The MyDoom virus has shut down the SCO Group’s Web site in an attack that began Saturday night. In a preemptive move, the company removed its site’s IP address from the Internet’s domain name system (DNS) at approximately 1 a.m. Eastern time, according to Web performance tracking firm Keynote Systems. SCO now is directing customers and others to a new site, www.thescogroup.com, that will be used until February 12th.
At the beginning of the attack, SCO had a statement posted on its site at www.sco.com that informed visitors of the overwhelming Internet requests as a result of the worm. However, by early Sunday morning, the company had moved to its backup plan.
Plan of Attack
MyDoom is designed to force infected PCs to send data to The SCO Group’s Web server between February 1st and February 12th. Despite the February 1st start date for the distributed denial-of-service (DDoS) attack, the worm actually began the attack early, on January 31st.
Mikko Hypponen, director of antivirus research in F-Secure’s Helsinki, Finland, office, told the E-Commerce Times that it was interesting to see MyDoom targeting SCO on Saturday night. However, he noted that since the worm precipitated the largest denial-of-service attack in history, such a turn of events was not surprising.
If SCO had not taken down its site, it would have encountered an even stronger threat as the workday got started in the United States, Hypponen said.
“Remember, the attack was slated to begin as each infected computer was started up,” he said. “That means the attack on Saturday and Sunday was from home computers. It wasn’t as large as it would have been on a Monday, and yet that was enough to take it down.”
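The payload described above is a flood that grows as infected machines boot up inside the February 1st to 12th window. The following added example (not code from the article, SCO or F-Secure) shows the detection logic a web-site operator could run over access logs to spot that signature: many distinct source addresses hitting one host in the same minute. The log format and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, date

# Dates the article gives for MyDoom's DDoS payload against www.sco.com.
DDOS_WINDOW = (date(2004, 2, 1), date(2004, 2, 12))
TARGET_HOST = "www.sco.com"

# Constructed sample log, simplified to "date time src_ip host path":
# two normal requests, one request to an unrelated host, then 120 distinct
# sources hitting the target within a single minute once the payload fires.
SAMPLE_LOG = "\n".join(
    [
        "2004-01-31 23:58:01 192.0.2.10 www.sco.com /",
        "2004-01-31 23:58:40 192.0.2.11 www.sco.com /products",
        "2004-02-01 00:05:03 192.0.2.12 www.example.com /",
    ]
    + [f"2004-02-01 00:05:{i % 60:02d} 198.51.100.{i} www.sco.com /"
       for i in range(1, 121)]
)

def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, host, path)."""
    day, clock, src, host, path = line.split()
    return datetime.fromisoformat(f"{day} {clock}"), src, host, path

def in_ddos_window(ts):
    """True if the timestamp falls inside the worm's scheduled attack dates."""
    return DDOS_WINDOW[0] <= ts.date() <= DDOS_WINDOW[1]

def detect_flood(log_text, host=TARGET_HOST, min_sources=50):
    """Return (minute, distinct_sources, in_window) for every minute in which
    at least `min_sources` different clients requested `host`. Many distinct
    addresses, each sending little, is the distributed-attack signature."""
    sources_by_minute = defaultdict(set)
    for line in log_text.splitlines():
        ts, src, req_host, _ = parse_line(line)
        if req_host == host:
            sources_by_minute[ts.strftime("%Y-%m-%d %H:%M")].add(src)
    flagged = []
    for minute in sorted(sources_by_minute):
        count = len(sources_by_minute[minute])
        if count >= min_sources:
            ts = datetime.strptime(minute, "%Y-%m-%d %H:%M")
            flagged.append((minute, count, in_ddos_window(ts)))
    return flagged
```

The `min_sources` threshold is a placeholder; in practice it would be set from the site's normal per-minute baseline.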
Shelter from the Storm
Hypponen noted that SCO should be safe from harm for the time being, now that it has removed its site.
“It can’t crash any harder,” he said. At this point, the site does not exist, so any computers that continue to attack it or that are booted up and attempt to begin an attack will not pose a threat, because they will be looking for a target that has disappeared.
In a statement Sunday, SCO announced it still had a number of contingency plans that would be put in place but would not be unveiled until Monday.
Weaker Virus, Better Immunity
A variant of MyDoom is expected to attack Microsoft’s main Web site on Tuesday, February 3rd. Like SCO, Microsoft has offered a $250,000 bounty for the worm’s creator.
The matching bounty may be where the similarity with SCO ends, however. Hypponen noted that the attack aimed at Microsoft involves computers infected with the B variant of the worm, which did not spread as widely as the variant targeting SCO.
“Microsoft really shouldn’t have any problems,” Hypponen said. “There should be much, much less effect than what we’re seeing with SCO.”
Symantec spokesperson Mark Perry told the E-Commerce Times that as MyDoom continues to spread, one of its effects will be a greater focus on security through audits and other tools.
“It’s showing us that we need to get rid of the weak links in the security chain,” he said.
The corporate sector may find help from the U.S. Congress in its effort to lock down systems. One bill, the Corporate Information Security Accountability Act of 2003, may feature prominently in dictating a mandatory level of security. The act would require all publicly traded companies to conduct a yearly security audit and publish the findings.
Perry said this is the kind of measure that may be necessary to prevent future worms and viruses from spreading as virulently as MyDoom.
“Any time you see a standard that sets a minimal level of security,” he said, “it’s good for everyone.”