SCO downed by Mydoom

Computers infected with the Mydoom worm launched a massive attack against the Web site of Unix software maker The SCO Group, Inc. Sunday, cutting off access to the company's Web site.

The so-called "distributed denial-of-service" (or DDoS) attack began early Sunday as Mydoom-infected computers worldwide followed instructions to send messages to www.sco.com, overloading the company's Web servers. It is one of the largest DDoS attacks on record, antivirus experts said.

In a statement, SCO confirmed the attack, saying that requests sent to www.sco.com from Mydoom-infected computers were responsible for making its Web site "completely unavailable" Sunday. The company is working on "contingency plans" to deal with the DDoS problem, but would not have more information before Monday morning, SCO said.

SCO's Web site was already slowed last week by traffic from Mydoom machines with incorrect clocks. However, the site became totally unreachable shortly after 5:00 PM Pacific Time Saturday, when infected machines in Asia began registering the new day, said Craig Schmugar, antivirus researcher at Network Associates Inc.'s (NAI) McAfee antivirus division.

The attack is caused by thousands of infected machines sending "get" requests to SCO's Web servers simultaneously. That is akin to what happens when individual users point their Web browser to www.sco.com. The large numbers of machines requesting the site simultaneously produces the attack, overwhelming SCO's Web infrastructure, Schmugar said.

The attack is one of the largest DDoS attacks linked to a virus infection, but is not effecting traffic on the rest of the Internet, he said.

Estimates of the number of machines infected by Mydoom vary widely. F-Secure Corp. of Helsinki said that as many as one million machines may have the virus. NAI puts the number at around 500,000 systems.

However, for a variety of reasons, only a fraction of the machines infected by the virus are taking part in the attack, Schmugar said.

Machines that have been turned off for the weekend cannot attack. And, due to a coding error in the virus, only around one in four machines that are running and infected will launch an attack, he said.

NAI estimates that between 25,000 and 50,000 machines were involved in the attack on www.sco.com Sunday, Schmugar said.

Speaking on Friday, SCO spokesman Blake Stowell said that the company had contingency plans that would sidestep the coming DDoS attacks, but did not want to give the Mydoom author advance notice of what those plans were.

He denied that SCO was considering moving its site to a managed network such as the one owned by Akamai Technologies, Inc. Any efforts to block the attack would be managed internally at SCO, he said.

Among the options SCO was considering was moving its Web site to a new Internet address that is not targeted by Mydoom, Stowell said.

As of Friday, SCO was speaking with customers about its plans and giving them ways to stay in contact with SCO during the attack. SCO would release more information about steps it was taking to deal with the Mydoom attack "on Sunday or Monday," Stowell said.

The Mydoom virus is programmed to continue its attack on www.sco.com until February 12, 2004, F-Secure said.

The SCO Web site may be reachable before then, as the owners of infected computers remove the virus from their machines. However the site will probably continue to be slowed until Mydoom turns itself off, Schmugar said.