[Dshield] MyDoom-A/B

Pete Cap peteoutside at yahoo.com
Mon Feb 2 13:12:03 GMT 2004


John,

Think sneakier.
SCO is claiming that the Open Source community in general represents a threat to truth, justice, and the American Way.  They want to paint a picture of Linux users as renegades who do not care for standard business practices.  With this in mind it would make sense for them to release a "pro-Linux / anti-SCO" virus and target themselves.

Did anyone else hear that the code contains some message along the lines of "Sorry, nothing personal, I'm just doing my job."?

Is the author that much of a jerk, or was he paid to write this?

Hmm...

Regards,
Pete

John Sage <jsage at finchhaven.com> wrote:
All:

On Sun, Feb 01, 2004 at 09:34:19AM -0500, Johannes B. Ullrich wrote:
> From: "Johannes B. Ullrich" 
> To: list at dshield.org
> Date: Sun, 01 Feb 2004 09:34:19 -0500
> Subject: [Dshield] MyDoom-A/B
> 
> 
> Well, mydoom a & b are now in full swing dDOS'ing sco.com and
> microsoft.com respectively.
> 
> At this point, it looks like 'www.sco.com' is down, but Microsoft.com
> doesn't show an impact so far.
> 
> At least Rogers appears to have changed the sco.com DNS record to
> 127.0.0.1. I haven't heard reports from other ISPs, but if you could
> check please and let me know if your ISP is using this to reduce the
> damage on its own infrastructure.

Before a lot of people start buying into SCO's FUD that they've "been
knocked off the Internet" check out Netcraft's latest "Performance"
update:

http://news.netcraft.com/


Posted by mhp at 09:27 PM UTC on Feb 1, 2004 in Performance:

"Further corroboration of the generally good connectivity across the
Internet can be seen by viewing www2.sco.com, which is on the same
Class C that www.sco.com occupied until earlier this
evening. http://www2.sco.com/ loads very quickly to the eye, and the
traceroute seems very good considering the circumstances.

"A graph of performance of www2.sco.com has just started
appearing, while a comparative table of performance of some of the
sites connected with the MyDoom virus is also available. Each is
updated every fifteen minutes.

"Note that sco.com and caldera.com, which both shared the same ip
address as www.sco.com are still down, possibly because of stale DNS
caching, or perhaps simply because the machine that ran those sites
has been shut down.

% host sco.com
sco.com has address 216.250.128.12
% host www.caldera.com
www.caldera.com has address 216.250.128.12

"The most recent Web Server Survey found some 58 hostnames running web
sites that resolved to this ip address, and one would presume that SCO
is unconcerned about their availability, since it would have been
possible to give www.sco.com its own ip address in the prelude to the
DDoS."



Why would SCO be "unconcerned about their availability"?

Microsoft seems to have been able to cope with this sort of thing
in the past, and presumably will again, very shortly.

Why is SCO so eager to be "downed"?

Having www.sco.com down wouldn't feed into their PR campaign against
Linux, would it?



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
