Please create an account to participate in the Slashdot moderation system


Forgot your password?
Google Businesses The Internet

Latest MyDoom Variant Gives Google Problems 607

Devil's BSD writes "It seems like the latest MyDoom worm variant has caused a bit of an Internet storm. Google, at this time (12:28 EDT), is returning 503 errors on all queries submitted from certain locations. The MyDoom variant searches the user's address book for email domains (i.e. and searches various engines (such as Google) for email addresses in that domain."
This discussion has been archived. No new comments can be posted.

Latest MyDoom Variant Gives Google Problems

Comments Filter:
  • by Anonymous Coward on Monday July 26, 2004 @12:51PM (#9802725)
    Virus writers want to attack Microsoft or SCO, fine... but this... this is war! YOU DO NOT ATTACK THE GOOGLE!!!
    • by aardwolf204 ( 630780 ) on Monday July 26, 2004 @01:04PM (#9802921)
      Ahem, its TEH GOOGLE! get it right
      • Heh. This gives a whole new meaning to the phrase "Google Bombing" []

        Doesn't seem like it would be all that efficient to google for email addresses. You'd have to do some parsing on the other end to dig them out of the rest of the page content, maybe a little work to make sure they weren't spam armored. Of course, I guess if you've hijacked some poor slobs computer, CPU cycles aren't really your problem anymore.
        • by AuMatar ( 183847 ) on Monday July 26, 2004 @02:11PM (#9803849)
          Hate to give them ideas, but- search the cached response, and goodle colors the words. Then just look for the font color tags. That shows exactly where the address is. Wouldn't be that difficult.
        • Doesn't seem like it would be all that efficient to google for email addresses

          It is efficient enough to spread fast and wide. By the time Google had a chance to respond to this the virus had probably attacked 90% of the targets at least once. All Google could do is to reduce followon attacks somewhat. I was hit 450 times, that is not counting the attacks that the spam filter just disconnected on.

          I don't think the real target was Google. MyDoom has been launched several times and 2 out of 3 times there h

    • by didde ( 685567 ) on Monday July 26, 2004 @02:29PM (#9804050) Homepage
      This is the 403 Forbidden I get when submiting a gmail address... The most thourough 403 I've ever seen.

      Your client does not have permission to get URL /search? from this server. (Client IP address: [xx.xx.xx.xx])

      Please see Google's Terms of Service posted at []

      If you believe that you have received this response in error, please send email to Before sending this email, however, please make sure to take a look at our Terms of Service ( In your email, please send us the entire code displayed below. Please also send us any information you may know about how you are performing your Google searches-- for example, "I'm using the Opera browser on Linux to do searches from home. My Internet access is through a dial-up account I have with the FooCorp ISP." or "I'm using the Konqueror browser on Linux to search from my job at My machine's IP address is, but all of myFoo's web traffic goes through some kind of proxy server whose IP address is" (If you don't know any information like this, that's OK. But this kind of information can help us track down problems, so please tell us what you can.)

      We will use all this information to diagnose the problem, and we'll hopefully have you back up and searching with Google again quickly!

      Please note that although we read all the email we receive, we are not always able to send a personal response to each and every email. So don't despair if you don't hear back from us!

      Also note that if you do not send us the entire code below, we will not be able to help you.

      [long-ass-code removed]

      ... Otherwise the service works as usual here in Scandinavia.
    • by 0x0d0a ( 568518 ) on Monday July 26, 2004 @03:59PM (#9805017) Journal
      Google has a lot of computer scientists and techies, and all they need to do is write a quick regex to match these "banned" searches, slap a 72-hour ban on any IP that's the source of more than, say, 1000 "banned" searches in a day, reply with a static page that says "SOL, your request came from an infected computer, contact your sysadmin" and then start looking for a more fundamental and elegant solution for a long-term fix.

      They'll have this patched over in less than 24 hours, for certain.
  • Oh no (Score:2, Funny)

    by Anonymous Coward
    Now my hotmail account will start getting spammed :(
  • i was wondering (Score:3, Informative)

    by The Other White Boy ( 626206 ) <theotherwhiteboy ... m ['il.' in gap]> on Monday July 26, 2004 @12:52PM (#9802734)
    i was getting errors when trying to search, but people i was talkin to online elsewhere in the country were fine. my whole office was screwin up.

    gmail still works tho, hrm.
  • Ah hah (Score:5, Funny)

    by suso ( 153703 ) on Monday July 26, 2004 @12:52PM (#9802735) Homepage Journal
    I thought I was going nuts, I've never had google give me problems.

