MyDoom downs SCO site

The computer virus knocks out SCO Group's Web site, and the company expects the massive denial-of-service attack to continue until Feb. 12.

Jeff Pelline Staff Writer, CNET News.com
Jeff Pelline is editor of CNET News.com. Jeff promises to buy a Toyota Prius once hybrid cars are allowed in the carpool lane with solo drivers.
Jeff Pelline
4 min read
The MyDoom computer virus knocked out SCO Group's Web site on Sunday, and the company expects the massive denial-of-service attack to continue until Feb. 12.

On Monday, SCO began directing customers, developers and others to a new Web site, www.thescogroup.com, which it says will be in effect over the next two weeks.

SCO said an onslaught of data had made its usual Web site, www.sco.com, "completely unavailable." The attack began Saturday night and by Sunday morning the software company's site was completely flooded with requests, Utah-based SCO said.

"This large-scale attack, caused by the MyDoom computer virus that is estimated to have infected hundreds of thousands of computers around the world, is now overwhelming the Internet to requests www.sco.com," Jeff Carlon, SCO's director of information technology, said in a statement Sunday.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

SCO had posted the statement on its Web site. But at 7 a.m. PST Sunday, the site could not be accessed. SCO spokesman Blake Stowell read the company's statement from his home in Utah.

"We expect hundreds of thousands of attacks on www.sco.com because of these viruses," Carlon said in a statement Monday. "Starting on Feb. 1 and running through Feb. 12, SCO has developed layers of contingency plans to communicate with our valued customers, resellers, developers, partners and shareholders."

While infected PCs were supposed to start inundating the main SCO Web site with data starting at 4:09 p.m. GMT (8:09 a.m. PST), the site had been nearly inaccessible for a 16-hour period prior to the scheduled start of the attack, according to Internet performance measurement firm Netcraft. The outage could have been due to a large number of infected computers having their clocks set to the wrong time.

SCO confirmed that the site had been deluged with data hours earlier than the official start of the attack. "Internet traffic began building momentum on Saturday evening and by midnight eastern time the SCO Web site was flooded with requests beyond its capacity," the company said in its statement.

The speed and severity of the attack surprised security officials. "This is the biggest single (denial of service) attack ever," Mikko Hypponen, director of antivirus research at F-Secure, wrote in an update on the security company's Web site. "We estimate the total amount of infected computers to be over one million. Of those, only the computers that have been rebooted (or infected) today are actually attacking."

SCO had been targeted for the denial-of-service attack last week. At the time, SCO had said it hoped to keep its Web site running and had contingency plans in place. In its statement Sunday, the company said it would wait until early Monday to communicate them.

"We didn't expect a lot of business on Super Bowl Sunday," Stowell said, explaining the reason to hold off on the contingency plans. The site attracts an estimated hundreds of thousands of users each week, he said. The site is used to communicate information about SCO as well as provide software updates and patches.

SCO has incurred the wrath of the Linux community for its claims that important pieces of the open-source OS are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

SCO has offered a $250,000 bounty for information leading to the arrest and conviction those who are responsible for the virus.

MyDoom is one of the fastest-growing worms ever. The bug raced onto the Internet on Monday, quickly clogging e-mail servers. Some analysts speculate the worm is of Russian origin.

A variant of MyDoom is expected to attack Microsoft's main Web site on Tuesday. Microsoft also has offered a $250,000 bounty to catch the worm's perpetrator.

The attack aimed at Microsoft by computers infected with the B variant of MyDoom is not expected to have as much effect because that version hasn't spread as widely, said Vincent Weafer, a senior director at computer-security company Symantec.

"Really, we are seeing very little of the B variant," he said.

The original virus, which only attacks the SCO site, is continuing its attempts at spreading, he added. During the height of the epidemic, the company received about 150 submissions of the virus every hour from companies and home users. Now, Symantec is seeing about half that rate of submissions, mainly from home users.

"The virus is not dropping off as fast as we had expected," he said.

CNET News.com's Robert Lemos and Jon Skillings contributed to this report.