As the virulent MyDoom worm races across the Internet, building an army of computer zombies
potentially 500,000 strong, The SCO Group, Inc. is setting a $250,000 bounty on the virus
author’s head.
SCO, an embattled player in the Linux market, reported today that it is experiencing a
distributed denial-of-service attack related to the MyDoom worm that first hit the wild on
Monday. The Lindon, Utah-based company is offering the reward for information leading to the
arrest and conviction of the virus author or authors.
“During the past 10 months, SCO has been the target of several DDOS attacks,” reports Darl
McBride, president and CEO of The SCO Group, Inc., in a written statement. “This one is
different and much more troubling, since it harms not just our company, but also damages the
systems and productivity of a large number of other companies and organizations around the
world.
“The perpetrator of this virus is attacking SCO, but hurting many others at the same
time,” he adds. “We do not know the origins or reasons for this attack, although we have
our suspicions. This is criminal activity and it must be stopped.”
SCO, which has been embroiled in legal wranglings over Linux and open source issues, also
reports that it is working with the U.S. Secret Service and the FBI to figure out the
identity of the virus writer.
MyDoom, by many accounts, has become the fastest spreading virus ever, even surpassing
Sobig-F, which tore up the Internet late last summer. Mi2g, a security analysis company
based in London, reports that the worm, in just 48 hours, has caused $3 billion in damages
worldwide, and has spread to more than 170 countries.
The mass-mailing worm, also known by some security companies as Novarg, hit the wild on
Monday and has been racing around the globe infecting computers with backdoor trojans and
proxies. And Steve Sundermeier, vice president of products and services at Central Command
Inc., an anti-virus company based in Medina, Ohio, says at its peak yesterday MyDoom
accounted for one in every six emails. Wednesday morning it was down to one in every eight
emails.
At its peak, Sobig-F accounted for one in eight emails.
Sundermeier also notes that they’re estimating that the worm has successfully compromised
450,000 to 500,000 computers around the world. All of those machines now could be used to
point a DoS attack against SCO.
“MyDoom looks like it has peaked but we’re still getting pounded with intercepts,” says
Sundermeier. “It’s still spreading like wildfire. It’s going to be damaging to SCO
potentially, but it also has the ability to drop the proxy server to set up each infected
machine for future trouble and spam.”
SCO could not be reached for comment by deadline.
The Central Command Web site has posted a description for the first MyDoom variant —
MyDoom-B. It notes that as of yet there is no sign of it in the wild.
MyDoom spreads via email and by copying itself to any available shared directories used by
Kazaa. It harvests addresses from infected machines, and generally uses the words ‘test’,
‘hi’ and ‘hello’ in the subject line.
Analysts say MyDoom is spreading so quickly because it is successfully fooling users into
opening first the email and then the attachment. The email often disguises itself as an email
that the user sent that has bounced back. The user, wanting to know why the email failed,
opens it up and then sees a text file icon, instead of the icon for an executable.
MyDoom also sets up a backdoor trojan in infected computers, allowing the virus writer or
anyone else capable of sending commands to an infected machine to upload code or send spam.
The worm has a kill date of Feb. 12. That is leading some analysts to suspect that variants
are being prepared to follow on the heels of the first one.