X
Tech

NetSky onslaught: Four sites down, one to go

All but one of the five Web sites targeted by the worm's denial-of-service attack have been knocked over or had to change their Web address to remain accessible.
Written by Munir Kotadia, Contributor
The main Web site of file-sharing network eDonkey has been knocked offline following an attack from NetSky, but Kazaa has survived--so far.

Earlier this week, the Kazaa and eDonkey sites, as well as three other file-sharing sites, were bracing for a distributed denial-of-service (DDoS) attack expected to be launched by variants of the NetSky worm. NetSky.Q, which first appeared March 29, is designed to attack certain Web sites that distribute file-sharing clients, as well as sites that distribute hacking and cracking tools. Kazaa and eDonkey are the worm's best-known targets. The attack is scheduled to last at least six days.

However, because the worm only attacks the main eDonkey site, the service is still accessible at another eDonkey address.

Another target, eMule, has also experienced severe disruption and in preparation has mirrored its site to another address. At the time of this writing, one of the Crack Web sites, www.cracks.am, was unavailable, and another, www.crack.st, had been unavailable earlier. Kazaa's Web site seems to be the only one of Netsky's targets to have survived the first day of the attack unscathed.

Mikko Hypponen, director of antivirus research at F-Secure, said that even though the eDonkey and eMule Project sites are online, most people will not be able to find them because the sites are not accessible through their main Web address.

"Most people that have bookmarked eDonkey and eMule Project, or if they search for them on Google, will be directed to the 'www' site, which fails," he said. "If you surf to a Web site and it fails, how many times do you try it again without the www?"

Hypponen said NetSky's authors seem to have learned a lesson from the mistakes made by the author of the MSBlast worm, also known as Blaster, which last summer launched a massive DDoS attack on Microsoft's Windows Update Web site. However, unlike NetSky, Blaster attacked the lesser-used Web address.

"Blaster was stupid--it attacked the Web site that most people would not use," he said. "It only attacked http://windowsupdate.com, not www.windowsupdate.com. NetSky is attacking the address that most people would surf to."

Munir Kotadia of ZDNet UK reported from London.

Editorial standards