
Latest MyDoom Variant Gives Google Problems 607

Devil's BSD writes "It seems like the latest MyDoom worm variant has caused a bit of an Internet storm. Google, at this time (12:28 EDT), is returning 503 errors on all queries submitted from certain locations. The MyDoom variant searches the user's address book for email domains (i.e. @yahoo.com) and searches various engines (such as Google) for email addresses in that domain."
  • Google is that big (Score:2, Interesting)

    by frankthechicken ( 607647 ) on Monday July 26, 2004 @12:55PM (#9802786) Journal
    The fact that Google went down appears to have affected the BBC, given that it was given headline news on the radio. Proof that Google has become a world wide institution (or maybe just where the BBC does some of its "research" :) )
  • Browser Specific (Score:5, Interesting)

    by nsingapu ( 658028 ) on Monday July 26, 2004 @01:00PM (#9802879) Homepage
    Webmasterworld has an interesting thread [webmasterworld.com] which details that the problems are user agent and locality specific (for me in SoCal IE and Firefox are borked, Konqueror is working, but others report no problem with Mozilla or no problems in certain locales).
  • by grey1 ( 103890 ) on Monday July 26, 2004 @01:21PM (#9803160)
    I'm getting this every time, nothing to do with the search string:

    Server Error

    The service you requested is not available at this time.

    Service error -27
  • by RobertB-DC ( 622190 ) * on Monday July 26, 2004 @01:22PM (#9803172) Homepage Journal
    But when I ask for "email slashdot.org" it returns a forbidden search page.

    I got the "forbidden search" error as well. I'm curious what the apparently encrypted string at the bottom of the page contains? The page says to include it in any correspondence to the Head Googlers. If another person runs the search [google.com], will they get a different string? I'd think so -- it probably includes referrer-ID and IP address.

    It starts and ends with a string of "/+" characters that give the Slashdot Lameness Filter fits.
    Notice the text string "taco" about 2/3 of the way through the file. Coincidence?
  • by TheNarrator ( 200498 ) on Monday July 26, 2004 @01:25PM (#9803208)
    I have a domain that I host mail for, let's call it thedomain.net. Every day 24 hours a day I get connections from thousands of different computers all sending mail to bernard@thedomain.net, ashley@thedomain.net, and any one of a hundred thousand other possible names at @thedomain.net that don't exist. These machines that connect to my machine are using the user unknown bounces to send spam to forged return addresses.

    Naturally I put in a script to watch for this, drop the mails and ban the IPs but I've been running the thing for a few days and I have 5000 banned IP addresses in my ipchains firewall!!! I am beginning to think that the number of compromised Windows machines out there has led to an absolute security CATASTROPHE of science fiction proportions. The machines attacking me, according to ARIN, are located all over the world.

    I'm not really that important or interesting a target, having a measly DSL line but yes I get constant connections from many different computers all over the world all day trying to use me to bounce mail.

    I really think, if people knew how huge the number of compromised Windows machines there were out there, people would be embarrassed to recommend Microsoft products.
  • by Thagg ( 9904 ) <thadbeier@gmail.com> on Monday July 26, 2004 @01:37PM (#9803323) Journal
    There have been many reports recently of virus writers attempting to blackmail companies. Having this virus, an obvious DDoS attack on Google, happen the same day that Google announced the price of its IPO shares is just what you would expect if Google didn't pay the blackmail.

    I don't know how we'll ever be able to test this hypothesis, but I think that something stinks here.

    thad
  • by googolplexian ( 800325 ) on Monday July 26, 2004 @01:46PM (#9803421)
    All of my queries that are sent directly through Google's website return "Service error -27.", however, all queries sent through the Opera web browser have no problem. Once I've succeeded in a search I cannot do anything else through Google (next, cache, etc), because it does not contain a "sourceid=opera" in the query. By copying the address created by Opera, I was able to successfully search using IE. The address I used was "http://www.google.com/search?q=test&sourceid=opera&num=0&ie=utf-8&oe=utf-8", where "test" was what I was searching for.
  • Some users in the UK (Score:3, Interesting)

    by @madeus ( 24818 ) <slashdot_24818@mac.com> on Monday July 26, 2004 @01:53PM (#9803575)
    Some of the systems, both Windows and Linux, are having this problem, while others are not, despite being on the same subnet (on our NOC LAN here in the UK).

    Go figure. Session handling switches deciding which IPs go where and some end servers of Google's being borked is my best guess.
  • google shmoogle (Score:3, Interesting)

    by Prince Vegeta SSJ4 ( 718736 ) on Monday July 26, 2004 @01:56PM (#9803613)
    Seriously, I remember when I used to use Infoseek (or is it GO.com now lol) most of the time, or even the Netscape search (pre Google default). Then it was on to bigger and better like HotBot, or Webcrawler. Did I ever use Yahoo or AltaVista, or Excite (yeah I used that one). Magellan, remember that one?

    Oh the days of Mozilla, Navigator Gold & Mortal Kombat (the first one) - [gets teary eyed]

  • by AuMatar ( 183847 ) on Monday July 26, 2004 @02:11PM (#9803849)
    Hate to give them ideas, but- search the cached response, and Google colors the words. Then just look for the font color tags. That shows exactly where the address is. Wouldn't be that difficult.
  • by didde ( 685567 ) on Monday July 26, 2004 @02:29PM (#9804050) Homepage
    This is the 403 Forbidden I get when submitting a gmail address... The most thorough 403 I've ever seen.

    Forbidden
    Your client does not have permission to get URL /search?q=anything@gmail.com&ie=UTF-8&oe=UTF-8 from this server. (Client IP address: [xx.xx.xx.xx])

    Please see Google's Terms of Service posted at http://www.google.com/terms_of_service.html [google.com]

    If you believe that you have received this response in error, please send email to forbidden@google.com. Before sending this email, however, please make sure to take a look at our Terms of Service (http://www.google.com/terms_of_service.html). In your email, please send us the entire code displayed below. Please also send us any information you may know about how you are performing your Google searches-- for example, "I'm using the Opera browser on Linux to do searches from home. My Internet access is through a dial-up account I have with the FooCorp ISP." or "I'm using the Konqueror browser on Linux to search from my job at myFoo.com. My machine's IP address is 10.20.30.40, but all of myFoo's web traffic goes through some kind of proxy server whose IP address is 10.11.12.13." (If you don't know any information like this, that's OK. But this kind of information can help us track down problems, so please tell us what you can.)

    We will use all this information to diagnose the problem, and we'll hopefully have you back up and searching with Google again quickly!

    Please note that although we read all the email we receive, we are not always able to send a personal response to each and every email. So don't despair if you don't hear back from us!

    Also note that if you do not send us the entire code below, we will not be able to help you.

    [long-ass-code removed]


    ... Otherwise the service works as usual here in Scandinavia.
  • by barcodez ( 580516 ) on Monday July 26, 2004 @02:54PM (#9804321)
    It is a base64 encoding. Running it through decode-base64 and piping it to the file utility just says it's data. Running strings on the decoded output doesn't yield anything interesting either.

    $ decode-base64 google.txt | file -
  • by The Bungi ( 221687 ) <thebungi@gmail.com> on Monday July 26, 2004 @02:54PM (#9804322) Homepage
    And it can't install itself as a service or anything like the Windows viruses

    There are no viruses that run as services. Unless you care to show me one. They're all userspace processes. And it ultimately doesn't matter that the user is running under the equivalent of root on Windows - you can delete ~/ just as easily or turn the box into a spam zombie. What you can't do is render the box unusable, but that's not the problem here.

    You seem to forget that using Linux means you are no longer married to Intel.

    You seem to forget that if the day comes when Linux is actually a viable desktop OS that the unwashed masses can use your claim of "monoculture is teh badd" will be immediately invalidated. There is simply no chance in hell that 5 million people (to use a number) will be using a slightly different version of Mandrake or RedHat. They'll be using whatever came preinstalled with the eMachines they bought from Wal-Mart or BestBuy. There is no chance in hell 23% of them will be running a SPARC and the rest an Intel box. Or perhaps you think 5 million people will suddenly decide to just download Linux and install it themselves on their Windows partition? Or over their Solaris one? They can do that now and Linux is nowhere on the desktop, so that little theory just doesn't pan out.

    Oh, and a bash script on a tar file with the execute bit set is pretty much platform independent.

    Other than that, your clueless rambling is right on spot.

  • Re:My Doom? Oh My (Score:1, Interesting)

    by Anonymous Coward on Monday July 26, 2004 @03:22PM (#9804609)
    Doesn't surprise me in the least. Perhaps the spammers and MyDoom authors are really pissed off that I hosed more than 200,000 of their infected hosts over the past month, so they are taking it out on Google.

    When is M$ going to be part of the solution instead of always being part of the problem? We just GOT to get more people into using UNIX based platforms.
  • by 0x0d0a ( 568518 ) on Monday July 26, 2004 @03:59PM (#9805017) Journal
    Google has a lot of computer scientists and techies, and all they need to do is write a quick regex to match these "banned" searches, slap a 72-hour ban on any IP that's the source of more than, say, 1000 "banned" searches in a day, reply with a static page that says "SOL, your request came from an infected computer, contact your sysadmin" and then start looking for a more fundamental and elegant solution for a long-term fix.

    They'll have this patched over in less than 24 hours, for certain.
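The scheme proposed in the comment above (regex match, per-IP daily count, 72-hour ban), as an added sketch that is not part of the thread and is not Google's code. The query pattern, the `HarvestLimiter` name and its return values are assumptions; the thresholds are the ones the comment suggests.

```python
import re
from collections import defaultdict, deque

# Assumed pattern: a query containing an e-mail domain, like the
# "anything@gmail.com" search quoted elsewhere in the thread.
BANNED_QUERY = re.compile(r"@[a-z0-9-]+(\.[a-z0-9-]+)+", re.I)
WINDOW = 24 * 3600        # "in a day"
THRESHOLD = 1000          # "more than, say, 1000"
BAN_SECONDS = 72 * 3600   # "72-hour ban"

class HarvestLimiter:
    """Hypothetical per-IP limiter; timestamps are seconds supplied by the caller."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, ban=BAN_SECONDS):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.hits = defaultdict(deque)   # ip -> times of banned-pattern queries
        self.banned_until = {}           # ip -> time the ban expires

    def check(self, ip, query, now):
        """Return 'banned', 'rejected' or 'ok' for one request."""
        if self.banned_until.get(ip, 0) > now:
            return "banned"              # serve the static "infected host" page
        self.banned_until.pop(ip, None)  # ban has expired, forget it
        if not BANNED_QUERY.search(query):
            return "ok"
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                  # drop hits older than the window
        if len(q) > self.threshold:
            self.banned_until[ip] = now + self.ban
            q.clear()
            return "banned"
        return "rejected"                # single forbidden search, no ban yet

if __name__ == "__main__":
    lim = HarvestLimiter(threshold=3)
    for t in range(5):                   # constructed traffic from a test address
        print(t, lim.check("192.0.2.10", "mail @example.com", t))
```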
  • by Stevyn ( 691306 ) on Monday July 26, 2004 @04:14PM (#9805185)
    Nice theory. Google investors aren't necessarily tech savvy people (like on Slashdot). They see a problem with a company and they get worried about buying shares in them. But I still can't figure out a way to make money off this. If you were going to short the stock and then pull this off, then you could make some money. Or pull this off and go long and hope things get better.

    I think your idea of blackmail makes more sense though.
  • by Zeinfeld ( 263942 ) on Monday July 26, 2004 @04:59PM (#9805708) Homepage
    Doesn't seem like it would be all that efficient to google for email addresses

    It is efficient enough to spread fast and wide. By the time Google had a chance to respond to this the virus had probably attacked 90% of the targets at least once. All Google could do is to reduce follow-on attacks somewhat. I was hit 450 times, that is not counting the attacks that the spam filter just disconnected on.

    I don't think the real target was Google. MyDoom has been launched several times and 2 out of 3 times there has been an uptick in phishing fraud attacks just afterwards. I don't think that the target was really SCO or Microsoft. Attacking them was just a way to throw investigators off the trail and also to work out which machines would make reliable zombies.

    These guys use zombie machines for several purposes. They use them to send spam, to capture credit card numbers and to hide their tracks.

    I think it is time to admit defeat with the anti-virus scanning software. We should simply block all executable attachments and zip files containing executable code. Fortunately most encrypted zip file formats do not encrypt the manifest so encrypted files can be blocked.

    This type of technology can be written once and is then pretty much maintenance free. Maybe an occasional tweak but nothing like the constant need to work out the signatures of new viruses.
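The attachment filter described in the comment above, as an added sketch that is not part of the thread: a mail gateway can read entry names from a zip's central directory without the password, because only the file data is encrypted. The extension list, the function names and the block-on-parse-failure policy are assumptions, and the sample archive is constructed inline.

```python
import io
import struct
import zipfile

# Assumed block list; the thread does not enumerate extensions.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

def inspect_zip(data):
    """Return (name, encrypted, executable) per entry, read from the
    central directory only, so no password is needed."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower().rstrip(". ")
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            entries.append((info.filename, encrypted, ext in EXECUTABLE_EXT))
    return entries

def should_block(data):
    """Block when any entry name has an executable extension."""
    try:
        return any(is_exec for _, _, is_exec in inspect_zip(data))
    except zipfile.BadZipFile:
        return True  # assumed policy: unparseable archives are refused

def make_sample(names, encrypted=False):
    """Constructed test archive. With encrypted=True the encryption flag is
    set by hand in each central-directory header; the placeholder payload
    itself is not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02") if encrypted else -1
    while pos != -1:
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        struct.pack_into("<H", data, pos + 8, flags | 0x1)
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)

if __name__ == "__main__":
    sample = make_sample(["readme.txt", "document.txt.pif"], encrypted=True)
    print(inspect_zip(sample), should_block(sample))
```

Name-based blocking only sees what the archive declares; a nested archive or a renamed payload needs a separate rule.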
