[ILUG] interesting article otherwise known as the smell of napalm in the morning.

fuzzbucket fuzzbucket at eircom.net
Fri Feb 6 00:41:34 GMT 2004


Kermie wrote:

>  http://news.bbc.co.uk/2/hi/business/3457823.stm
>
>  direct quote
>
>  "There seems little doubt that SCO was targeted - illegally and
>  unacceptably, lest anyone be in any doubt - because it has enraged
>  many people devoted to the Linux operating system."
>
>  Is this fair comment?
>
>  Why could they have been targeted?
>
>  a) - disgruntled employee b) - the law suits c) - random domain name
>  d) - the colour of the sunset on a friday in november e) - the smell
>  of napalm in the morning.
>
>  Of all the various reasons behind it, what is the most likely answer?
>
>
>  and since I am not a lawyer, let's attempt logic ;-)
>
>  If one says that <insert random race here> are responsible for
>  certain attacks - that's racism, right?
>
>  If one says that <insert random gender here> are responsible for
>  certain attacks - that's sexist, right?
>
>  If one says that <insert random philosophy here> are responsible for
>  certain attacks - that's obviously alright.
>
>  It's quite possible that in some countries, and under some conditions,
>  "fair comment" can be mistaken for incitement.
>
>  Ribbit.
>

I read that article this morning - where to begin?
I reckon the DDoS component of the virus was inserted to take attention 
away from the backdoor/trojan component. It looks to be a professional 
job (professional as in for money - nothing to do with ability or 
integrity) and in what appears to be a qualm of conscience the author 
inserted a message into the code reading "I'm just doing my job, nothing 
personal, sorry." (see 
http://www.informationweek.com/story/showArticle.jhtml?articleID=17601394 )
This article mentions the virus being signed "Andy" but it seems more 
likely this Andy is the intended recipient of the message - much 
speculation abounds.
Assuming this is the case it is easy to speculate who commissioned the 
code. An immediate suspect is SCO given their history of gaining press 
columns by claiming malicious attacks against them but looking at the 
backdoor component I would be more inclined to point at spammers - as I 
said the DDoS aspect looks like a decoy, it being the aspect of the 
infection more likely to gain press inches.
I have also seen many people point the finger at the Russian mafia. 
While some exploits have come from that end of organised crime (online 
protection rackets targeted at financial institutions) my guess is that 
the origin would be stateside given the research showing the pure volume 
of spam that originates there and that a common purpose of many of 
today's viruses/trojans is to create mail relays.
Then again, I am probably mistaken - I have a history of that sort of 
thing :)
</slightly drunken response>