http://www.canada.com/technology/story.html?id=6C29A5E1-9C5B-4EEC-BE98-0D3D5F0B434C

STEVE MERTL
Canadian Press
February 03, 2004

VANCOUVER (CP) - An assault on Microsoft Corp. web sites appears to have fizzled because hackers used a poorly written virus, a Canadian antivirus expert said Tuesday.

The attack by the Mydoom.B virus was supposed to start flooding key Microsoft web sites with access requests starting Tuesday afternoon. But instead of armies of so-called zombie personal computers unleashing the onslaught, the attacking force was relatively small.

"It seems like the attack was poorly coded and a complete failure," said Jack Sebbag, Canadian general manager and vice-president of Network Associates Inc. "It had less than 4,000 or 5,000 PCs trying to attack the web site. It's basically become an absolute non-issue for Microsoft."

A variant of the virus known as Novarg.A crippled the web site of Utah-based SCO Group on Sunday when more than 100,000 personal computers taken over by the worm swamped it in what's called a distributed denial-of-service attack.

Sebbag said that attack was continuing but appeared to be waning. "It's very tough to maintain the kind of assault that the worm is destined to accomplish," he said. "With each day that passes, with each hour that passes, more and more people are cleaning up the worm from their PCs by either not opening up the virus or finally updating their antivirus software."

Microsoft had already taken countermeasures, including alerting users of its products and setting up alternate web sites where those infected with Mydoom.B could get help to clean their systems.

No one from the Redmond, Wash., software giant was immediately available to comment but spokeswoman Amy Petty said in an e-mail that the company's web sites remained accessible.

"While we are unable to discuss the specific remedies we took to prevent the DDOS attack, we did make it a priority to ensure that Microsoft web sites, such as Windows Update, remained fully available to our customers," said Petty.

She also said a critical security update bulletin released for Microsoft's Internet Explorer program was not related to Mydoom.B. The update was aimed at closing another security loophole in Explorer, making it harder for hackers to steal web information such as user names and passwords.

Novarg.A and Mydoom.B used a different, if not entirely new, approach to attacking web sites. Previous well-known denial-of-service attacks such as Code Red and Nimda ordered zombie computers to overwhelm a site's numeric Internet protocol or IP address. That could easily be changed while retaining the web site's name, such as Microsoft.com.

Mydoom and Novarg went after the URL or universal resource locator, which includes the name itself, forcing victims to rename their web sites to blunt the attack. SCO set up an alternate site and Microsoft also gave customers another site to access in case its main sites were compromised.

"Think of it this way. If a burglar targets your home address it's unlikely you're going to move," said Michael Murphy, Canadian general manager of Symantec, which makes Norton antivirus software. "But if a crank caller continually calls your telephone number you can always get a new telephone number."

Sebbag, whose firm produces McAfee antivirus programs, said SCO suffered little actual harm despite the heavy attack because it was not doing much business on Super Bowl Sunday. "Had this happened to Microsoft on a weekday I'd imagine the cost would have been a lot more significant to that organization," he said.

But while the worst appeared to be over, Sebbag said that doesn't mean the Internet won't face another, perhaps better-written variant. "There may be a Mydoom.C or Mydoom.D."

Sebbag was also concerned the success of the SCO attack might encourage other "malicious code-writers" with a grudge to target organizations they don't like. It's believed SCO was hit because it's in a legal fight over aspects of Linux, a freely available operating system that some hope will challenge the dominance of Microsoft Windows.

"Eight, nine, 10 years ago, these were 13-year-old kids who couldn't get a date who were writing these worms," said Sebbag. "These are guys who are 21, 22 years old now with access to better tools and a fully populated Internet, with reasons to hate organizations or ties with certain political affiliates who now have the power to launch these type of attacks."