    I found it hard to remember the names of other search engines that I could use though.
  • Everything else seems to be ticking ok (news, images, Froogle, etc...)
  • Yup (Score:3, Informative)

    by Anonymous Coward on Monday July 26, 2004 @12:52PM (#9802741)
    I'm getting "
    Server Error
    The service you requested is not available at this time.
    Service error -27
    for all of my search attempts.
  • by ggvaidya ( 747058 ) on Monday July 26, 2004 @12:53PM (#9802763) Homepage Journal
    If MyDoom uses certain search strings, you just dump all such searches? Worse case, just dump any search for anything which looks like an e-mail account?
  • by AKAImBatman ( 238306 ) <> on Monday July 26, 2004 @12:53PM (#9802764) Homepage Journal
    CNN is on behind me, and they've been talking about nothing but Google's IPO. Seems like really bad timing for Google. :-(
  • by Jamori ( 725303 ) on Monday July 26, 2004 @12:53PM (#9802766)
    Google is down ... the world is ending! The beginning of the apocalypse! (I can't even check if I spelled that right without google)
  • by craenor ( 623901 ) on Monday July 26, 2004 @12:54PM (#9802773) Homepage
    Google going down is the first sign of the apocalypse. Now if my wife asks me for sex (the second sign), I'll know the world is going to end...
  • Google key (Score:2, Informative)

    by xenostar ( 746407 )
    To use the Google API you need a key generated by Google, which requires a small registration, so, while of course, if the perpetrator did fill it out, he probably put in fake information, it would still be a good place to start looking.
    • by hrieke ( 126185 )
      Why not (since it's windows programming), create an IE object and have it return the results, this it would appear to Google to be nothing more than just normal traffic?
  • by Quasar1999 ( 520073 ) on Monday July 26, 2004 @12:54PM (#9802781) Journal
    503? screw that... why not have a new error number designated specifically for MS infected systems... error 999: The operating system you are using is insecure and has been exploited... you are partially responsible for bringing this server to its knees... Now go in the corner and think about what you've done.
  • Smart (Score:2, Insightful)

    by TheLinuxSRC ( 683475 )
    Get google hammered with a big ol DOS, then post it to Slashdot where they are sure to get hammered some more!!

  • The fact that Google went down appears to have affected the BBC, given that it was given headline news on the radio. Proof that Google has become a world wide institution(or maybe just where the BBC does some of it's "research" :) )
  • What locations? (Score:5, Informative)

    by ErichTheWebGuy ( 745925 ) on Monday July 26, 2004 @12:55PM (#9802787) Homepage
    is returning 503 errors on all queries submitted from certain locations

    Is that geographic locations, IP blocks, or what? I can use Google just fine at the moment, but have heard of trouble in California (I am in Colorado). TFA gives no details. Anyone have answers?
    • I can search from home (SSH), but not from work (~15 miles away), in NY.
  • D'OH! I went to go search for the cause on Google News [].

    My world is crumbling...
  • Queries blocked (Score:4, Informative)

    by GoRK ( 10018 ) on Monday July 26, 2004 @12:55PM (#9802789) Homepage Journal
    The query that google seems to block in order to work around this problem is a query for "" where "" is pretty much anything.
  • I would think they're planning on spreading a virus payload around by searching Google/Yahoo out, however Virus writers apparently don't think ahead very well. After the search engines implode from a Massive Ddos attack, A) The bots will essentially be dead when they can no longer search for emails and B) With Google and Yahoo dead,the entire Internet will let slip the dogs of war, if I were this virus writer I'd be deeeeeeep underground right about now (preferably six feet under). Maybe the Ddos attack w
  • Google did a search that took longer than 1 second! Good-bye cruel world!

    *jumps out window*
  • by Pirogoeth ( 662083 ) <> on Monday July 26, 2004 @12:56PM (#9802816) Homepage Journal
    ...just use Google's alternate search form []...
  • The wxWidget list serve has been hard hit, and I suspect the same is true for other listserves that also post to newsgroups or other generally accessible format (and don't diguise the email addresses).

    Pretty nasty though so far, just a lot of garbage in the in-box. I suspect that anyone with an email address up on a web-site that recieves a reasonable amount of traffic (so probably ranked reasonably well by google) will also see some mail from this approach.
  • by Rude Turnip ( 49495 ) <valuation&gmail,com> on Monday July 26, 2004 @12:57PM (#9802828)
    OK, so if Microsoft comes out with an antivirus product, what incentive do they have to immunize Windows-based computers against worms that attack their competitors? (i.e. Google vs MSN Search).
  • by Yo Grark ( 465041 ) * on Monday July 26, 2004 @12:58PM (#9802835)
    All Hail My Doom.

