Mydoom Shows Vulnerability Of The Web


February 2, 2004

Network Computing

Mydoom's success at forcing software company SCO Group Inc. to take down its Web site, despite knowing days in advance that the virus would launch a denial of service attack over the weekend, demonstrates that no company is safe from such large-scale assaults.

An army of infected computers estimated at between 25,000 and 50,000 machines began bombarding the SCO web server with requests for its homepage Saturday evening. By midnight EST, the bogus traffic made the site inaccessible despite efforts by the company's technical staff to fend off the attack, which experts say was the largest of its kind ever.

An hour later, SCO removed the site from the Internet's global directory, and later advised customers and business partners that its address had been changed from www.sco.com to www.thescogroup.com. The attack on the original site was set to continue until Feb. 12.

The success of the assault demonstrates that any company's web site is vulnerable to viruses capable of turning infected machines into zombies ready to perform the bidding of the malicious code's author.

"We have never seen an attack on this scale from a virus, because we've never seen a virus infect so many machines," Craig Schmugar, virus research manager at anti-virus software maker Network Associates Technology Inc., said Monday. "For any business out there, including some very large web sites, if enough machines are attacking, it's going to have an ill effect."

Options companies have in fending off a denial of service attack include increasing bandwidth to handle the spike in traffic, experts say. However, that option is expensive and may not be feasible for many companies.

"In some cases, you might be able to filter the traffic ... but in this case you have machines from all over the world," Steve Trilling, senior director of research for security company Symantec Corp., said.

The next target listed in the code of Mydoom.B, a variant of the original virus, is Microsoft Corp. However, that attack, scheduled to start at 2:19 a.m. EST Feb. 3, is not expected to have much success because very few machines were infected with the second virus.

The original Mydoom is estimated by some experts to have infected a half million machines, while the variant infected substantially fewer. Both worms, which are a type of virus, were released last week.

"We're talking about hundreds of thousands of infected machines (with the original Mydoom), as opposed to only hundreds of systems infected with the B variant," Schmugar said. "I wouldn't expect Microsoft to suffer even a slowdown."

Even more troubling for many experts than the latest attacks is Mydoom's ability to plant "backdoors" in infected machines. Such programs enable hackers to commandeer the machines to distribute spam, launch more attacks or steal passwords and financial information from computer hard drives.

The mi2g Intelligence Unit security group in London estimated Sunday that the Mydoom worm had caused $38.5 billion in economic damages worldwide, making it the most expensive computer virus ever. The SoBig virus was estimated to have caused $37.1 billion in damages.

D.K. Matai, executive chairman of mi2g, said the success of Mydoom, despite a week's worth of advance knowledge and the involvement of the U.S. Department of Homeland Security in issuing virus alerts, showed how easily a genuine cyber-terror hostile attack could be launched and sustained.

Microsoft and SCO have each offered a $250,000 reward for the arrest and conviction of the Mydoom author. The companies also are assisting the Federal Bureau of Investigation and the U.S. Secret Service in their investigation of the virus. Interpol, an international police organization, is also investigating.

Some Internet observers have speculated that SCO was the target of Mydoom because of the company's legal challenge to the open-source operating system Linux, which the company claims contains its copyrighted code. SCO's lawsuits have angered the Linux community and its supporters.

However, members of the Linux community have denied involvement, claiming someone may be trying to discredit the group's work.
