The SCO.com Web site returned to the Internet last week after suffering a denial of service attack that lasted for more than a month.
The SCO Group Web site was the main target of the MyDoom worm, which is a variant of the Mimail virus and was first discovered towards the end of January. The worm installed a back-door program that allowed infected PCs to be controlled remotely. The worm was designed to launch an attack on SCO's Web servers between 1 February and 12 February. However, because of incorrectly set PC clocks, the attack continued until the end of last week.
SCO has roused the ire of many in the software community because of a series of lawsuits related to its Unix intellectual property, and for attempts to force companies using Linux to pay licence fees to SCO.
The sheer ferocity of the attack caught SCO and security analysts by surprise and SCO's initial confidence in surviving the attack quickly diminished. Within hours, the SCO site was completely inaccessible, forcing the company to launch an alternative site to maintain its Web presence.
According to Finnish security company F-Secure, SCO attempted to revive the site on 27 Feb at 6:15 a.m. (GMT), but had to take it down again after 30 minutes.
Web site monitoring company Netcraft claims SCO.com was returned to the Internet on Friday evening and over the weekend -- it did experience two short breaks in service, but apart from that it has been performing well.
A spokesman at antivirus company BitDefender told ZDNet UK that although SCO's site was back, it could easily be sent down by another MyDoom-type worm: "Yes, at this moment, there is no attack on the SCO Web site anymore. To restart the attack it is simple: another version of the virus... It's just that," he said.
With virus authors apparently conducting a war of words through their worms' source code, F-Secure said a new attack would not be surprising: "As the new versions emerge -- three or even four in a day -- [a new attack] wouldn't be so difficult," he said.
Talkback
SCO pulled the plug on their website before the virus unleashed its DDoS payload - they removed the DNS record for their web server.
Then they started telling everyone that the virus had brought down their webpage.
For you to be suggesting that MyDoom was written by Linux users who were angry at SCO is unjust. Remember that most worm viruses these days originate from the former Soviet Union, and are typically designed to pass e-mail addresses, passwords, and credit card information to the Russian Mafia.
Analysis of the MyDoom virus has shown that it only uses the SCO webpage as a means of checking whether the computer it has infected has an active internet connection (by using a well-known, reliable website). Other viruses have been known to do this in the past.