    For doing the very thing we always failed at doing.


    Yo Grark
  • Perhaps I'm simply 'located' better, but I can do regular google searches [] just fine.

    But when I ask for "email" it returns a forbidden search page. []

    So it looks like Google is primarily stopping searches that are typical of this virus, but they may also have automated filtering that stops searches which are too many from IPs and netblocks. This part is probably something they implemented long ago.

    But google is going slower for me today, and sometimes it stalls (some of the frontend machines dropping out a bit more frequently than usual?)

    • I've been unable to access any of the google search services since before 9:30 AM this morning. (austin TX)
    • by Warpedcow ( 180300 ) on Monday July 26, 2004 @01:08PM (#9802988) Homepage Journal
      I can't do any searches, and I tried both of the ones you referred to, and they both give this error message. []
    • by RobertB-DC ( 622190 ) * on Monday July 26, 2004 @01:22PM (#9803172) Homepage Journal
      But when I ask for "email" it returns a forbidden search page.

      I got the "forbidden search" error as well. I'm curious what the apparently encrypted string at the bottom of the page contains? The page says to include it in any correspondence to the Head Googlers. If another person runs the search [], will they get a different string? I'd think so -- it probably includes referrer-ID and IP address.

      It starts and ends with a string of "/+" characters that give the Slashdot Lameness Filter fits.
      Notice the text string "taco" about 2/3 of the way through the file. Coincidence?
  • Browser Specific (Score:5, Interesting)

    by nsingapu ( 658028 ) on Monday July 26, 2004 @01:00PM (#9802879) Homepage
    Webmasterworld has an interesting thread [] which details the problems are user agent and locality specific (for me in SoCal IE and Firefox are borked, Konqueror is working, but others report no problem with Mozilla or no problems in certain locals).
  • Apparently it only throws an error when trying to search for an e-mail address (it also looks like they are using at least some degree of intelligence to determine if you are or not)

    The following queries generate the error:

    HOWEVER, the following does *not* generate an error:

    My guess is that they are filtering queries based upon what the virus searches for. Good for them!
  • I'm in Northern Utah.

    From work, I was getting the Google errors. (I tried refreshing to get on a different machine, but no luck.)

    I could VNC (2 blocks away) to home and search just fine though.

    Funny thing is, I got the same type error on didn't seem to be affected.
  • Virus writers, when caught, should have their hands cut off -- or at least a mouse finger. The world just doesn't need this kind of crap going on.
  • <BR>
    Here's he HTML of the error page, for the history books ;) It's such a rare thing and many folks may have never seen it and never will...

    <html><head><title>503 Server Error</title><style><!--body {font-family: arial,sans-serif}div.nav {margin-top: 1ex}div.nav A {font-size: 10pt; font-family: arial,sans-serif}span.nav {font-size: 10pt; font-family: arial,sans-serif; font-weight: bold}div.nav A,span.big {font-size: 12pt; color: #0000cc}div.nav A {font-size: 10pt; c
  • This has the effect of punishing people who keep insecure systems by stopping them from using google. Maybe now, some of these people will pay attention.
    You are never too poor to pay attention. -- Dan Rather, 1984, Boston University Commencement.

  • What a great day for the first- and second-runner up search engines. At least for today, I'm running all of my queries through I guess being less popular proves strangely helpful at a time like this.
  • by Keruo ( 771880 ) on Monday July 26, 2004 @01:04PM (#9802932)
    use mirrors instead: [] [] [] [] []

    all above seem to be responsive atleast to me
  • by Darth Beto ( 800298 ) on Monday July 26, 2004 @01:10PM (#9803008) Homepage
    I'm in Mexico and Google is still not working! It is amazing that we're so tied to Google that we forget the others search engines (in fact when I couldn't search into Google I thought "well I'll wait a couple of minutes" instead of using another search engine like Yahoo!)
  • by ILikeRed ( 141848 ) on Monday July 26, 2004 @01:12PM (#9803030) Journal
    Talk about a boring upcoming Zietgeist...

    Top query in US:

    Top query in UK:

    Browsers used to access Google:
    Internet Explorer ... 41%
    MyDoom ... 54%
    Other ... 05%

    I think they are just trying to keep Mozilla's percentage down.
  • by Junta ( 36770 ) on Monday July 26, 2004 @01:17PM (#9803109)
    has gone to hell.

