RealTime IT News

SCO Shifts, Microsoft Braces for Next MyDoom

Microsoft officials launched a last-minute reminder to Windows users Monday afternoon to prevent the spread of the MyDoom.B virus that's targeting its home page.

MyDoom.B is a variant of the W32.Novarg.A@mm (MyDoom.A) e-mail virus -- which targeted the SCO Group Sunday -- that sends Microsoft Outlook and Outlook Express users an official-looking e-mail with a zip file attached. Once the attachment is opened, the virus harvests the e-mail addresses found in the mail program and forwards itself to them, while planting code on the user's system to enable a distributed denial of service (DDoS) attack. At a pre-determined time (found in the malicious code), the zombied machines then send page requests to the selected site.

The attacks have already begun, according to network traffic monitoring site NetCraft, which shows spikes in Microsoft home page requests since roughly noon Monday. According to SCO officials and security experts, many MyDoom.A-infected computers with improperly set clocks launched the DDoS attack early. The same appears to be happening to Microsoft.

Microsoft officials are quiet on the specific steps they are taking to combat the virus. A spokesperson told internetnews.com that users with infected machines should visit Microsoft's MyDoom virus page for details on removing the code if they don't have anti-virus software to do it for them.

"We are doing everything we can to ensure that Microsoft properties remain fully available to our customers," the spokesperson said. "Microsoft is aggressively working with our virus information alliance partners to help protect customers from this outbreak."

Microsoft officials are hoping to avoid what happened to the SCO Group, which was forced to move its home page to a different URL today after the MyDoom.A virus knocked out its home page, www.sco.com, on Sunday. The home page can now be found at www.thescogroup.com.

The latest move comes less than a week after The SCO Group and Microsoft each offered $250,000 for information leading to the arrest and conviction of the virus author or authors.

While SCO officials were quick to blame Linux enthusiasts when the virus' intent was first discovered, experts now think the virus originated from spamming outfits in Russia, according to a report at Linuxworld.com. The Lindon, Utah, company was the subject of several Web site failures last year, which officials claim were instigated by members of the Linux community in protest of the company's lawsuit against IBM for copyright infringement. The MyDoom.A virus was set to launch the DDoS attack against SCO on Feb. 1 and has a trigger date to stop spreading on Feb. 12. The SCO Group claims that the virus has caused $1 billion in lost productivity and damage to businesses worldwide. A variant of the MyDoom virus was also expected to hit Microsoft's Web site on Tuesday, Feb. 3.

According to a Weblog of security outfit F-Secure, the MyDoom.A virus is the "biggest single DDoS attack ever," affecting more than one million computers worldwide. F-Secure doesn't expect MyDoom.B, which targets Microsoft, to be nearly as widespread as the A version.

Blake Stowell, a SCO spokesperson, told internetnews.com the move to a different site is only temporary and that the company plans to move its home page back sometime after Feb. 12, the end-date of the virus.

"Certainly, between now and (Feb.) 12th we plan to continue testing to see if our original company Web site is able to go back up again and if it is, we'll certainly have it up and running," he said.

The move puts SCO's home page dangerously "close" to a hostile anti-SCO Web site, www.thescogroup.net, so officials are likely to switch back to their original site as soon as possible.

Despite SCO Group's move to another site, Stowell said he doesn't expect the move to significantly damage its online operations. The original Web site crashed over the weekend, he said, at a slow time for conducting business.

"The company does 80 percent of its commerce on the Web, however that commerce is not done at the www.sco.com Web site," he said. "With (the site) down, we're still able to conduct the business online that we need to."

Various groups had asked the company to remove the DNS servers hosting the www.sco.com site, as the DDoS attacks were creating Internet traffic bottlenecks around the world. According to officials at NetCraft, an Internet monitoring site, SCO "may also have been the subject of pressure from ISPs to put a stop to the http traffic."

According to AlertSite, a Web site monitoring company, SCO's site was available sporadically until about 1:00 am on Sunday, Feb. 1, at which point it crashed. In addition, the company reported that the Microsoft.com Web site "experienced some fairly significant performance degradation" on Sunday as well, when Microsoft's home page was about 24 percent less responsive compared to the prior two Sundays.