
Latest MyDoom Variant Gives Google Problems 607

Posted by simoniker
from the down-and-out dept.
Devil's BSD writes "It seems like the latest MyDoom worm variant has caused a bit of an Internet storm. Google, at this time (12:28 EDT), is returning 503 errors on all queries submitted from certain locations. The MyDoom variant searches the user's address book for email domains (i.e. @yahoo.com) and searches various engines (such as Google) for email addresses in that domain."

  • by Anonymous Coward on Monday July 26, 2004 @12:51PM (#9802725)
    Virus writers want to attack Microsoft or SCO, fine... but this... this is war! YOU DO NOT ATTACK THE GOOGLE!!!
    • by aardwolf204 (630780) on Monday July 26, 2004 @01:04PM (#9802921)
      Ahem, its TEH GOOGLE! get it right
      • Heh. This gives a whole new meaning to the phrase "Google Bombing" [wordspy.com]

        Doesn't seem like it would be all that efficient to google for email addresses. You'd have to do some parsing on the other end to dig them out of the rest of the page content, maybe a little work to make sure they weren't spam armored. Of course, I guess if you've hijacked some poor slob's computer, CPU cycles aren't really your problem anymore.
        • by AuMatar (183847) on Monday July 26, 2004 @02:11PM (#9803849)
          Hate to give them ideas, but- search the cached response, and Google colors the words. Then just look for the font color tags. That shows exactly where the address is. Wouldn't be that difficult.
        • Doesn't seem like it would be all that efficient to google for email addresses

          It is efficient enough to spread fast and wide. By the time Google had a chance to respond to this the virus had probably attacked 90% of the targets at least once. All Google could do is to reduce follow-on attacks somewhat. I was hit 450 times, that is not counting the attacks that the spam filter just disconnected on.

          I don't think the real target was Google. MyDoom has been launched several times and 2 out of 3 times there h

    • by didde (685567) on Monday July 26, 2004 @02:29PM (#9804050) Homepage
      This is the 403 Forbidden I get when submitting a gmail address... The most thorough 403 I've ever seen.

      Forbidden
      Your client does not have permission to get URL /search?q=anything@gmail.com&ie=UTF-8&oe=UTF-8 from this server. (Client IP address: [xx.xx.xx.xx])

      Please see Google's Terms of Service posted at http://www.google.com/terms_of_service.html [google.com]

      If you believe that you have received this response in error, please send email to forbidden@google.com. Before sending this email, however, please make sure to take a look at our Terms of Service (http://www.google.com/terms_of_service.html). In your email, please send us the entire code displayed below. Please also send us any information you may know about how you are performing your Google searches-- for example, "I'm using the Opera browser on Linux to do searches from home. My Internet access is through a dial-up account I have with the FooCorp ISP." or "I'm using the Konqueror browser on Linux to search from my job at myFoo.com. My machine's IP address is 10.20.30.40, but all of myFoo's web traffic goes through some kind of proxy server whose IP address is 10.11.12.13." (If you don't know any information like this, that's OK. But this kind of information can help us track down problems, so please tell us what you can.)

      We will use all this information to diagnose the problem, and we'll hopefully have you back up and searching with Google again quickly!

      Please note that although we read all the email we receive, we are not always able to send a personal response to each and every email. So don't despair if you don't hear back from us!

      Also note that if you do not send us the entire code below, we will not be able to help you.

      [long-ass-code removed]


      ... Otherwise the service works as usual here in Scandinavia.
    • by 0x0d0a (568518) on Monday July 26, 2004 @03:59PM (#9805017) Journal
      Google has a lot of computer scientists and techies, and all they need to do is write a quick regex to match these "banned" searches, slap a 72-hour ban on any IP that's the source of more than, say, 1000 "banned" searches in a day, reply with a static page that says "SOL, your request came from an infected computer, contact your sysadmin" and then start looking for a more fundamental and elegant solution for a long-term fix.

      They'll have this patched over in less than 24 hours, for certain.
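
Added example, not part of the original thread or of any comment in it: a sketch of the mitigation 0x0d0a describes above (pattern match, then a 72-hour ban for any IP that sends more than 1000 matching searches in a day). The regex covers only the query shapes commenters on this page report as blocked; the class and function names are hypothetical, and nothing here reflects Google's actual filter.

```python
import re
from collections import defaultdict, deque

# Assumption: the "banned" shapes are the ones commenters on this page report
# as blocked: "mailer-daemon@<domain>", "email@<domain>" and "email <domain>".
_DOMAIN = r"[a-z0-9-]+(?:\.[a-z0-9-]+)+"
BANNED_QUERY = re.compile(
    rf"^\s*(?:mailer-daemon@|email@|email\s+){_DOMAIN}\s*$", re.IGNORECASE
)

DAY = 24 * 3600
BAN_SECONDS = 72 * 3600   # "72-hour ban" from the comment
THRESHOLD = 1000          # "more than, say, 1000" banned searches in a day


class HarvestLimiter:
    """Hypothetical per-IP limiter: sliding one-day window plus a timed ban."""

    def __init__(self, threshold=THRESHOLD, window=DAY, ban=BAN_SECONDS):
        self.threshold, self.window, self.ban = threshold, window, ban
        self._hits = defaultdict(deque)  # ip -> times of banned-shape queries
        self._banned_until = {}          # ip -> time at which the ban lifts

    def check(self, ip, query, now):
        """Return 'ban' (static page), 'reject' (this query only) or 'allow'."""
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return "ban"             # every query is refused while banned
            del self._banned_until[ip]   # ban expired, start clean
        if not BANNED_QUERY.match(query):
            return "allow"
        hits = self._hits[ip]
        hits.append(now)
        while hits and hits[0] <= now - self.window:  # drop hits older than a day
            hits.popleft()
        if len(hits) > self.threshold:
            self._banned_until[ip] = now + self.ban
            del self._hits[ip]           # counter restarts after the ban
            return "ban"
        return "reject"


def replay(events, **kwargs):
    """Run (time, ip, query) tuples through a fresh limiter; return decisions."""
    limiter = HarvestLimiter(**kwargs)
    return [limiter.check(ip, query, t) for t, ip, query in events]


if __name__ == "__main__":
    # Constructed sample traffic (documentation IP range); threshold lowered to 3.
    sample = [
        (0, "192.0.2.10", "email@example.com"),
        (1, "192.0.2.10", "email example.com"),
        (2, "192.0.2.10", "mailer-daemon@domain.com"),
        (3, "192.0.2.10", "email@example.org"),   # fourth hit exceeds threshold
        (4, "192.0.2.10", "weather"),             # refused: source is banned
        (5, "192.0.2.11", "name@example.com"),    # shape not reported as blocked
    ]
    for event, verdict in zip(sample, replay(sample, threshold=3)):
        print(event, "->", verdict)
```

A source IP may be a proxy or NAT gateway shared by many users, so a ban keyed on IP alone also locks out every clean machine behind it.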
  • Oh no (Score:2, Funny)

    by Anonymous Coward
    Now my hotmail account will start getting spammed :(
  • i was wondering (Score:3, Informative)

    by The Other White Boy (626206) <theotherwhiteboyNO@SPAMgmail.com> on Monday July 26, 2004 @12:52PM (#9802734)
    i was getting errors when trying to search, but people i was talkin to online elsewhere in the country were fine. my whole office was screwin up.

    gmail still works tho, hrm.
  • Ah hah (Score:5, Funny)

    by suso (153703) on Monday July 26, 2004 @12:52PM (#9802735) Homepage Journal
    I thought I was going nuts, I've never had google give me problems.

    I found it hard to remember the names of other search engines that I could use though.
    • Re:Ah hah (Score:5, Funny)

      by boredMDer (640516) <pmohr+slashdot@boredmder.com> on Monday July 26, 2004 @12:56PM (#9802812)
      Other....search engines?

      Do explain such a foreign concept as this.

      Google is the one, the almighty.
      • Seriously, I remember when I used to use Infoseek (or is it GO.com now lol) most of the time, or even the netscape search (pre google default). Then it was on to bigger and better like HotBot, or Webcrawler. Did I ever use Yahoo or AltaVista, or Excite (yeah i used that one). Magellan, remember that one?

        Oh the days of Mozilla, Navigator Gold & Mortal Kombat (the first one) - [gets teary eyed]

      • Re:Ah hah (Score:5, Funny)

        by skinfitz (564041) on Monday July 26, 2004 @02:33PM (#9804093) Journal
        What's a search engine?

        I tried googling for it but it just took me to the home page. I think it's broken.
    • Re:Ah hah (Score:5, Funny)

      by Jim Hall (2985) on Monday July 26, 2004 @12:58PM (#9802849) Homepage

      I found it hard to remember the names of other search engines that I could use though.

      You could do a Google search for them, I suppose... :-)

    • I had exactly the same problem, but had a couple bookmarked:

      Ended up using All the Web [alltheweb.com].

      There's also HotBot [hotbot.com]
      • Yeah, I ended up going to hotbot, which was the search engine I used before google came along. But that was like 4 years ago. Before that I think I used altavista and then yahoo before that and then before that there was lynx and goofer.
    • Re:Ah hah (Score:3, Funny)

      by suwain_2 (260792)
      Just do a search for related:www.google.com [google.com], and Google will tell you.

      Oh, wait...
    • Re:Ah hah (Score:4, Funny)

      by ehiris (214677) on Monday July 26, 2004 @01:16PM (#9803097) Homepage
      I misspelled yahoo 3 times before I got it right.
    • Re:Ah hah (Score:5, Informative)

      by gmuslera (3436) on Monday July 26, 2004 @01:30PM (#9803256) Homepage Journal
      AllTheWeb [alltheweb.com] and Teoma [teoma.com] are good alternatives, as far as I remember, and do some things in a smarter way than Google. MSN search is supposed to be improved in a beta URL (there was a story here about it some weeks ago)

      And you have also metasearchers, that not only search google, but also others. If you want almost the opposite of google in simplicity, you can try Kartoo [kartoo.com], where you can have graphs with groupings on search results, flash animations and things like that.

      Last, but not least, there is a search engine that you can use to find search engines very close to you. If it's good enough, probably there is a Slashdot article on it, so slashdot search is a good first step if all the other search engines you know are down but you still can access slashdot.

    • Re:Ah hah (Score:4, Funny)

      by TimeZone (658837) on Monday July 26, 2004 @02:36PM (#9804125)
      I tried to google "Service Error -27" to find out what the problem was.

      It took about 10 seconds for me to realize I was a dumbass.

      TZ

  • Everything else seems to be ticking ok (news, images, Froogle, etc...)
  • Yup (Score:3, Informative)

    by Anonymous Coward on Monday July 26, 2004 @12:52PM (#9802741)
    I'm getting "
    Server Error
    The service you requested is not available at this time.
    Service error -27
    "
    for all of my search attempts.
  • by ggvaidya (747058) on Monday July 26, 2004 @12:53PM (#9802763) Homepage Journal
    If MyDoom uses certain search strings, you just dump all such searches? Worst case, just dump any search for anything which looks like an e-mail account?
  • CNN is on behind me, and they've been talking about nothing but Google's IPO. Seems like really bad timing for Google. :-(
  • by Jamori (725303) on Monday July 26, 2004 @12:53PM (#9802766)
    Google is down ... the world is ending! The beginning of the apocalypse! (I can't even check if I spelled that right without google)
  • by craenor (623901) on Monday July 26, 2004 @12:54PM (#9802773) Homepage
    Google going down is the first sign of the apocalypse. Now if my wife asks me for sex (the second sign), I'll know the world is going to end...
  • Google key (Score:2, Informative)

    by xenostar (746407)
    To use the Google API you need a key generated by Google, which requires a small registration, so, while of course, if the perpetrator did fill it out, he probably put in fake information, it would still be a good place to start looking.
    • by hrieke (126185)
      Why not (since it's windows programming), create an IE object and have it return the results, this it would appear to Google to be nothing more than just normal traffic?
  • by Quasar1999 (520073) on Monday July 26, 2004 @12:54PM (#9802781) Journal
    503? screw that... why not have a new error number designated specifically for MS infected systems... error 999: The operating system you are using is insecure and has been exploited... you are partially responsible for bringing this server to its knees... Now go in the corner and think about what you've done.
  • Smart (Score:2, Insightful)

    by TheLinuxSRC (683475)
    Get google hammered with a big ol DOS, then post it to Slashdot where they are sure to get hammered some more!!

  • The fact that Google went down appears to have affected the BBC, given that it was given headline news on the radio. Proof that Google has become a world wide institution (or maybe just where the BBC does some of its "research" :) )
  • What locations? (Score:5, Informative)

    by ErichTheWebGuy (745925) on Monday July 26, 2004 @12:55PM (#9802787) Homepage
    is returning 503 errors on all queries submitted from certain locations

    Is that geographic locations, IP blocks, or what? I can use Google just fine at the moment, but have heard of trouble in California (I am in Colorado). TFA gives no details. Anyone have answers?
    • Re:What locations? (Score:3, Informative)

      by LearnToSpell (694184)
      I can search from home (SSH), but not from work (~15 miles away), in NY.
  • D'OH! I went to go search for the cause on Google News [google.com].

    My world is crumbling...
  • Queries blocked (Score:4, Informative)

    by GoRK (10018) <johnlNO@SPAMblurbco.com> on Monday July 26, 2004 @12:55PM (#9802789) Homepage Journal
    The query that google seems to block in order to work around this problem is a query for "mailer-daemon@domain.com" where "domain.com" is pretty much anything.
  • I would think they're planning on spreading a virus payload around by searching Google/Yahoo out, however Virus writers apparently don't think ahead very well. After the search engines implode from a Massive DDoS attack, A) The bots will essentially be dead when they can no longer search for emails and B) With Google and Yahoo dead, the entire Internet will let slip the dogs of war, if I were this virus writer I'd be deeeeeeep underground right about now (preferably six feet under). Maybe the DDoS attack w
  • Google did a search that took longer than 1 second! Good-bye cruel world!

    *jumps out window*
  • by Pirogoeth (662083) <mailbox@nOSPaM.ikrug.com> on Monday July 26, 2004 @12:56PM (#9802816) Homepage Journal
    ...just use Google's alternate search form [fury.com]...
  • The wxWidget list serve has been hard hit, and I suspect the same is true for other listserves that also post to newsgroups or other generally accessible format (and don't disguise the email addresses).

    Pretty nasty though so far, just a lot of garbage in the in-box. I suspect that anyone with an email address up on a web-site that receives a reasonable amount of traffic (so probably ranked reasonably well by google) will also see some mail from this approach.
  • by Rude Turnip (49495) <valuation&gmail,com> on Monday July 26, 2004 @12:57PM (#9802828)
    OK, so if Microsoft comes out with an antivirus product, what incentive do they have to immunize Windows-based computers against worms that attack their competitors? (i.e. Google vs MSN Search).
  • by Yo Grark (465041) * on Monday July 26, 2004 @12:58PM (#9802835)
    All Hail My Doom.

    For doing the very thing we always failed at doing.

    OH MY GOD, YOU SLASHDOTTED GOOGLE, YOU BASTARDS!

    Yo Grark
  • Perhaps I'm simply 'located' better, but I can do regular google searches [google.com] just fine.

    But when I ask for "email slashdot.org" it returns a forbidden search page. [google.com]

    So it looks like Google is primarily stopping searches that are typical of this virus, but they may also have automated filtering that stops searches which are too many from IPs and netblocks. This part is probably something they implemented long ago.

    But google is going slower for me today, and sometimes it stalls (some of the frontend machines dropping out a bit more frequently than usual?)

    -Adam
    • I've been unable to access any of the google search services since before 9:30 AM this morning. (austin TX)
    • by Warpedcow (180300) on Monday July 26, 2004 @01:08PM (#9802988) Homepage Journal
      I can't do any searches, and I tried both of the ones you referred to, and they both give this error message. [gac.edu]
    • by RobertB-DC (622190) * on Monday July 26, 2004 @01:22PM (#9803172) Homepage Journal
      But when I ask for "email slashdot.org" it returns a forbidden search page.

      I got the "forbidden search" error as well. I'm curious what the apparently encrypted string at the bottom of the page contains? The page says to include it in any correspondence to the Head Googlers. If another person runs the search [google.com], will they get a different string? I'd think so -- it probably includes referrer-ID and IP address.

      It starts and ends with a string of "/+" characters that give the Slashdot Lameness Filter fits.
      Notice the text string "taco" about 2/3 of the way through the file. Coincidence?
  • Browser Specific (Score:5, Interesting)

    by nsingapu (658028) on Monday July 26, 2004 @01:00PM (#9802879) Homepage
    Webmasterworld has an interesting thread [webmasterworld.com] which details the problems are user agent and locality specific (for me in SoCal IE and Firefox are borked, Konqueror is working, but others report no problem with Mozilla or no problems in certain locales).
  • Apparently it only throws an error when trying to search for an e-mail address (it also looks like they are using at least some degree of intelligence to determine if you are or not)

    The following queries generate the error:
    email example.com
    email@example.com

    HOWEVER, the following does *not* generate an error:
    name@example.com

    My guess is that they are filtering queries based upon what the virus searches for. Good for them!
  • I'm in Northern Utah.

    From work, I was getting the Google errors. (I tried refreshing to get on a different machine, but no luck.)

    I could VNC (2 blocks away) to home and search just fine though.

    Funny thing is, I got the same type error on Yahoo.com. MSN.com didn't seem to be affected.
  • Virus writers, when caught, should have their hands cut off -- or at least a mouse finger. The world just doesn't need this kind of crap going on.
  • Here's the HTML of the error page, for the history books ;) It's such a rare thing and many folks may have never seen it and never will...

    <html><head><title>503 Server Error</title><style><!--body {font-family: arial,sans-serif}div.nav {margin-top: 1ex}div.nav A {font-size: 10pt; font-family: arial,sans-serif}span.nav {font-size: 10pt; font-family: arial,sans-serif; font-weight: bold}div.nav A,span.big {font-size: 12pt; color: #0000cc}div.nav A {font-size: 10pt; c
  • This has the effect of punishing people who keep insecure systems by stopping them from using google. Maybe now, some of these people will pay attention.
    You are never too poor to pay attention. -- Dan Rather, 1984, Boston University Commencement.

  • What a great day for the first- and second-runner up search engines. At least for today, I'm running all of my queries through AllTheWeb.com. I guess being less popular proves strangely helpful at a time like this.
  • by Keruo (771880) on Monday July 26, 2004 @01:04PM (#9802932)
    use mirrors instead:

    http://www.google.co.jp/ [google.co.jp]
    http://www.google.fr/ [google.fr]
    http://www.google.se/ [google.se]
    http://www.google.fi/ [google.fi]
    http://www.google.ca/ [google.ca]

    all above seem to be responsive at least to me
  • by Darth Beto (800298) on Monday July 26, 2004 @01:10PM (#9803008) Homepage
    I'm in Mexico and Google is still not working! It is amazing that we're so tied to Google that we forget the other search engines (in fact when I couldn't search into Google I thought "well I'll wait a couple of minutes" instead of using another search engine like Yahoo!)
  • by ILikeRed (141848) on Monday July 26, 2004 @01:12PM (#9803030) Journal
    Talk about a boring upcoming Zeitgeist...

    Top query in US:
    joejob@yahoo.com

    Top query in UK:
    joejob@yahoo.com.uk

    Browsers used to access Google:
    Internet Explorer ... 41%
    MyDoom ... 54%
    Other ... 05%

    I think they are just trying to keep Mozilla's percentage down.
  • by Junta (36770) on Monday July 26, 2004 @01:17PM (#9803109)
    has gone to hell.

    My coworkers may realize I really don't know anything if I can't google up answers real soon now...
  • by shrubya (570356) on Monday July 26, 2004 @01:19PM (#9803137) Homepage Journal
    I can accept ordinary computer illiteracy. People who don't know their mouse has multiple buttons, or who don't know how to quit a program, it's okay. I'm sure they're good at something else. But as long as they aren't complete intentional morons, EVEN ILLITERATES CAN BE TRAINED TO USE COMPUTERS PROPERLY.

    But here we are at MyDoom.N, which is the 14th virus in a series that requires the user to:

    1. receive an infected email
    2. read the email and believe its contents
    3. download the attachment
    4. unzip the attachment, often password protected
    5. run the resulting executable

    After ignoring 13 previous warnings, I must move from sympathy to malice. For the sake of all humanity, I beg the author(s) of the MyDoom series and other viruses, in your next version, please include the following instructions:

    1. locate a nearby table lamp with the light on
    2. remove pants
    3. break the bulb while it is glowing
    4. insert testicles into bulb socket
    If they're dumb enough to get fooled by MyDoom again, they're dumb enough to get themselves out of the gene pool.
  • by TheNarrator (200498) on Monday July 26, 2004 @01:25PM (#9803208)
    I have a domain that I host mail for, let's call it thedomain.net. Every day 24 hours a day I get connections from thousands of different computers all sending mail to bernard@thedomain.net, ashley@thedomain.net, and any one of a hundred thousand other possible names at @thedomain.net that don't exist. These machines that connect to my machine are using the user unknown bounces to send spam to forged return addresses.

    Naturally I put in a script to watch for this, drop the mails and ban the ips but I've been running the thing for a few days and I have 5000 banned ip addresses in my ipchains firewall!!! I am beginning to think that the number of compromised windows machines out there has led to an absolute security CATASTROPHE of science fiction proportions. The machines attacking me, according to ARIN, are located all over the world.

    I'm not really that important or interesting a target, having a measly DSL line but yes I get constant connections from many different computers all over the world all day trying to use me to bounce mail.

    I really think, if people knew how huge the number of compromised windows machines there were out there, people would be embarrassed to recommend Microsoft products.
  • by Thagg (9904) <thadbeier@gmail.com> on Monday July 26, 2004 @01:37PM (#9803323) Journal
    There have been many reports recently of virus writers attempting to blackmail companies. Having this virus, an obvious DDoS attack on Google, happen the same day that Google announced the price of its IPO shares is just what you would expect if the Google didn't pay the blackmail.

    I don't know how we'll ever be able to test this hypothesis, but I think that something stinks here.

    thad
    • Nice theory. Google investors aren't necessarily tech savvy people (like on slashdot). They see a problem with a company and they get worried about buying shares in them. But I still can't figure out a way to make money off this. If you were going to short the stock and then pull this off, then you could make some money. Or pull this off and go long and hope things get better.

      I think your idea of blackmail makes more sense though.
  • by aziraphale (96251) on Monday July 26, 2004 @01:57PM (#9803636)
    ... I do not think it means what you think it means.

    i.e. is an abbreviation for the Latin id est, "that is". It's a synonym for "in other words", "that is to say", or (sort of) "specifically". It does NOT mean "for example", or "such as". For those expressions, you're looking for the Latin abbreviation e.g. - exempli gratia, which means "for example".

    Saying this virus "searches your machine for email domains, i.e. yahoo.com", you're actually saying that it "searches for email domains, in other words yahoo.com". This implies that yahoo.com is the only email domain it searches for (or that you are an idiot, and honestly believe that 'email domains' is synonymous with 'yahoo.com'), which makes it seem like a rather pointless search, to say the least.

    I.e./e.g. confusion seems to be increasingly common, which surprises me, because it doesn't seem to me that their meanings are at all similar. It seems rather like confusing the phrases 'In spite of which' and 'since Thursday'. Since Thursday, people still seem to do it.

    If you really can't remember whether you mean i.e. or e.g., then just write out 'for example' or 'in other words' in full... it doesn't take that much longer.
  • by WormholeFiend (674934) on Monday July 26, 2004 @02:41PM (#9804174)
    I remember that old David Letterman tv joke ad that went something like Dave saying:
    "Imagine what the world would be like without television?"
    [TV static for 5 seconds then Dave comes back on]
    "Scary, wasn't it?"

    Now imagine the world without the Internet... +++NO CARRIER
