The secrets to MyDoom's success
MyDoom SCOs, takes Caldera, too

By Mary Landesman, About.com

Picture this. Someone says, "I'm going to punch you hard on your left cheek." Do you try to avoid the punch or do you stand there and let them pummel you? It seems SCO, the target of the MyDoom.A DDoS attack, may have chosen the latter. If so, they willingly acquiesced to having not only the targeted domain, www.sco.com, taken offline, but they also handed over www.caldera.com in the process. Some questioned why SCO didn't take proactive action for the sake of their customers, either removing www.sco.com from the DNS records or even redirecting queries for that domain back to 127.0.0.1 (the local machine's loopback address). Doing so would have allowed the Caldera site to continue functioning and, in the case of the loopback address, turned the punch back onto the attacking machines, since each infected host would then be sending its requests to itself. Instead, a statement released by The SCO Group the morning after the attacks began gives the impression they simply turned the other cheek and let it get pounded as well.

According to the statement, "Internet traffic began building momentum on Saturday evening and by midnight Eastern Time the SCO Web site was flooded with requests beyond its capacity." Jeff Carlon, director of IT infrastructure for SCO, pledged, "While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning."

The MyDoom worm was discovered on January 26th and was quickly proclaimed one of the fastest-spreading worms ever. Its intended attack on the SCO website was widely publicized by both the media and security vendors.

Much controversy has surrounded SCO since it claimed last December that the Linux operating system was violating their intellectual property rights in UNIX. "There are a lot of kids out there who feel like SCO's attacking them", commented Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "Apparently some of them decided that it's ok to attack back."

While a cynic might allege that by playing victim, SCO hopes to gain empathy and publicity for their plight, perhaps they simply didn't know how to take evasive action. Though this does seem implausible, consider that this is the same company that, in the days prior to the 'scheduled' attacks, posted the following "definitions" for malware:

  • Viruses are computer programs that cause unexpected results when executed.
  • Worms are pieces of code embedded in graphics, word processing documents (though not strictly text documents), spreadsheets, and attachments to emails, such as zipped (compressed) files. They replicate themselves inside the "host" computer, utilizing that computer's memory and disk storage resources in the process. Often they "read" that computer's email phone book, and begin sending copies of themselves to everyone on the list.
  • Trojan Horses are malicious programs that have innocent-sounding names.

Though humorous, the definitions demonstrate a lack of knowledge regarding malware that one hopes doesn't carry over to their understanding of DDoS attacks. See What is a virus? for accurate definitions of malware.

How the attack works
From February 1st through February 12th, the MyDoom worm is programmed to launch a Distributed Denial of Service (DDoS) attack against www.sco.com. A second variant, MyDoom.B, attacks both www.sco.com and www.microsoft.com, but very few copies of MyDoom.B have been discovered in the wild. However, MyDoom.A is extremely prevalent and thus the sustained attack on SCO is significant.

In layman's terms, the MyDoom worm creates 64 threads (or instances of the routine), each of which makes a GET request to the SCO website every second. Put another way, every second, 64 requests for the SCO site are made from each infected machine. Multiply that by the number of infected machines worldwide, and it's a doozy of a DDoS. At the time of this article, nearly 16 million MyDoom-infected emails had been detected by MessageLabs, and Trend Micro had reported detecting well over 160,000 instances of MyDoom infection. That's a tremendous number of potentially infected systems, particularly when one considers those numbers are coming from only two sources. Each one of the GET requests sent by the worm from an infected system requires a response from the targeted machine, in this case the SCO webservers. Unable to meet the demands of so many simultaneous and sustained requests, the webserver buckles under the load and the site becomes inaccessible to all users.
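The request pattern described above (a fixed burst of GET requests per second from every infected host) is visible in ordinary web-server access logs, and a per-source rate check is the simplest way a site operator can confirm a flood and pick out the addresses involved. The following is an added example written for this page, not code from the article or from SCO; it assumes Apache/nginx "combined" log lines, and the sample log it builds is constructed (documentation IP ranges, made-up timestamps and user agents):

```python
"""Per-source GET flood detector over web-server access logs (added example).

Flags client addresses whose request count in any one-second window meets a
threshold, which is the pattern the article describes: 64 GET requests per
second from each infected machine.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None if it
    does not parse. The combined-format timestamp (e.g. 01/Feb/2004:00:00:01
    -0500) already has one-second resolution, so the string is the bucket key."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['ip'], m['ts'], m['method'], m['path']


def find_flooders(lines, threshold=30, method='GET'):
    """Count requests per (ip, second) and return {ip: peak_requests_per_second}
    for every address whose peak meets the threshold. Lines that fail to parse
    or use another method are ignored rather than counted."""
    buckets = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, meth, _path = parsed
        if meth == method:
            buckets[(ip, ts)] += 1
    peaks = defaultdict(int)
    for (ip, _ts), count in buckets.items():
        peaks[ip] = max(peaks[ip], count)
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def build_sample_log():
    """Constructed sample log (not real traffic): one host behaving like the
    worm, 64 GET requests for / in each of two seconds, plus two ordinary
    visitors. Addresses come from the RFC 5737 documentation ranges."""
    fmt = '{ip} - - [{ts} -0500] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'
    lines = []
    for sec in (1, 2):
        ts = f'01/Feb/2004:00:00:0{sec}'
        lines += [fmt.format(ip='198.51.100.7', ts=ts, path='/', ua='worm-like')] * 64
    lines.append(fmt.format(ip='203.0.113.9', ts='01/Feb/2004:00:00:01', path='/', ua='Mozilla/4.0'))
    lines.append(fmt.format(ip='203.0.113.9', ts='01/Feb/2004:00:00:01', path='/products.html', ua='Mozilla/4.0'))
    lines.append(fmt.format(ip='203.0.113.10', ts='01/Feb/2004:00:00:02', path='/', ua='Mozilla/4.0'))
    return lines


if __name__ == '__main__':
    for ip, peak in sorted(find_flooders(build_sample_log()).items()):
        print(f'{ip}: peak {peak} GET/s')
```

The threshold of 30 requests per second is a placeholder; a real deployment would set it from the site's own baseline, and a worm that spreads this widely produces far more distinct source addresses than any single-host rate limit can absorb, which is why the article's DNS-level options matter more than per-address blocking.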

Why the worm spread
Despite continued admonishments from the security community to not open attachments received unexpectedly, obviously tens of thousands of users did just that. Several possible reasons present themselves. Chief among these are the following three:

  • The cryptic message used in the MyDoom email
  • An attachment icon similar to a text icon
  • Nearly 10-hour delay before reliable antivirus updates were available
  • All of the above

Next: Whose fault was it?


©2009 About.com, a part of The New York Times Company.