site. Utah-based SCO Group, which says it owns the UNIX operating system, alleges some versions of the Linux operating system use its proprietary code.

"The MyDoom worm takes the Linux Wars to a new intensity," said Chris Belthoff, an analyst for anti-virus firm Sophos. "It appears that the author of MyDoom may have taken the war of words from the courtrooms and Internet message boards to a new level by unleashing this worm which attacks SCO's Web site."

Past History would lend to that theory as well:

Embattled SCO Group's Web site hit with a 'denial of service' strike

http://www.sltrib.com/2003/Aug/08262003/business/86967.asp

Eric Raymond, president of the Open Source Initiative, called the attack "rather sophisticated" and said he was convinced it had been launched "by an experienced Internet engineer."...

Raymond, who published his findings on the Linux Today Web site, said the unidentified perpetrator had agreed to halt the attack, at Raymond's request. SCO's Web site was operating again by Monday afternoon.

"I had been hoping, and actually expecting, that the attacker would turn out to be some adolescent cracker with no real connection to the open-source community," Raymond stated. But "I was told enough about his background and how he did it to be pretty sure he is one of us -- and I am ashamed for all of us."
685 posted on 01/28/2004 7:16:14 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 683 | View Replies]

To: Bush2000
Gets the job done. And it's better than a ball of string and a hundred thousand tin cans (which was my first design for FR).
686 posted on 01/28/2004 7:33:07 PM PST by Jim Robinson (I don't belong to no organized political party. I'm a Republycan.)
[ Post Reply | Private Reply | To 615 | View Replies]

To: Bush2000
Are you suggesting that MS knew about the existence of the Eolas patent?

You're changing the subject. I was addressing your crowing over them having enough money to pay the fine and consider it "chump change." I found that a fascinating insight into your views concerning intellectual property protection, especially in light of the charges you regularly level at others on the subject. Anything goes, as long as it's "worth it" eh? Especially if the fine for stealing it is chump change. That's the Microsoft I know and love.

687 posted on 01/28/2004 7:57:17 PM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 678 | View Replies]

To: Jim Robinson
Gets the job done. And it's better than a ball of string and a hundred thousand tin cans (which was my first design for FR).

LOL!

I think it's a cost-effective implementation. Sure, there is better software that can handle more capacity, but the up-front investment is a lot more expensive.

Jim, you should dream that Free Republic becomes big enough to require that kind of investment to keep up with the demand. :-)

688 posted on 01/28/2004 8:03:13 PM PST by justlurking
[ Post Reply | Private Reply | To 686 | View Replies]

To: Bush2000
Some estimates conclude that there's a 90% piracy rate in China relating to MS products. With that kind of pervasiveness, it's unlikely that Linux will gain much market share.

So you're disagreeing with the Pompous Parrot over there, who says that Microsoft technologies cost the Chinese money, and therefore better guard our secrets from those commies. The Microsoft stuff is for all practical purposes free -- as in Tsingtao -- in China, isn't it? And when it suits Microsoft to have "pervasiveness" and "market share," they don't really give a damn about those commies getting our technologies, do they? Riddle me this: does Microsoft make the pirate copies themselves, and package them up as Red Flag Windows? If it's all about market share, why not?

It's refreshing to see someone have some sophistication about this subject. For your next act, admit the Chinese have the source code, and they pass that around as well. And don't tell me about the official program... these are guys who steal stuff out of Los Alamos. Redmond is easy; they probably have the sources to last week's build of Longhorn by now.

689 posted on 01/28/2004 8:24:21 PM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 679 | View Replies]

To: Bush2000
There's no evidence to sustain such a conclusion.

You didn't read my note. Or you just said that to be a troll. OK, be a troll. In the meantime, everybody but you and the Microsoft shills have figured out that this is professional spammers at work. Read the thread.

690 posted on 01/28/2004 8:28:21 PM PST by Nick Danger ( With sufficient thrust, pigs fly just fine.)
[ Post Reply | Private Reply | To 681 | View Replies]

To: Golden Eagle
"We'll eventually get there, and as you know I've always stated that the blame for these sorts of attacks lies solely with the perpetrators"

Perhaps not solely. Windows security faults (both errors of commission and omission) and its near ubiquity seem to encourage those who want to do damage.

As B2K himself put it: "The application ain't jack without the OS".

A virus is an application. It needs an OS to get to the hardware to get something done. Generally, applications can be ported to different OS's. In the case of many virii, it would seem that they exploit the specific implementation of features of an OS and are therefore more difficult to port. If I believed that OS is the center of the universe, I'd have to conclude that M$ is highly involved in many of these attacks.

Fortunately, I don't believe that the OS is really all that important compared to the application and therefore don't blame M$, though it's beginning to look like it would be good to use a different OS for computers connected to the 'net.

691 posted on 01/28/2004 8:30:39 PM PST by Paladin2
[ Post Reply | Private Reply | To 651 | View Replies]

To: Nick Danger
So you're disagreeing with the Pompous Parrot over there, who says that Microsoft technologies cost the Chinese money, and therefore better guard our secrets from those commies. The Microsoft stuff is for all practical purposes free -- as in Tsingtao -- in China, isn't it? And when it suits Microsoft to have "pervasiveness" and "market share," they don't really give a damn about those commies getting our technologies, do they? Riddle me this: does Microsoft make the pirate copies themselves, and package them up as Red Flag Windows? If it's all about market share, why not?

