Latest MyDoom Variant Gives Google Problems
Devil's BSD writes "It seems like the latest MyDoom worm variant has caused a bit of an Internet storm. Google, at this time (12:28 EDT), is returning 503 errors on all queries submitted from certain locations. The MyDoom variant searches the user's address book for email domains (i.e. @yahoo.com) and searches various engines (such as Google) for email addresses in that domain."
Google is that big (Score:2, Interesting)
Browser Specific (Score:5, Interesting)
503/service error -27 (Score:2, Interesting)
Server Error
The service you requested is not available at this time.
Service error -27
Re:Google is doing fine for regular searches... (Score:5, Interesting)
I got the "forbidden search" error as well. I'm curious what the apparently encrypted string at the bottom of the page contains? The page says to include it in any correspondence to the Head Googlers. If another person runs the search [google.com], will they get a different string? I'd think so -- it probably includes referrer-ID and IP address.
It starts and ends with a string of "/+" characters that give the Slashdot Lameness Filter fits. Notice the text string "taco" about 2/3 of the way through the file. Coincidence?
My mailserver gets attacked all day by these (Score:4, Interesting)
Naturally I put in a script to watch for this, drop the mails and ban the IPs, but I've been running the thing for a few days and I have 5000 banned IP addresses in my ipchains firewall!!! I am beginning to think that the number of compromised Windows machines out there has led to an absolute security CATASTROPHE of science fiction proportions. The machines attacking me, according to ARIN, are located all over the world.
I'm not really that important or interesting a target, having a measly DSL line, but yes, I get constant connections from many different computers all over the world all day trying to use me to bounce mail.
I really think, if people knew how huge the number of compromised Windows machines out there is, people would be embarrassed to recommend Microsoft products.
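The poster's script is not on the page. As an added example (not the poster's code), this is the shape such a watcher usually takes: count "Relay access denied" rejections per source IP over Postfix-style mail log lines (the sample lines are constructed and the log format is assumed), list the IPs at or over a threshold, and refuse to ban your own RFC 1918 or loopback ranges so a misconfigured LAN host cannot lock you out. The rules are rendered as iptables commands rather than the ipchains syntax of the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, Postfix smtpd style; not taken from the original post.
SAMPLE_LOG = "\n".join([
    "Jul 26 12:01:02 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<a@example.org> to=<victim@example.net>",
    "Jul 26 12:01:04 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim2@example.net>: Relay access denied; from=<b@example.org> to=<victim2@example.net>",
    "Jul 26 12:01:09 mx postfix/smtpd[4122]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim3@example.net>: Relay access denied; from=<c@example.org> to=<victim3@example.net>",
    "Jul 26 12:02:10 mx postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 <x@example.net>: Relay access denied; from=<d@example.org> to=<x@example.net>",
    "Jul 26 12:02:15 mx postfix/smtpd[4131]: NOQUEUE: reject: RCPT from unknown[192.168.1.20]: 554 5.7.1 <y@example.net>: Relay access denied; from=<e@example.org> to=<y@example.net>",
    "Jul 26 12:02:16 mx postfix/smtpd[4131]: NOQUEUE: reject: RCPT from unknown[192.168.1.20]: 554 5.7.1 <y@example.net>: Relay access denied; from=<e@example.org> to=<y@example.net>",
    "Jul 26 12:02:17 mx postfix/smtpd[4131]: NOQUEUE: reject: RCPT from unknown[192.168.1.20]: 554 5.7.1 <y@example.net>: Relay access denied; from=<e@example.org> to=<y@example.net>",
    "Jul 26 12:03:00 mx postfix/smtpd[4140]: connect from mail.example.com[203.0.113.9]",
])

# Source address sits in brackets after the (often unresolvable) client name.
RELAY_DENIED = re.compile(
    r"RCPT from \S+?\[(?P<ip>[0-9a-fA-F.:]+)\]: 554 .*Relay access denied")

# Ranges that must never be banned automatically: our own LAN and loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def count_relay_attempts(log_text):
    """Return a Counter of open-relay attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def candidates_to_ban(counts, threshold=3, allow_local=False):
    """IPs with at least `threshold` attempts, excluding local ranges unless told otherwise."""
    banned = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if not allow_local and any(addr in net for net in LOCAL_NETS):
            continue
        banned.append(ip)
    return sorted(banned)


def firewall_rules(ips, chain="INPUT"):
    """Render iptables rules as strings for review; -I inserts the DROP ahead of
    any existing accept rule in the chain.  (ipchains, which the post used,
    would be: ipchains -A input -s IP -j DENY.)"""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    attempts = count_relay_attempts(SAMPLE_LOG)
    for rule in firewall_rules(candidates_to_ban(attempts)):
        print(rule)
```

Rendering the rules as text instead of executing them keeps the script reviewable before anything reaches the firewall. Note also that a flat chain of thousands of per-IP rules is scanned linearly on every packet; at the 5000-address scale the post describes, an ipset (or nftables set) referenced from a single rule is the better fit.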
Timing is a little too close to be coincidence (Score:5, Interesting)
I don't know how we'll ever be able to test this hypothesis, but I think that something stinks here.
thad
workaround found using Opera (Score:2, Interesting)
Some users in the UK (Score:3, Interesting)
Go figure. Session handling switches deciding which IP's go where and some end servers of Google's being borked is my best guess.
google shmoogle (Score:3, Interesting)
Oh the days of Mozilla, Navigator Gold & Mortal Kombat (the first one) - [gets teary eyed]
Re:Alright, this means war (Score:4, Interesting)
Re:Alright, this means war (Score:5, Interesting)
Forbidden
Your client does not have permission to get URL
Please see Google's Terms of Service posted at http://www.google.com/terms_of_service.html [google.com]
If you believe that you have received this response in error, please send email to forbidden@google.com. Before sending this email, however, please make sure to take a look at our Terms of Service (http://www.google.com/terms_of_service.html). In your email, please send us the entire code displayed below. Please also send us any information you may know about how you are performing your Google searches-- for example, "I'm using the Opera browser on Linux to do searches from home. My Internet access is through a dial-up account I have with the FooCorp ISP." or "I'm using the Konqueror browser on Linux to search from my job at myFoo.com. My machine's IP address is 10.20.30.40, but all of myFoo's web traffic goes through some kind of proxy server whose IP address is 10.11.12.13." (If you don't know any information like this, that's OK. But this kind of information can help us track down problems, so please tell us what you can.)
We will use all this information to diagnose the problem, and we'll hopefully have you back up and searching with Google again quickly!
Please note that although we read all the email we receive, we are not always able to send a personal response to each and every email. So don't despair if you don't hear back from us!
Also note that if you do not send us the entire code below, we will not be able to help you.
[long-ass-code removed]
Re:Google is doing fine for regular searches... (Score:3, Interesting)
Re:Fool me once ... fool me 14 times??? (Score:2, Interesting)
There are no viruses that run as services. Unless you care to show me one. They're all userspace processes. And it ultimately doesn't matter that the user is running under the equivalent of root on Windows - you can delete ~/ just as easily or turn the box into a spam zombie. What you can't do is render the box unusable, but that's not the problem here.
You seem to forget that using Linux means you are no longer married to Intel.
You seem to forget that if the day comes when Linux is actually a viable desktop OS that the unwashed masses can use, your claim of "monoculture is teh badd" will be immediately invalidated. There is simply no chance in hell that 5 million people (to use a number) will be using a slightly different version of Mandrake or RedHat. They'll be using whatever came preinstalled with the eMachines they bought from Wal-Mart or BestBuy. There is no chance in hell 23% of them will be running a SPARC and the rest an Intel box. Or perhaps you think 5 million people will suddenly decide to just download Linux and install it themselves on their Windows partition? Or over their Solaris one? They can do that now and Linux is nowhere on the desktop, so that little theory just doesn't pan out.
Oh, and a bash script on a tar file with the execute bit set is pretty much platform independent.
Other than that, your clueless rambling is right on spot.
Re:My Doom? Oh My (Score:1, Interesting)
When is M$ going to be part of the solution instead of always being part of the problem? We've just GOT to get more people into using UNIX based platforms.
Google can probably take this in stride (Score:5, Interesting)
They'll have this patched over in less than 24 hours, for certain.
Re:Timing is a little too close to be coincidence (Score:3, Interesting)
I think your idea of blackmail makes more sense though.
It is likely a phishing attack (Score:3, Interesting)
It is efficient enough to spread fast and wide. By the time Google had a chance to respond to this the virus had probably attacked 90% of the targets at least once. All Google could do is reduce follow-on attacks somewhat. I was hit 450 times, and that is not counting the attacks that the spam filter just disconnected on.
I don't think the real target was Google. MyDoom has been launched several times, and 2 out of 3 times there has been an uptick in phishing fraud attacks just afterwards. I don't think that the target was really SCO or Microsoft. Attacking them was just a way to throw investigators off the trail and also to work out which machines would make reliable zombies.
These guys use zombie machines for several purposes. They use them to send spam, to capture credit card numbers and to hide their tracks.
I think it is time to admit defeat with the anti-virus scanning software. We should simply block all executable attachments and zip files containing executable code. Fortunately most encrypted zip file formats do not encrypt the manifest so encrypted files can be blocked.
This type of technology can be written once and is then pretty much maintenance free. Maybe an occasional tweak but nothing like the constant need to work out the signatures of new viruses.
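The blocking policy in the post above (drop executable attachments, and drop encrypted ZIPs because the archive "manifest" is readable even when the payload is not) can be checked without any signature database. The example below is added here and is not the poster's code: it hand-builds small ZIP files so the layout is visible, then inspects only the central directory, where each entry's name, sizes and general-purpose flags are stored in the clear in both traditional PKWARE and WinZip AES encryption (bit 0 of the flags marks an encrypted entry). For unencrypted entries it also peeks at the first two bytes for the "MZ" executable header, which catches a renamed .exe the extension check would miss. The extension list and the sample archives are constructed for the example.

```python
import io
import os
import struct
import zipfile
import zlib

# Extensions Windows runs directly; a constructed gateway blocklist, not from the post.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".cpl"}
DOS_DATE = (2004 - 1980) << 9 | 7 << 5 | 26   # 2004-07-26, an arbitrary valid DOS date
DOS_TIME = 12 << 11                           # 12:00:00


def build_zip(entries):
    """Hand-build a ZIP from (name, data, encrypted) tuples, all entries stored uncompressed.
    For 'encrypted' entries only general-purpose bit 0 is set (no real cipher is applied);
    that is enough to show the name, sizes and flag live in the plaintext central directory."""
    out, central = io.BytesIO(), []
    for name, data, encrypted in entries:
        flags = 0x0001 if encrypted else 0x0000
        crc = zlib.crc32(data) & 0xFFFFFFFF
        name_b = name.encode("ascii")
        offset = out.tell()
        # Local file header (30 bytes): sig, version, flags, method=0, time, date,
        # crc, compressed size, uncompressed size, name length, extra length
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, DOS_TIME, DOS_DATE,
                              crc, len(data), len(data), len(name_b), 0))
        out.write(name_b + data)
        # Central directory header (46 bytes) + name: the "manifest" a gateway can read
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                                   DOS_TIME, DOS_DATE, crc, len(data), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_start = out.tell()
    out.write(b"".join(central))
    cd_size = out.tell() - cd_start
    # End of central directory record (22 bytes, no comment)
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central), len(central),
                          cd_size, cd_start, 0))
    return out.getvalue()


def inspect_zip(zip_bytes):
    """Classify entries from the central directory alone, plus a two-byte peek at
    unencrypted content.  No decryption is attempted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)          # bit 0: entry is encrypted
            ext = os.path.splitext(info.filename)[1].lower()
            by_ext = ext in EXECUTABLE_EXTS
            by_magic = False
            if not encrypted:
                with zf.open(info) as f:
                    by_magic = f.read(2) == b"MZ"           # PE/DOS executable header
            findings.append({"name": info.filename, "encrypted": encrypted,
                             "executable": by_ext or by_magic})
    return findings


def should_block(zip_bytes):
    """Policy from the post: block any executable entry and any encrypted entry."""
    return any(f["encrypted"] or f["executable"] for f in inspect_zip(zip_bytes))


if __name__ == "__main__":
    sample = build_zip([("readme.txt", b"hello", False), ("photo.scr", b"junk", False)])
    print(inspect_zip(sample), should_block(sample))
```

The caveat a gateway operator needs: this works because the ZIP format leaves the central directory in the clear. Archive formats that can encrypt their headers as well (7-Zip and RAR both offer this) give you nothing to inspect, so the consistent policy is to block any archive whose listing you cannot read, and to recurse into nested archives before deciding.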