    My coworkers may realize I really don't know anything if I can't google up answers real soon now...
  • by shrubya ( 570356 ) on Monday July 26, 2004 @01:19PM (#9803137) Homepage Journal
    I can accept ordinary computer illiteracy. People who don't know their mouse has multiple buttons, or who don't know how to quit a program, it's okay. I'm sure they're good at something else. But as long as they aren't complete intentional morons, EVEN ILLITERATES CAN BE TRAINED TO USE COMPUTERS PROPERLY.

    But here we are at MyDoom.N, which is the 14th virus in a series that requires the user to:

    1. receive an infected email
    2. read the email and believe its contents
    3. download the attachment
    4. unzip the attachment, often password protected
    5. run the resulting executable

    After ignoring 13 previous warnings, I must move from sympathy to malice. For the sake of all humanity, I beg the author(s) of the MyDoom series and other viruses, in your next version, please include the following instructions:

    1. locate a nearby table lamp with the light on
    2. remove pants
    3. break the bulb while it is glowing
    4. insert testicles into bulb socket
    If they're dumb enough to get fooled by MyDoom again, they're dumb enough to get themselves out of the gene pool.
  • by TheNarrator ( 200498 ) on Monday July 26, 2004 @01:25PM (#9803208)
    I have a domain that I host mail for, let's call it Every day 24 hours a day I get connections from thousands of different computers all sending mail to,, and any one of a hundred thousand other possible names at that don't exist. These machines that connect to my machine are using the user unknown bounces to send spam to forged return addresses.

    Naturally I put in a script to watch for this, drop the mails and ban the ips but I've been running the thing for a few days and I have 5000 banned ip addresses in my ipchains firewall!!! I am beginning to think that the number of compromised windows machines out there has led to an absolute security CATASTROPHE of science fiction proportions. The machines attacking me, according to ARIN, are located all over the world.

    I'm not really that important or interesting a target, having a measily DSL line but yes I get constant connections from many different computers all over the world all day trying to use me to bounce mail.

    I really think, if people knew how huge the number of compromised windows machines there were out there, people would be embarassed to recommend Microsoft products.
  • by Thagg ( 9904 ) <> on Monday July 26, 2004 @01:37PM (#9803323) Journal
    There have been many reports recently of virus writers attempting to blackmail companies. Having this virus, an obvious DDoS attack on Google, happen the same day that Google announced the price of its IPO shares is just what you would expect if the Google didn't pay the blackmail.

    I don't know how we'll ever be able to test this hypothesis, but I think that something stinks here.

    • Nice theory. Google investors aren't necessarily tech savy people (like on slashdot). They see a problem with a company and they get worried about buying shares in them. But I still can't figure out a way to make money off this. If you were going to short the stock and then pull this off, then you could make some money. Or pull this off and go long and hope things get better.

      I think your idea of blackmail makes more sense though.
  • by aziraphale ( 96251 ) on Monday July 26, 2004 @01:57PM (#9803636)
    ... I do not think it means what you think it means.

    i.e. is an abbreviation for the Latin id est, "that is". It's a synonym for "in other words", "that is to say", or (sort of) "specifically". It does NOT mean "for example", or "such as". For those expressions, you're looking for the Latin abbreviation e.g. - exempli gratia, which means "for example".

    Saying this virus "searches your machine for email domains, i.e.", you're actually saying that it "searches for email domains, in other words". This implies that is the only email domain it searches for (or that you are an idiot, and honestly believe that 'email domains' is synonymous with ''), which makes it seem like a rather pointless search, to say the least.

    I.e./e.g. confusion seems to be increasingly common, which surprises me, because it doesn't seem to me that their meanings are at all similar. It seems rather like confusing the phrases 'In spite of which' and 'since Thursday'. Since Thursday, people still seem to do it.

    If you really can't remember whether you mean i.e. or e.g., then just write out 'for example' or 'in other words' in full... it doesn't take that much longer.
  • by WormholeFiend ( 674934 ) on Monday July 26, 2004 @02:41PM (#9804174)
    I remember that old David Letterman tv joke ad that went something like Dave saying:
    "Imagine what the world would be like without television?"
    [TV static for 5 seconds then Dave comes back on]
    "Scary, wasn't it?"

    Now imagine the world without the Internet... +++NO CARRIER

"My sense of purpose is gone! I have no idea who I AM!" "Oh, my God... You've.. You've turned him into a DEMOCRAT!" -- Doonesbury