Utah firm's Web site in e-worm's cross hairs
Date: January 29, 2004
Source: The Salt Lake Tribune
By Bob Mims
A malicious new e-mail worm spread like a firestorm Tuesday, infecting millions of computers worldwide and setting up a potentially devastating attack on a controversial Utah company's Web site.
Rivaling last August's infamous Sobig.F, the worm -- variously dubbed "Mydoom," "Novarg" and "Worm.SCO.A" -- exploded onto the Internet. Global e-mail security provider MessageLabs reported the virus compromised more than 1.2 million PCs in its first 24 hours -- 200,000 more than Sobig.F had at the same point.
By midday Tuesday, the worm's pace had slowed to about half what Sobig.F reached on its second day, but it still had infected more than 5 million computers in 168 countries, security experts said.
"It may not end up being the worst [worm] we've ever seen, but it is spreading quickly and is having an impact worldwide," said Alfred Huger, senior director of engineering for the antivirus company Symantec. "It is more robust than past worms we have seen."
Hidden in the worm is a time bomb with Lindon-based SCO Group's name on it: On Feb. 1, the virus will instruct infected computers to flood SCO's Web site with a barrage of commands in a so-called "Denial of Service" (DoS) attack that could crash the site.
SCO launched the first counterattack Tuesday, offering a reward of up to $250,000 for information leading to the arrest and conviction of those responsible for the worm.
The company's Web site has been brought low by several DoS attacks in the 10 months since it sued IBM for up to $50 billion, alleging Big Blue had distributed versions of Linux containing SCO's proprietary Unix code. SCO angered the pro-Linux "open source" community when it then demanded that users of the freely distributed operating system buy licenses from SCO -- or face potential litigation.
"The perpetrator of this virus is attacking SCO, but hurting many others at the same time," said Darl McBride, SCO's president and chief executive. "We do not know the origins or reasons for this attack, although we have our suspicions."
Following past DoS attacks, SCO executives have openly suggested extremists within the open-source community were responsible. Bruce Perens, a leader in the international network of Linux developers, was skeptical of such allegations then -- and on Tuesday.
He suggested the worm was created by spammers, using the DoS command to divert attention from their intention to hijack infected PCs; or, that SCO itself released the worm.
"This is either misdirection or an attempt to defame [open source]," Perens said. "But I don't really see this as coming out of our community."
The worm's spread immediately drew the attention of the FBI's Cybercrime Unit, which acknowledged it is investigating in cooperation with the U.S. Secret Service and other law enforcement agencies.
"We have our agents working together with other agencies to determine if there was a federal violation, and if so, what we can do about it," said George Dougherty, spokesman for the FBI's Salt Lake City office.
As for its origins, MessageLabs noted on its Web site that it had identified the e-mail containing the first copy of the virus as being sent from Russia.
Millions of e-mail users awakened Tuesday to find their in-boxes clogged with error messages containing such subject lines as "Mail Transaction Failed" or "Test," among others. Opening the messages can further spread the worm, which, while infecting only machines running the Windows operating system, can still affect other PCs through network slowdowns and mountains of bogus messages.
In Utah, while e-mail traffic visibly slowed, no major servers were reported overwhelmed, as had been the case for some during Sobig.F's heyday.
"We were pretty busy this morning, but after we identified the characteristics of the worm, it was easy for us to stop it from flowing throughout our e-mail server," said Pete Ashdown, owner of Xmission, a Salt Lake City-based Internet service provider.
Added Chad Lake, facilities director for the School of Computing at the University of Utah: "It hasn't had a lot of impact. It has been a burden on our e-mail systems, but we've gotten by all right."
There is no doubt the DoS attack scheduled to hit SCO Group's Web site Sunday could be catastrophic in scope, said Jimmy Kuo of the McAfee antivirus company's Alert Team.
"The automated DoS attack, depending on the number of machines out there affected, should easily bring down SCO," Kuo said, adding that the digital barrage is programmed to last up to 12 days.
He called the worm's author "an experienced hacker," noting he or she deliberately programmed the virus to avoid contacts with military and government servers.
But the worst could still be ahead, even when the SCO attack subsides. Both Kuo and Huger discovered the worm's encrypted code opens up a back door to PCs not protected by antivirus programs -- a port that could be used for an almost endless variety of nefarious tasks. "Anyone, upon scanning for and finding a machine with this particular port open, can then commandeer those machines and make them do whatever they want," Kuo said.
Huger agreed: "This worm turns your PC into an Internet gateway, and that makes it a serious problem -- not just in terms of the impact it will have in the next couple weeks [on SCO] but the problems it could cause for months and even years to come."