'

Netsky attacks: Four sites down, one to go

Four out of the five Web sites targeted by a Netsky worm DDoS attack have either been knocked over, or had to change their Web address to remain accessible

File-sharing network eDonkey's main Web site has been knocked offline following an attack from Netsky, but Kazaa has survived -- so far

Earlier this week, file-sharing Web sites Kazaa and eDonkey and three other Web sites were bracing themselves for a distributed denial of service (DDoS) attack launched by variants of the Netsky worm. Netsky.Q, which first appeared on 29 March, is designed to attack certain Web sites that distribute either file-sharing clients or hacking and cracking tools. Kazaa and eDonkey are its best-known targets and the attack is scheduled to last for at least six days.

However, because the worm only attacks the main www.edonkey2000.com address, it is still accessible by visiting http://edonkey2000.com. Another target, www.emule-project.net, has also experienced severe disruption and in preparation has mirrored its site to www.emule-project.org. At the time of writing, both www.cracks.st and www.cracks.am were unavailable. Kazaa's Web site seems to be the only one of Netsky's targets to have survived the first day of the attack unscathed.

Mikko Hyppönen, director of antivirus research at F-Secure, said that even though the eDonkey and emule-project sites are online, because they are not accessible through their main Web address, most people will not be able to find them: "Most people that have bookmarked eDonkey and emule-project, or if they search for them on Google, will be directed to the "www" site, which fails. If you surf to a Web site and it fails, how many times do you try it again without the www?" he said.

Hyppönen said Netsky's authors seemed to have learnt a lesson from the mistakes made by the author of the Blaster worm, which last summer launched a massive DDoS attack on Microsoft's Windows Update Web site. However, unlike Netsky, Blaster attacked the lesser-used Web address: "Blaster was stupid -- it attacked the Web site that most people would not use. It only attacked http://windowsupdate.com, not www.windowsupdate.com. Netsky is attacking the address that most people would surf to," he said.