The Mydoom computer virus succeeded in knocking a small Utah-based software company off the Internet on Sunday. Hundreds of thousands of computers bore down on the SCO Group's home page, hitting the Web site with a deluge of traffic that quickly overwhelmed it. Meanwhile, there was still speculation that the Web site attack might be a sideshow to the worm's real purpose — aiding spammers.
Traffic began hitting SCO.com earlier than anticipated, late Saturday evening, and by midnight ET, it was offline. The virus was set to initiate its attack at 1609 GMT Sunday, but antivirus experts believe so many computer clocks were set with the wrong time that some infected machines began their attack early.
SCO spokesman Scott Blake said the company decided early Sunday to take its Web site offline, rather than face the attack throughout the day.
"Because it's Sunday, and it's Super Bowl Sunday, we made the decision to just take the site down altogether, so if anyone tries to log in, most people come up with a Google page or an MSN search page saying 'We can't find that site,' " Blake said. The site itself has been temporarily removed from the Internet's address matching system, run by Domain Name Servers that match domain names to their underlying numeric addresses, Blake said. That prevents Internet users from finding the site, and prevents SCO from having to fend off the deluge of traffic.
It also prevents customers from reaching SCO.com, but since SCO doesn't sell software through the site, "there is nothing from a financial standpoint where this will impact us," Blake said. Only customers looking to download software updates will be impacted, he said.
Blake added that the company plans to have the site back online Monday morning.
A similar attack targeting Microsoft Corp.'s Web site fell flat. That attack was a component of a Mydoom variant, Mydoom.B, which infected very few computers.
Vincent Gullotto, virus researcher at Network Associates Inc., says as many as 500,000 computers were infected with the worm at some point last week, and perhaps 150,000 to 200,000 hadn't been disinfected by Sunday. Since each infected machine was designed to hit SCO.com multiple times, he estimated over 1 million requests were targeting the Web site simultaneously.
Still, even with a million or so requests pounding SCO.com, the attack had no impact on the overall performance of the Internet.
"The Internet appeared to be operating normally and withstanding the effects of the MyDoom worm," said Dan Berkowitz, spokesman for Keynote Systems Inc., which monitors the Internet's performance.
SCO may face an additional challenge Monday morning when it tries to reconnect its Web site, Gullotto said. Some infected machines may have been turned off during the weekend, and may initiate their attacks when turned on Monday morning.
Fastest worm ever
Researchers have called Mydoom the fastest-spreading e-mail worm ever. While the spread of Mydoom had slowed by Friday, it was still generating massive amounts of stray e-mail traffic and infecting more computers worldwide.
This weekend, the worm’s second feature kicked in, when it instructed every infected computer to attack SCO's Web site.
While security experts didn't expect the Web site attack to impact the overall health of the Internet, some said it could cause spotty outages – for example, users who share common cable modem lines with infected computers might experience localized slowdowns, said virus researcher Vincent Gullotto of Network Associates Inc. And that should be a concern to Super Bowl advertisers that have Internet components to their pricey television commercials. Advertisers are paying about $2.3 million for a 30-second spot during Sunday’s game.
“With anybody using the Net to market during the Super Bowl, you may at least want to understand what's going to happen on Sunday,” Gullotto said. “It never hurts to have a backup plan in place.”
SCO, which has been targeted in other recent attacks, is in the middle of a prolonged fight with Linux users, but there is no direct evidence linking that argument to the attacks.
However, SCO spokesman Blake Stowell said he suspected the Linux community is to blame for the impending attack.
"The previous attacks on our company came from the Linux community, we know that," he said. There is no way to know who is responsible for the worm at this point, Stowell said, but "history would say it is someone within that community that is upset with us."
Might be a smokescreen
But some antivirus researchers think the Super Bowl Sunday denial of service attacks might be a smokescreen, a sideshow designed to distract researchers from the worm’s real purpose — aiding spam — said virus researcher Mikko Hypponen of F-Secure Corp., based in Finland.
“The logic in having the attack code on SCO, it could be something to throw the attention to somewhere else,” Hypponen said. “So nobody really paid attention that there is this other functionality.”
The “other functionality” is a simple back door the Mydoom virus installs on infected computers. It leaves an open port, or doorway, onto the computer in a fairly cryptic location. While it would be hard for casual hackers to stumble on this door, the virus author would know exactly where to find infected machines.
Whoever finds the machines would have a willing army of computer zombies to do all kinds of dirty work. Since spammers are frequently disconnected from Internet service providers, they are constantly in search of “proxies,” hacked computers that can be used as fresh Internet addresses from which they can send out spam.
“You can re-route e-mails through the machines. It’s exactly what you need if you want to send spam and mask who you are,” Hypponen said.
It wouldn’t be the first time a massive virus outbreak led to more spam, said virus researcher Vincent Weafer of Symantec Corp. Last year’s SoBig virus, which also infected hundreds of thousands of machines, turned out to be a cleverly designed tool to turn home computers into spam proxies. A report released in December by antivirus firm Sophos said one-third of all spam sent at the end of last year was transmitted by such hijacked computers.
“We do know the use of worms as carriers for open proxies has been increasing over the last year,” Symantec’s Weafer said. “A lot of these machines are for hire.”
Months after the SoBig outbreak, antivirus firms were tracking spam sent from IP addresses with computers known to have been infected by that virus. While F-Secure has not yet discovered spam sent by Mydoom-infected computers, Hypponen thinks it will happen.
“It’s just a theory at this point, but I wouldn’t be surprised if that’s the case,” he said.
Internet chat rooms are full of computer criminals offering such proxies for sale — one estimate suggests a going rate of $5,000 for about 10,000 hijacked computers, Weafer said. “There is real money being spent for compromised boxes.”
FTC tries to raise awareness
The Federal Trade Commission acknowledges that the threat of consumers unknowingly helping spammers is real. Coincidentally this week, the FTC launched an awareness campaign designed to alert consumers to the possibility that their home computers might be used by spammers.
FTC attorney Eric Wegner said he couldn’t say what was behind the Mydoom outbreak, but said it was “highly plausible” that spam was the motivation.
“As it becomes harder to send out hundreds of thousands of messages from one place, the more likely it is that people will try more find more ways — to send out spam,” Wegner said. “This would be one desperate way to try to inject spam into the system.”
He advises consumers to keep antivirus software up to date, to install a firewall to prevent hijackings, and to regularly check the "sent" folder in their e-mail to see if there’s any unexpected activity.
“They should look at what's coming out of their machines to see if there’s anything strange,” Wegner said. “If it looks like their computer might be infected, they should take it offline and run a virus scanner.”
Consumers concerned that they are infected with the worm can download “cleaner” software from the various antivirus vendors. The FTC also has a Web site with more information at http://www.ftc.gov/infosecurity/.