The computer virus MyDoom.B is programmed to launch an attack against Microsoft’s website, www.microsoft.com, on Tuesday, but anti-virus experts believe it has infected too few computers to cause any major disruption.
The US software company SCO has not been so lucky. It was the target of the first MyDoom virus and on Sunday an army of infected computers launched a massive assault on SCO’s site, forcing it off the internet.
This first version surfaced on 26 January and rapidly spread to millions of computers – analysts say it is the fastest-spreading computer virus yet seen. MyDoom.B appeared two days later but has so far resulted in considerably fewer reported infections.
Both viruses spread via email, as an attachment to a bogus technical message. If the attachment is opened, the viruses send themselves to all the addresses in the user’s address book. They also capture keystrokes and plant a program that could be used to control an infected machine remotely.
Clock error
The original MyDoom was programmed to use infected machines to block access to the site www.sco.com by bombarding it with fake requests. This so-called distributed denial of service attack was timed to start at 1609 GMT on Sunday. However, SCO’s website first became inaccessible earlier than this, possibly because the clocks on many infected computers are set incorrectly.
A few hours into the attack, at about 1900 GMT, SCO removed www.sco.com from the domain name system (DNS), effectively deleting the site in order to neutralise the attack. Computers contact DNS servers to look up the internet protocol address of a web server from its domain name.
In this instance, www.sco.com resolves to the address 216.250.128.12. Removing www.sco.com from the DNS means all traffic, including denial of service requests, will be rejected by the first DNS server a computer contacts.
SCO has upset some companies and individuals by claiming that its copyrighted code appears in the free operating system Linux and demanding royalties from them. The assault on SCO is expected to last until 12 February. Until then, SCO has said it will use the alternative domain name www.thescogroup.com.
Weathering the storm
Mike Prettlejohn, director of UK web monitoring company Netcraft, says it might be possible for a company like SCO to fend off a massive network attack, rather than simply shutting its site.
Requests could be redirected to a company with sufficient resources to cope with the incoming deluge, he suggests, or copies of the site could be sent to distributed servers located around the world. But both approaches would be expensive and so only worthwhile if it was financially important to keep the targeted site alive.
Prettlejohn says Microsoft, which has formidable resources of its own, may decide to weather a surge of traffic from systems infected with MyDoom.B. “If they think they can get away with it they’ll try to,” he told New Scientist. “Millions of people already use their site every day.”
But anti-virus experts say MyDoom.B has infected far fewer computers than its predecessor. “We’re not expecting Microsoft to have a problem,” says Graham Cluley, senior technology consultant with UK anti-virus company Sophos. He says MyDoom.B does not appear to be “in the wild”, meaning anti-virus companies are not detecting new infections.