I've never seen ANYONE on Free Republic call so many names! You know, called "name calling", the absolute weakest method of making one's argument? By extrapolation that could likely mean your posts are ultimately the weakest on FR, which is probably correct.

Concerning your "forgive me if I don't understand how I help the Chinese" question, all we have to do is cut off trade with China (most, not complete, sell them stuff they have to have like food) until they respect the value of our intellectual property. Simple, if we're going to trade it must be fair trade. But you'd rather let them push us around while you go invest in your future Chinese fortune mirage, instead.

692 posted on 01/28/2004 9:27:42 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 689 | View Replies]

To: justlurking
SCO has essentially no revenue other than the cash infusion they got from Microsoft and Sun for "licenses".

So what. They haven't closed their doors yet and, until that happens, they're a business.

No, but I can read the writing on the wall. And, apparently so can SCO, given the concealment of their dispute with Novell until recently.

I wouldn't worry about SCO. Their suit against IBM could pay hundreds of millions of dollars.

No, they don't. But, doing so doesn't accomplish anything beneficial for anyone but SCO.

As long as the Linux community can hide beyond the anonymity of the perpetrator, SCO won't benefit from this attack.
693 posted on 01/28/2004 11:08:48 PM PST by Bush2000
[ Post Reply | Private Reply | To 684 | View Replies]

To: Nick Danger
So you're disagreeing with the Pompous Parrot over there, who says that Microsoft technologies cost the Chinese money, and therefore better guard our secrets from those commies.

It's difficult to tell the extent of piracy. The answer is that no one knows for sure.

The Microsoft stuff is for all practical purposes free -- as in Tsingtao -- in China, isn't it? And when it suits Microsoft to have "pervasiveness" and "market share," they don't really give a damn about those commies getting our technologies, do they?

I wouldn't know what MS gives a damn about, Nicky. Why don't you write and ask them?

Riddle me this: does Microsoft make the pirate copies themselves, and package them up as Red Flag Windows? If it's all about market share, why not?

Sure, Nicky, while you're peddling conspiracy theories, why don't you name the guy on the grassy knoll for us, too... /SARCASM

It's refreshing to see someone have some sophistication about this subject. For your next act, admit the Chinese have the source code, and they pass that around as well. And don't tell me about the official program... these are guys who steal stuff out of Los Alamos. Redmond is easy; they probably have the sources to last week's build of Longhorn by now.

Proof, Nicky? Nah. That would be too much to ask for. Forget I asked. I forgot for a moment who I was talking to.
694 posted on 01/28/2004 11:13:41 PM PST by Bush2000
[ Post Reply | Private Reply | To 689 | View Replies]

To: Bush2000
Proof, Nicky? Nah. That would be too much to ask for. Forget I asked. I forgot for a moment who I was talking to.

Nick rarely ever has any proof of anything. He'd rather type up a whole lot of cheap novel BS, then stamp his little detective man icon on the whole smelly package like it lends it some sort of credibility. What a joke!

695 posted on 01/29/2004 5:15:43 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 694 | View Replies]

To: Bush2000
Hindering their ability to do commerce on their website will hurt SCO.

Except, as far as I can tell, SCO doesn't do e-commerce. There's all sorts of information there, but I daresay that prospective customers can get information from them merely by calling them up, like they did before the web site existed.

696 posted on 01/29/2004 8:25:16 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 664 | View Replies]

To: ShadowAce
Except, as far as I can tell, SCO doesn't do e-commerce. There's all sorts of information there, but I daresay that prospective customers can get information from them merely by calling them up, like they did before the web site existed.

A. I didn't say e-commerce. I said commerce. That's a lot broader than e-commerce. It means disseminating information about its products and services. That means providing contact information. Etc.

B. One major selling point of having a website is that it's up 24x7 and doesn't require human intervention. The same can't be said for a telephone.

C. Many people prefer to do their own information-gathering without having to deal with salespeople calling them night and day.
697 posted on 01/29/2004 9:00:05 AM PST by Bush2000
[ Post Reply | Private Reply | To 696 | View Replies]

To: Bush2000
I didn't say e-commerce. I said commerce.

Point taken. I misunderstood.

698 posted on 01/29/2004 10:20:41 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 697 | View Replies]

To: Golden Eagle
But it's all Microsoft's fault you say?

Huh? [He says AGAIN?] All I said was it's a Windows executable...which has to be developed by a person using Microsoft's Development Environment. You cannot create a virus that runs on a Microsoft machine without using their development tools. The hacker might like Linux, he might hate SCO lawyers, he might hate the RIAA and he might be Italian. If the exploitable holes exist, they will be exploited...by Microsoft haters or, well, even Italians!

To that extent, the traffic currently bogging down the web is due to the popularity of insecure Microsoft machines connected to it. Yes.

699 posted on 01/29/2004 6:45:36 PM PST by sam_paine (X .................................)
[ Post Reply | Private Reply | To 5 | View Replies]

To: sam_paine
So it's Colt's fault when somebody shoots someone with a 45 in a fight, I guess then too?
700 posted on 01/29/2004 7:51:42 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 699 | View Replies]

