The virulent Mydoom worm paralyzed the SCO Web site yesterday as analysts called it the "most damaging" malware yet.
The "distributed denial-of-service" (or DDoS) attack against SCO began early on Sunday as Mydoom-infected computers worldwide followed instructions to send messages to www.sco.com, overloading the company's Web servers. It is one of the largest DDoS attacks on record, antivirus experts said.
In a statement, SCO confirmed the attack, saying that requests sent to www.sco.com from Mydoom-infected computers were responsible for making its Web site "completely unavailable" on Sunday. The company is working on "contingency plans" to deal with the DDoS problem, but would not have more information before Monday morning, SCO said.
UK Internet security firm mi2g sees the attack as an argument for computer biodiversity, that company's executive chairman DK Matai said: "The more we study MyDoom the more clear it becomes that the perpetrator is a clever strategist combined with being a sophisticated programmer.
"MyDoom is exposing the vulnerability of the collective global digital environment to a software monoculture. Had there been biodiversity in terms of many different operating systems and associated software, the world may have been saved the calamity of MyDoom.
"There could be more malware in the near future that could push the boot further than MyDoom and cripple airline services, telecommunications and other critical infrastructure," he warned, in a plea to expand the infrastructure of the Internet to widen the number of operating systems running it.
SCO's Web site was already slowed last week by traffic from Mydoom machines with incorrect clocks. However, the site became totally unreachable on Saturday, when infected machines in Asia began registering the new day, said Craig Schmugar, antivirus researcher at Network Associates' (NAI) McAfee antivirus division.
The attack is caused by thousands of infected machines sending "get" requests to SCO's Web servers simultaneously. That is akin to what happens when individual users point their Web browser to www.sco.com. The large numbers of machines requesting the site simultaneously produces the attack, overwhelming SCO's Web infrastructure, Schmugar said.
Estimates of the number of machines infected by Mydoom vary widely. F-Secure of Helsinki said that as many as one million machines may have the virus. NAI puts the number at around 500,000 systems.
However, for a variety of reasons, only a fraction of the machines infected by the virus are taking part in the attack, Schmugar said.
Machines that have been turned off for the weekend cannot attack. And due to a coding error in the virus, only around one in four machines that are running and infected will launch an attack, he said.
NAI estimates that between 25,000 and 50,000 machines were involved in the attack on www.sco.com Sunday, Schmugar said.
As of Friday, SCO was speaking with customers about its contingency plans and giving them ways to stay in contact with SCO during the attack. SCO would release more information about steps it was taking to deal with the Mydoom attack "on Sunday or Monday," Stowell said.
The Mydoom virus is programmed to continue its attack on www.sco.com until February 12, 2004, F-Secure said.