This Sunday, as American football fans await the Super Bowl broadcast, a slow-motion, digital wave will be building on the Internet, a result of the recent MyDoom worm attack. Following the worms dissection by security analysts, the world knows a distributed denial-of-service attack is coming, but theres little that can be done to stop it.
Heres how Sundays distributed denial-of-service attack will proceed: At midnight of the international date line the Windows computers infected by the MyDoom.A and MyDoom.B worms will begin to send large numbers of Web requests to the Web site of The SCO Group, the Lindon, Utah-based Unix vendor; the wave will begin in the far east and move westward around the world. Such a large quantity of requests will overwhelm SCOs Web server, making the site unavailable.
From the data gathered by security researchers, the scope of the attack is in question. Individual MyDoom.A victims may or may not be part of this attack.
According to Symantecs research, only 25 percent of infected systems may participate in the attack. And since there appear to be very few MyDoom.B infections remaining in the wild, the number of systems performing the attack looks to be many fewer than had been feared.
Still, at the height of the MyDoom.A infection early in the week, some 1 in every 12 messages were infected, according to New York e-mail security company MessageLabs Inc. The company said that its filters had stopped more than 8 million copies of the worm by Friday.
So if only 25 percent of infected computers launch the expected DDoS attack, that will still be a very large number of machines. Thus its unlikely that SCOs Web site will stay up and running. The attack is scheduled to continue until February 12.
On February 3, a similar attack will form against Microsoft from computers infected with MyDoom.B. However, major antivirus vendors reported that the infection rate for MyDoom.B was much less than the earlier worm, which it is believed infected hundreds of thousands of systems.
Trend Micro Inc. of Tokyo, a leading enterprise antivirus company, reported seeing exactly one MyDoom.B-infected system in the wild as of Friday afternoon.
While it would appear at this point that MyDoom.B is a bust, Ken Dunham, director of malicious code at security intelligence firm iDefense Inc. of Reston Va., pointed out that MyDoom has a variety of means to update itself, so its possible that there are more MyDoom.B infections out in the public than can be verified at present.
What Can Individuals and
Strictly speaking, the attack will actually begin, if it hasnt already, some time before February 1, since many computers have misconfigured or erroneous system clocks. For the same reason, some computers may never finish their attacks. But the vast bulk of the attack will happen on schedule.
As the Bath, England-based security analysis and consulting firm Netcraft Ltd. pointed out, Microsoft has had some success in the past deflecting such DDoS attacks, such as the Blaster worm last August.
In that case, part of Microsofts strategy was to shift the front-end handling of requests to their Web sites onto Akamai Technologies Inc., a Cambridge, Mass. content-distribution network (CDN) that runs its services on Linux. Microsoft was pragmatic enough to accept the minor embarrassment of having the companys servers appear to be running on Linux. The message boards at Netcrafts Web site pointed out that such a recourse would be a bitter pill indeed for SCO to swallow, given its legal campaign against Linux and open-source software products.
So what will individual Internet users see on Sunday? It will depend on their location and if their computers are infected with MyDoom.A.
If a computer is infected, theres a good chance that its performance will seem sluggish and the Internet connection congested, depending on the speed of the computer and its configuration. If a particular system is uninfected, its still possible that other infected machines on the local network could use enough bandwidth to slow the networks Internet connection.
If a serious attack occurs Tuesday against Microsofts Web site, more people could be affected because Microsofts site is commonly used by its customers for information and software downloads.
Analysts said that infected systems remaining in corporate installations will betray themselves quickly on Sunday, and IT administrators should be able to locate them easily by tracing back the requests to www.sco.com in their log files.
A wave of these requests will also occur on Monday morning when computer users return to work and turn on their systems.