Worm Attack Shuts Down Web Site

The Mydoom worm unleashed its payload early Sunday morning, crippling the web site of Santa Cruz Operations.

That site was bombarded with data, causing it to grind to a halt. The company reportedly took the site offline for a few hours overnight and it was still inaccessible Sunday afternoon.

SCO was hit with what is known as a "denial of service attack," which results when a Web site is hit with so much extraneous data that it simply crumbles under the load. It's essentially a deliberate traffic jam, similar to jamming roadway with thousands of extra cars and making it impossible for regular traffic to get through.

Anti-virus firms Symantec and F-Secure analyzed the Mydoom code and predicted that it would start attacking sco.com at precisely 11:09 AM Eastern time Sunday morning, but the bombardment of data actually began closer to midnight. In fact, SCO.com had been sluggish for several days last week. The timing was based on the clock settings of infected computers, which can be off by hours or even days.

The worm is also known as W32.Novarg.A@mm.

As of Sunday morning, the worm had no noticeable impact on overall Internet performance according to Lloyd Taylor, Vice President of Technology at Keynote Systems, a San Mateo, Calif., Internet performance-monitoring firm. Last week, Keynote reported that the onslaught of email from the worm was causing a slowdown in some large business web sites.

As predicted, however, it did totally shut down Santa Cruz Operations Web site. "None of my agents are getting through, which means that the attack traffic is successfully getting through," said Taylor.

The worm can only infect Windows computers but any Internet users can be bombarded with infected e-mail or experience a slow down when using the Internet.

Even though it doesn't appear to be slowing down the Internet backbone, the worm continues to replicate itself by sending out email with attachments. Windows users can become infected if they click on an attached file which typically ends in .zip.

I've personally received more than 1,000 e-mail messages with infectious attachments. My computer didn't become infected because I didn't open any of the attachments, but it has had an impact on my productivity because of the extra time it takes to download and sort through the excess email. All that extraneous e-mail also tends to bog down corporate networks and Internet service providers. Infected e-mail may appear to come from people you know because the virus can harvest e-mail addresses from contact lists as well as other sources.

This is not the first time that security experts have been concerned about the overall impact of a worm or virus. Warnings were issued in July, 2001 about the possible impact of the "Code Red" worm which infected thousands of servers worldwide. However, the worm had no appreciable impact on Internet performance, according to Keynote Systems. Ironically, the July 19, 2001 train wreck in the Baltimore tunnel did cause a slow down (due to cut cables) that some people mistakenly blamed on Code Red.

The Mydoom attack came on Super Bowl Sunday, a day on which considerable Internet traffic is likely because of Super Bowl advertisers urging viewers to visit their web sites. Among those pricey commercials are spots for Apple and Pepsi, announcing a giveaway of free downloadable iTunes music.

Santa Cruz Operations, the target of Sunday's attack, is a Lindon, Utah, software company that is involved in legal actions against IBM and other companies regarding the Linux operating system. The lawsuit has embroiled the company in controversy and has earned it the enmity of many Linux advocates, but there is no evidence that anyone in the Linux user community is responsible for the attacks.

Kaspersky Labs, a Moscow-based anti-virus software company, claims that there is an 80% chance that the virus was created by Russian criminals, in a likely attempt to enlist computers to help disseminate spam.

Santa Cruz Operations, whose Web site has been sluggish all week because of the virus, and Microsoft have offered a $250,000 reward "for information leading to the arrest and conviction of the individual or individuals responsible for creating the Mydoom virus."

In the mean time, the first or "a" version of Mydoom has an evil twin called Mydoom.b which is programmed to attack Microsoft's website on February 3rd as well as the websites of the major anti-virus companies. The good news is that Mydoom b. has does not seem to be spreading nearly as rapidly as Mydoom.a.

General advice on worms and viruses along with links to the websites of major anti-virus companies is available at www.pcanswer.com/antivirus.htm.

By Larry Magid