January 30th, 2004, 04:14 PM
What a load of crap.. SCO believes My.Doom is result of "linux terrorists"..
I was reading a news group and someone commented that CNN was saying that SCO believes that My.Doom was written by Linux terrorists. So I wanted to find the article. In a google news search I found the following (Bold added by me):
A computer virus that began spreading swiftly across the Internet on Monday is coded to launch an attack on the SCO Group's Web servers Sunday, according to antivirus companies.
Computers infected with the "MyDoom" virus will begin to attempt to connect to the main page of the SCO website Feb. 1. The connection requests will come roughly every second from each of the estimated thousands of machines that are now infected, in an attempt to overload SCO's Web server and knock the company's site off the Internet.
On Tuesday morning, the MyDoom virus was present in one out of every 12 e-mails, according to e-mail security firm MessageLabs, surpassing the SoBig.F virus which, at its peak last summer, was found in one out of every 17 e-mails. SoBig currently tops many antivirus vendors' charts as the most active virus ever to hit the Internet.
But MyDoom soon may top SoBig. More than 1.2 million copies of the virus have been stopped by MessageLabs since it started circulating mid-Monday afternoon, and MessageLabs expects the virus will continue to spread at a furious rate Tuesday.
The denial-of-service attacks against SCO could continue until Feb. 12, when the virus is coded to stop spreading, according to antivirus vendors F-Secure and Symantec.
In March 2003, SCO claimed that its intellectual property had been illegally included in the Linux operating system. The company has since filed legal actions against IBM, Red Hat and Novell. The company also is demanding that corporate users of Linux pay SCO a licensing fee for the use of the open-source operating system.
"Arguments between SCO and the open-source community have been continuing for some months. It appears that the author of MyDoom may have taken the war of words from the courtrooms and Internet message boards to a new level by unleashing this worm which attacks SCO's website," said Chris Belthoff, senior security analyst for Sophos, an antivirus vendor.
"If we ever get our hands on MyDoom's creator our guess is that he will be an open source-sympathizer," Belthoff said.
But while some at geek discussion site Slashdot joked that MyDoom was "the first virus they would willingly load onto their computers," the vast majority condemned the virus writer, saying that SCO should be confronted in the courtroom, not through viruses and denial-of-service attacks.
"This is someone who just wants to feel important and who thinks that by DDoS'ing SCO everyone will call him a hero. Well, you stupid ignorant bastard, if you're reading this -- and you probably are since you expect that the Slashdot hordes will applaud your bravery in damaging thousands of people's computers -- no one admires you," one post on Slashdot read. "Anyone who wants to see SCO suffer for the wrongs they have done should unequivocally condemn such acts of terrorism. SCO will be broken by the weight of justice and right, not by mindless thugware."
January 30th, 2004, 05:03 PM
Isn't it ridiculous. Hopefully no one believes such nonsense.
January 30th, 2004, 05:16 PM
I've been following that Slashdot-discussion, and this one post I found particularly interesting (as in: makes a lot of sense/more sense than "Linux terrorists".)
The overwriting of the hosts file carried out by the virus also seems to support the Russian theory: blocked addresses are the main .com site, and if available also the .ru and .ch, for example www.avp.com, www.avp.ru, and www.avp.ch.
Since Mydoom has been identified as a variant of Mimail, which is largely believed to have been written on behalf of spammers and/or PayPal scammers (apparently in Russia), the most likely scenario is that the same group created Mydoom.
The attack on SCO is most likely just a diversion. A simple distraction from the actual goal... to turn millions of machines into zombies which can be used to conduct illegal activities (phishing scams), or can be turned into email/spam relays to be sold to spammers.
It's already been established that Mydoom installs a backdoor and allows routing of tcp/ip connections to mask the identity of the originator. More or less exactly what scammers hoping to defraud ordinary people of banking details (phishing) need. Also the standard approach to turning machines into a valuable asset that can be sold to spammers in need of mail relays or "bulletproof hosting" for their websites that host the images all those spam messages reference.
Attacking SCO is a smart diversion.... especially if SCO takes the bait and publishes a flamebait press release (seems almost certain), which will of course provoke a response from the free software / open source communities. Lots of free press to help divert the anger of millions of (clueless) victims towards the very visible open source and free software people, and SCO, and away from the real criminals.
Judging from most of the comments here on Slashdot so far, it appears to be working perfectly.
The .ru is the Russian site, the .ch is the Swiss site (dunno why that is).
If I were a Russian virus writer, I'd do the same: launch it first in Russia, then make sure no (infected) Russian can get to the anti-virus sites...
January 30th, 2004, 05:42 PM
Now that makes more sense to me. And pretty smart on their part as well as showing how "determined" SCO is.
What surprises me however is how anti-open source they are. Maybe I'm going on the old concepts but I thought that the old SCO Unix was an open source OS as well?
January 30th, 2004, 05:44 PM
No one thinks it's suspicious that Linux users are pissed at SCO and along comes a virus that does no damage but launches a DoS on SCO? That the attack was a diversion from the real issue, ok what is the real issue? Spamming? Why try and hide it? Why not open a port to Microsoft? Oh wait, that would also look suspicious on the Linux hats. Ok where the hell was Gore over the last few days???? It's hard to turn millions of machines into zombies when you open a port and start spamming SCO? Kind of defeats that purpose.
January 30th, 2004, 05:47 PM
Not spamming. Phishing. Used to make $$. You know, fake VISA or PayPal emails. That means, let's make some money on the side so let's distract everyone.
Then again, maybe they are disgruntled Open Source supporters. But that said, I'd rather see SCO lose out huge in court and/or back down on their bluff than use a virus. Doesn't make sense.
January 30th, 2004, 06:13 PM
No it doesn't make sense, unless your mentality is that of a terrorist, in thinking the pressure you place on SCO will make them back off the lawsuit.
January 30th, 2004, 07:16 PM
I have one for you, RoadClosed. What if a SCO supporter wrote MyDoom to attack SCO and then suggest that it was the fault of the Open Source supporters?? (how's that for a conspiracy theory?)
January 30th, 2004, 08:15 PM
The anarchist in me actually thinks it's funny that perhaps a group of Linux Foo Fighters have banded together to take SCO offline; the romantic part of me likes that idea.
January 31st, 2004, 04:49 AM
Come on, we all know it was Apple j/k
I think it's definitely organized crime making it look like it's all about SCO.
From an analysis of the virus found here:
From my quick and dirty analysis, it's a thread that does the DDoS.
It has below normal priority, and it just does a GET:
GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n
That's about it, I think.
Has anyone seen the DOS against SCO actually happen?
I have the new critter in a test environment where we conducted a preliminary and rudimentary functionality and threat analysis and the only activity I can get it to perform related to www.sco.com is to resolve the name. In fact, it seems very unhappy if it cannot resolve www.sco.com. Once it can, it happily scans local files for anything that can be construed (very loosely) as a domain and tries to resolve mail servers based on these. In fact, right now it's trying to resolve 'mx.makewin.rsp'. 'Makewin.rsp' is a file referenced in the help files of my DigitalMars C++ compiler on a test machine, so it's not a very smart worm. The worm also seems to like to increment the third octet of the host IP by one and SYN to port 25 of that address over and over and over... I have played with the date, etc, but still no activity directed toward www.sco.com. It did die after 12 February, but gladly resurrected when the date was set back prior to that.
My first impression was this was the work of the Russian mob, but if I were a part of a criminal group here or anywhere, I'd break into computers in Russia and use them to infect other machines to make it look like it started there. An easy way would be to use IIS servers running FrontPage extensions without the owners knowing they even have a webserver. Set up a page that downloads some original infectors on unpatched machines you direct there through spoofed mail or IRC links. If the original infectors delete themselves and do not infect these machines but just use them to propagate, chances are it would go undetected.
Nah! probably the Russian mob
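The quoted analysis above describes the worm's DDoS thread as a bare "GET / HTTP/1.1" sent about once per second from each infected host. As an added example (not from the thread or from any of the analyses quoted in it), this Python script scans web server access log lines for that cadence so an operator can pick out flooding sources for rate limiting or blocking; the log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Flag sources issuing MyDoom-style 'GET /' requests about once a second.

Reads Apache common-log-format lines, keeps only bare root GETs, and reports
source IPs with a run of at least `min_hits` such requests spaced no more
than `max_gap` seconds apart. All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common log format, e.g. 10.0.0.5 - - [01/Feb/2004:00:00:01 +0000] "GET / HTTP/1.1" 200 5123
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, request-line) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def flag_flood_sources(lines, min_hits=5, max_gap=2.0):
    """Map each flooding source IP to the length of its longest ~1/sec run."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        ip, ts, req = parsed
        if req.startswith("GET / HTTP/1."):  # only the bare root GET the worm sends
            per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        run = best = 1
        for earlier, later in zip(stamps, stamps[1:]):
            run = run + 1 if (later - earlier).total_seconds() <= max_gap else 1
            best = max(best, run)
        if best >= min_hits:
            flagged[ip] = best
    return flagged

# Constructed sample: 10.0.0.5 hits "/" every second, 10.0.0.9 browses normally.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Feb/2004:00:00:{s:02d} +0000] "GET / HTTP/1.1" 200 5123'
    for s in range(6)
] + [
    '10.0.0.9 - - [01/Feb/2004:00:00:03 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '10.0.0.9 - - [01/Feb/2004:00:00:45 +0000] "GET / HTTP/1.1" 200 5123',
    'not a log line',
]

if __name__ == "__main__":
    print(flag_flood_sources(SAMPLE_LOG))
```

A single client legitimately loading "/" every second is rare, so tuning `min_hits` upward mainly trades detection delay for fewer false positives.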