February 05, 2004, 12:00 AM — No matter hard you try, sometimes it's just not possible to prevent --
well, lets call it an anomaly. Even when you know it's coming.
SCO, the Utah-based company that believes it owns Unix and has been
suing the pants off Linux devotees for allegedly infringing on the Unix
kernel, is having some difficulties of its own. Payback from the Linux
community? Who's to say?
That miserable "Mydoom" or "Novarg" virus, the one that's giving your
e-mail system fits lately, apparently was programmed to hunt down and do
vary bad things to SCO's Web site. The coordinated attack bombarded the
SCO site with hundreds of thousands of requests, crippling the site.
Indeed, while Janet Jackson was exposing herself during half-time at the
Super Bowl, I was at my PC, trying to access the SCO site. I was
unsuccessful. In fact, at noon the next day, I still couldn't get any
response from the SCO site.
I guess it's one thing if your (or your customer's) site is merely
informational or a place where users come to download an occasional
update or patch. But if the site is transactional in nature (bank,
travel agency, commerce, etc.), a business literally comes to a
screeching halt. That is a very bad thing.
But here's the interesting part: SCO knew the attack was coming and was
still powerless to do anything about it.
One of the companies who follow this sort of thing is Symantec, purveyor
of various antivirus and antispam products (perhaps they fall short of
bring described as a "solution"). As of Feb. 1, the Symantec Security
Response (SSR) team logged the following W32.Novarg.A@mm/MyDoom
-- Total submissions: 15,930. At its peak, Novarg was spreading at a
rate of 150 infections per hour. On Friday, Jan. 30, it was spreading at
a rate of 100 infections per hour. As of Feb. 2, SSR is tracking 80
infections per hour. Although the infection rate was tailing off, this
could be because most businesses are closed on weekends.
-- Novarg still appears to be propagating -- almost entirely via e-mail,
but most of it is being caught at customers' perimeter.
-- There has been 4,857 unique IPs scanning for Novarg backdoors running
on TCP 3127. This is one place where security scanners look for
The volume of Internet traffic attempting to access the SCO Web site
began to rise Saturday night, flooding the company's Web servers just
after midnight. Essentially, hundreds of thousands of computers were all
trying to access www.sco.com simultaneously and repeatedly. No company,
not SCO, not Microsoft's, not yours, and not your customers' can handle
that amount of bandwidth. Like a human body shutting itself down as it
rejects a transplanted heart, SCO's Web site threw it's binary hands up
in defeat, and rolled over.
Forget that this is probably the Linux community beating up its sworn