As expected, the Web site of the SCO Group was hit this weekend by a massive distributed denial-of-service attack generated by the Mydoom-A worm. The embattled company has set up an alternate site.
SCO has removed its homepage, www.sco.com, from DNS to eliminate the traffic generated by the attack. DNS servers map domain names to the numeric IP addresses of Web sites; with the record withdrawn, users who try to reach www.sco.com now get an immediate lookup failure from their local DNS servers, and no request ever leaves for SCO's network. SCO is using www.thescogroup.com instead. The Lindon, Utah-based firm has been under fire for its $3 billion suit against IBM; SCO is alleging that Big Blue donated Unix code to the Linux kernel.
The company plans to use the alternate site until Feb. 12, when the worm is coded to shut itself off, or whenever the attacks stop "because many computers may not have their [time] correct," said Blake Stowell, SCO's director of public relations. "This is a temporary measure."
The attack began in earnest around midnight EST Sunday.
"Within an hour, we saw a significant spike in traffic, and our site was no longer responding to requests," Stowell said. "We were under a full scale denial-of-service attack by 1 a.m. EST."
Another variant of the worm, Mydoom-B, is slated to start a similar attack tomorrow on both SCO's site and Microsoft's Web site, but that attack is unlikely to be significant. While Mydoom-A has infected hundreds of thousands of systems, only a small fraction of that number have been infected by Mydoom-B.
Both companies have offered $250,000 rewards for information leading to the arrest and conviction of the people who wrote the worms.
There really wasn't much SCO could have done over the weekend to keep its site online. The attack was the largest single DDoS attack of all time, said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp. "It could have taken down much larger sites or multiple sites easily," he said.
The company tried to keep the site online for a while, but by midday Sunday, it had removed the site from DNS. Doing so minimized the disruption of the attack on the Internet as a whole. "It means the attack won't also clog up the route leading to SCO's Web site," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC.
No one knows why the worm is preset to stop working on a particular day. In theory, if it weren't for the kill date, the DDoS attack could go on indefinitely and keep www.sco.com offline permanently.
"It really is a mystery. We have been seeing a lot of worms over the last year and a half with such suicide dates," Cluley said, noting that the Sobig family of worms had kill dates. "The theory is they released updated worms after their previous creation has died off."
Some speculate that the worm's attack on SCO is just a smokescreen for its true purpose: creating relays for use by spammers. Mydoom-A opens a backdoor on infected machines, listening on a TCP port in the range 3127 to 3198. Anyone who can reach that port could use it to relay traffic through the infected machine or to run code on it.
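The port range above is the one thing in the article an administrator can act on directly. The following is an added example, not code from the original article or from any vendor quoted in it: a plain TCP connect check over 3127 to 3198 that an incident responder could run against a suspect host, plus an offline self-check that binds a harmless stand-in listener on loopback so the scan has something to find. The function names are hypothetical, and the loopback listener is a constructed fixture, not a real infection.

```python
import socket
from typing import List, Tuple

# Port range the article attributes to the Mydoom-A backdoor (3127..3198 inclusive).
MYDOOM_BACKDOOR_PORTS = range(3127, 3199)


def open_tcp_ports(host: str, ports=MYDOOM_BACKDOOR_PORTS, timeout: float = 0.2) -> List[int]:
    """Return every port in `ports` on `host` that completes a TCP handshake.

    This only proves something is listening, not that the listener is the worm:
    treat a hit as a lead for host inspection, not as a verdict.
    """
    listening = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise.
            if s.connect_ex((host, port)) == 0:
                listening.append(port)
    return listening


def classify(listening: List[int]) -> str:
    """Turn a scan result into a one-line triage label for a ticket or report."""
    if not listening:
        return "clean: nothing listening in 3127-3198"
    return "suspect: listener(s) on " + ", ".join(str(p) for p in listening)


def _bind_first_free(host: str, ports=MYDOOM_BACKDOOR_PORTS) -> Tuple[socket.socket, int]:
    """Constructed test fixture: bind a listening socket to the first free port in `ports`."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except OSError:
            s.close()
            continue
        s.listen(5)
        return s, port
    raise RuntimeError("no free port in the range on this host")


def self_check(host: str = "127.0.0.1") -> Tuple[int, List[int]]:
    """Offline demonstration: start a stand-in listener on loopback inside the
    backdoor range, scan the range, and return (listener_port, ports_found).

    The kernel completes the handshake into the listen backlog, so the scan's
    connect() succeeds without the fixture ever calling accept().
    """
    srv, port = _bind_first_free(host)
    try:
        found = open_tcp_ports(host)
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = self_check()
    print(f"stand-in listener bound to {port}; scan found {found}")
    print(classify(found))
```

Against a real host, call open_tcp_ports("<address>") and follow up any hit on the machine itself (which process owns the socket, what it does with a connection); a closed range says nothing about infection on a host behind a firewall that drops rather than rejects the connections.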
The worm writer may have targeted SCO's Web site to divert attention. Or he could "just be sympathetic to the open source community," Cluley said.
SCO has not explicitly accused the open source community of being behind the worm, but the Unix vendor has made insinuations.
"We have our suspicions, but we don't have any concrete evidence," Stowell said. "This is an ongoing family feud, so to speak. When you have a family feud, it's no mystery about who is causing problems. We saw a number of things over the weekend that add insult to injury by the Linux community in some cases."
Meanwhile, no major figure in the open source community has publicly condemned the attacks. Stowell said that SCO has found the open source community's silence deafening.
"We believe many in the Linux community have been mysteriously silent and are not condemning these actions ... and are sitting on the sidelines cheering on the results," Stowell said.
Some in the open source community have addressed the issue. In fact, Bruce Perens, a Linux luminary, posted a message on his personal Web site last week implying SCO may have been involved with the attack itself.
"SCO also has a reason to defame us," he wrote. "Such a company would not balk at attacking their own site in order to paint their opponents in a bad light."
That being said, Perens does urge people in the open source community not to cheer the attacks: "Our community believes in freedom of speech, not silencing our opponent's speech through Net attacks. We will defeat SCO using the truth, not by gagging them."
Stowell doesn't buy Perens' logic. "We find it laughable that Bruce Perens would suggest that SCO would create a virus, propagate it on the Internet, infect thousands of computers, offer a reward and invite the FBI into our offices to investigate," he said. "It's completely laughable. It's tough to address why he'd even make a comment like that."