January 27, 2004

New PC Virus Targets SCO's Web Server

From CNet.

"Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group's Web server, starting Feb. 1, a virus researcher said on the condition of anonymity."

In other words, your computer is hijacked and used to participate in a Denial of Service attack on SCO's website.

According to Network Associates, Inc., this bug is a variant of the Mimail virus, arriving as an email with an attachment that looks like a text file to an unwary observer. Its payload is 22,528 bytes. It affects multiple Windows platforms: 95, 98, ME, NT, 2K, and XP. When the infected file attachment is opened, it installs a program that the attacker can use to open a sort of "back door" on the system. Attackers exploit the opening by installing additional programs onto the compromised machine; this also allows the intruder to hide the source of his attack by routing his connection through the infected computer.

Nasty, huh?

If you use Kazaa, the virus also copies itself into the program's download directory. According to the CNet article, the virus camouflages itself "using one of seven file names". Among these are Winamp5, RootkitXP, Officecrack, and Nuke2004. The body text of the messages often has a variation of this message: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Obviously, mail systems that remove executable email attachments can be used to halt the advance of this malicious code.
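The kind of gateway check that paragraph describes, as an added example that is not part of the original post: it parses one message, quarantines it when an attachment carries an executable extension (even one hidden behind a text-looking name such as readme.txt.pif), and records the other indicators the post lists, the known body text and the 22,528-byte payload, as supporting evidence. The sample message and the extension block list are constructed assumptions, not taken from the article.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway block list of extensions Windows runs on double-click
# (not from the article).
EXEC_EXTS = {".exe", ".pif", ".scr", ".bat", ".cmd", ".com"}
KNOWN_BODY = "cannot be represented in 7-bit ascii encoding"
KNOWN_SIZE = 22528  # payload size reported by Network Associates

def classify(raw: bytes) -> dict:
    """Return a verdict plus the indicators that fired for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if KNOWN_BODY in text:
        hits.append("known_body_text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Check every suffix so 'readme.txt.pif' is caught, not only the last.
        suffixes = ["." + s for s in name.split(".")[1:]]
        if any(s in EXEC_EXTS for s in suffixes):
            hits.append(f"executable_attachment:{name}")
        payload = part.get_payload(decode=True) or b""
        if len(payload) == KNOWN_SIZE:
            hits.append(f"payload_size_{KNOWN_SIZE}:{name}")
    block = any(h.startswith("executable_attachment") for h in hits)
    return {"action": "quarantine" if block else "deliver", "indicators": hits}

def build_sample(filename: str = "readme.txt.pif", size: int = KNOWN_SIZE) -> bytes:
    """Constructed sample resembling the described mail (not a real specimen)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Error"
    m.set_content("The message cannot be represented in 7-bit ASCII encoding "
                  "and has been sent as a binary attachment.")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(classify(build_sample()))
```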

The article touts this as a backlash against SCO. An informal poll I conducted among co-workers this morning yields derisive laughter, which at least supports the reports of general ill-will toward the struggling company. Their server has already been brought down two or three times with Denial of Service attacks. Don't misunderstand me; as little as I respect Darl McBride and his predatory demeanor toward the LINUX community, I don't believe that any company should have its business disrupted this way.

Still, I'd be surprised to learn that Mr. McBride hadn't expected this sort of reaction, which makes me wonder at the implied vulnerability of SCO's web server(s). Multiple DoS attacks would make me take a look at my network and provide multiple pipes into my domain so that I couldn't be easily taken down by an outside attack. I'd over-provision with redundant servers and multiple routes.

But that's just me. Maybe SCO has done this. Maybe they haven't. I don't know. I don't (wouldn't want to) work for their IT team.

The February 1st date is interesting. On the surface, it seems arbitrary, but I wonder if it corresponds to some piece of LINUX or UNIX history? For example, the UNIX Time-Sharing System (v8) was introduced in February of 1985, and the version that immediately preceded FreeBSD's inclusion in Mac OS X was also a February 1999 release. (I'm talking about v 3.1. FreeBSD v 3.2 was used in Mac OS X, and did not come out until May of that year. I'm stretching, I know. /tinfoil hat)

What this all says to me is that there are some people out there who are seeing themselves as cyber Robin Hoods. They're going to take on SCO, which they must perceive as some sort of emblem of corporate corruption. These e-wolves' heads think they can effect change and deliver a message through their hacking.

Romantic thought. Wrong way to go about it. The joke is on the script kiddies. See, SCO isn't doing anything illegal with their lawsuits. Yes, the ethics can be debated, but that's another horse for another day's ride. By distributing this code and hijacking people's computers, the hackers are committing cyber crime. Once the FBI gets hold of them, they'll be up on some hefty charges.

Frankly, I won't feel so much as a drop of sympathy. The cyber bandits aren't doing anything noble; they're just being stupid. SCO has already doomed itself with its actions. If the company survives the coming days, it'll take them years to recover. Don't give them any legal ammunition--even if they could use at least one supportable legal assertion.

So, be wary. Don't open any attachments you didn't solicit. Scan the ones you did. Protect your property.

Be careful out there.


posted by Linda at 06:04 PM : Comments (2)