The main SCO Group Web site (www.sco.com) was made inaccessible on Sunday, as expected. However, SCO announced Monday that it will shift its Web site to another domain, www.thescogroup.com, as the destination for the company's Web site through the end of Feb. 12.
The outage, almost certainly the result of a massive distributed denial-of-service (DDoS) attack from computers infected with the MyDoom.A worm, began Sunday in the Far East. By Saturday midnight, SCO's main site was down.
Meanwhile, industry analysts said the Internet itself was mostly unaffected by the DDoS attack. Netcraft Ltd. of Bath, England, noted that “[g]enerally, conditions on the Internet [on February 1] seem very acceptable at the moment, with few hosting company sites experiencing failed requests. This contrasts markedly with forecasts from Anti-virus companies and this morning's press release from SCO which reported the Internet as being overwhelmed,” a posting said.
In addition, Symantec Corp., the Cupertino, Calif.-based antivirus and utility company, said “there has been no significant rise in global Internet traffic.”
By the end of Sunday, February 1, SCO had removed the www.sco.com entry from its Domain Name System (DNS) records. Because the name no longer points to an address, the attack traffic has nowhere to go beyond the infected computers.
At the same time, SCO left an old alternate address, www2.sco.com, in place. The page responds quickly, but its links to SCO products still go to www.sco.com and www.caldera.com (Caldera is a corporate ancestor of the current SCO Group), so these pages are still inaccessible.
Some observers suggested, as some did when SCO was knocked out by DDoS attacks in December, that the DDoS did not force SCO's site off the net. For example, Pamela Jones, in a recent article on her SCO news site Groklaw, wondered about the connection between SCO statements and attacks. “Am I misremembering or has anyone else formed the impression that every time Darl [McBride, SCO CEO] gratuitously makes a public statement about SCO being attacked, within a short time, there is some kind of alleged attack?”
SCO's manager for public relations, Marc Modersitzki, insisted, however, that its main site is under attack. “Our pipe was full.”
Sarcastically, Modersitzki commented: “We didn't want to watch the Super Bowl, so we created this.”
Netcraft's performance graphs for SCO also showed the site performing poorly as early as Friday afternoon.
A week after its arrival, the infection rate for the MyDoom worm seems to be running out of steam. According to Symantec, at its peak, MyDoom was spreading at a rate of 150 infections per hour. On Friday, Jan. 30, the rate dropped to 100 infections per hour, and on Monday, Symantec Security Response was tracking infections at 80 infections per hour. Still, the Symantec report said: “Although the infection rate appears to be tailing off, this could be because most businesses are closed on weekends.” And, with SMTP traffic still quite high, Novarg still appears to be propagating “almost entirely via e-mail” and not by the Kazaa peer-to-peer file-sharing system.
A second DDoS attack, from the MyDoom.B variant of the worm, is expected against both Microsoft and SCO on Tuesday. However, security experts said this attack is not expected to be serious due to the limited distribution of the MyDoom.B worm in the wild. Indeed, Symantec reports that the firm has seen “less than a dozen submissions of the B variant.”