The SCO Group Inc is following Microsoft Corp’s lead in offering a bounty for information leading to the arrest and conviction of a virus writer. SCO will give $250,000 to whoever turns over the author of MyDoom, which is set to attack SCO on Sunday.
MyDoom hit email servers and Windows PCs on Monday, and continued to spread yesterday. It is being called one of the fastest-spreading mass mailer worms ever. It also carries a payload designed to conduct a denial-of-service attack on www.sco.com.
SCO has been hit by a number of DoS attacks over the last several months, apparently carried out by a person or people disgruntled with the company’s attitude to the Linux operating system and software copyrights in general.
SCO is suing IBM Corp for billions over allegations of allegedly copyrighted Unix code being misappropriated and released into the open-source community. SCO lawyers have also been sending threatening letters to large enterprise Linux users.
This one [attack] is different and much more troubling, since it harms not just our company, but also damages the systems and productivity of a large number of other companies and organizations around the world, said SCO CEO Darl McBride.
The company said it is working with the US Secret Service and the Federal Bureau of Investigation to track down the culprit or culprits. McBride said he has suspicions about the attacker’s motives and identity.
A SCO spokesperson said: We suspect it could be someone from the Linux or open-source communities. He said SCO has seen four DDoS attacks in ten months, and that there is evidence to suggest that one of them was launched by a Linux developer.
MyDoom, having circled the globe once, showed little sign of letting up yesterday, according to some virus experts. Some said MyDoom, also known as Novarg and as a MiMail variant, was unusually fast, some said it was a quite average mass mailer.
Our submission rates haven’t dropped yet, so it’s still moving at a pretty steady clip, said Alfred Huger, senior director of engineering at Symantec Corp’s Security Response unit. It will eventually reach saturation… probably in a day or two.
Keynote Systems Inc, which tracks the performance of many major web sites, said it did see a measurable slowdown during the initial stages of the MyDoom proliferation, though sites were back up to speed by afternoon Pacific time yesterday.
Keynote said the average page load time on the 40 top web sites yesterday morning was between 3.8 and 3.9 seconds, compared to an average of 2.7 the previous week. On Monday, during the height of the attack, 4 seconds was the average.
Postini Inc, an email security company that specializes in spam filtering, said it was processing 3.5 million MyDoom messages per day and that the virus was accounting for 90% of all viruses being blocked by the company.
Experts said MyDoom’s payload is designed to start flooding SCO’s web sites with HTTP commands between February 1 and February 12. Since it is targeting the domain, rather than an IP address, SCO’s options for mitigating the attack are slimmer.
Microsoft experienced a similar problem with Blaster, or MSBlast, last summer. The Microsoft domain windowsupdate.com was targeted by infected computers, which could have caused a significant DDoS.
Microsoft’s response was not exactly textbook, although it was effective. It realized it wasn’t using windowsupdate.com anyway – Windows is configured to go to windowsupdate.microsoft.com – so it simply turned the domain off.
Microsoft was also the first company to put money on the heads of virus writers. The firm will pay $250,000 to whoever turns in the authors of SoBig or Blaster. It has also set aside $5m for future bounties.
SCO will not be able to do this. A spokesperson for the company said it is working with its ISP to mitigate the effects of the attack, and that it has managed to fight off similar (though perhaps not as large) attacks before.
This article is based on material originally published by ComputerWire