
The RIAA site has a history of outages related to DDoS attacks (including extended downtime in July 2002 and January 2003) and has frequently been defaced.
Antivirus vendor Trend Micro says it has detected more than 23,000 machines infected with MyDoom.F, a sizeable number but far less than its predecessor, MyDoom.A, which launched a DDoS that kept the www.sco.com site offline for the first half of February.
Speaking of which, SCO's new URL was offline for several hours last night after several weeks of uneventful uptime. A dynamically updating chart of www.thescogroup.com can be found here.
Nearly a third of the attacks in January used the "@" user authentication syntax to construct disguised URLs in links. A Microsoft security patch released Feb. 2 disabled that capability in the Internet Explorer browser. A smaller number - seven percent of January attacks - exploited an IE flaw that causes the browser to display an incorrect URL in its address and status bars.
Q. You've structured your offerings as multiple hosting brands, with separate identities for ValueWeb, SkyNetWeb, Bigstep, HostSave and WinSave. What have been the benefits and challenges of this approach, as opposed to a unified brand?
A. Quite simply, we have different brands because they target different audiences. Offering multiple brands enables us to speak directly to that audience. What a tech-savvy customer needs from a hosting company is different from what a small business owner with zero technology background may need. Multiple brands allow us to communicate to that audience in a vernacular they understand. Providing the six elements of our value proposition means different things to different kinds of customers - having multiple brands helps us achieve this.
Like its predecessors, MyDoom.F has its own SMTP engine and spreads through e-mail attachments, and is programmed to launch denial of service attacks on web sites. The DDoS component of MyDoom.F targets www.microsoft.com and www.riaa.com (the Recording Industry Association of America).
MyDoom.F also opens a backdoor on the victim's computer, using port 1080. Some analyses suggest that it also opens a backdoor on multiple ports between 3000 and 5000 and disables antivirus software. Widespread awareness of MyDoom-related threats has focused fresh attention on the basics of e-mail security, particularly regarding the opening of attachments. That should work to check the spread of MyDoom.F, as will its more destructive payload, which makes it harder for the malware's activity to go unnoticed for very long on compromised machines.
Changes in domain pricing amongst the largest providers over the past month have been fairly minor. 1&1 Internet now charges $5.88 a year for a .com domain, down from $5.99 as it adjusted to fit its "49 cents a month" web site marketing. Go Daddy returned to $7.95 annually for .com names after a brief hike to $8.95 last month. Go Daddy's most aggressive discounting is for .us and .biz domains, which are currently priced at $4.95 a year.
Hostway has acquired RegistryPro from Register.com, and will be the registrar of .pro domain names when they launch in the second quarter. The deal is subject to approval by the Internet Corporation for Assigned Names and Numbers (ICANN). The financial terms of the acquisition were undisclosed. "We believe lawyers, accountants, doctors and service professionals will be eager to use the .pro domain as a way of identifying and differentiating their professional status," said Lucas Roh, President and CEO of Hostway, which will honor all existing .pro sunrise registrations. The .pro extension is available exclusively for lawyers, accountants and doctors, and bundles a domain name and digital certificate.
A German court intervened, ordering NSI to stop soliciting Strato's domain clients. Strato said it would pursue legal action in the US as well, and alleged that Network Solutions "has begun manipulating data to the disadvantage of STRATO clients. NSI is trying to prevent the legitimate relocation of the domains with newer and ever-changing technical hurdles," Strato said in a press statement.
The latest scam, documented at Codefish Spamwatch, operates via an email with the subject "Police investigation."
The number of hostnames found by the Web Server Survey running Windows Server 2003 overtook NT4 this month. We now find over 1.25M hostnames running on Windows 2003, a 283% increase since August.
Comparing the operating systems with those of September 2003 shows that the majority of the sites migrated from Windows 2000 (534K), but also that 55K of the sites migrated from Linux, 56K from FreeBSD and 8K from Solaris, while 272K of the hostnames running Windows 2003 are new sites that were not previously running a different operating system.
Visual spoofing, as outlined by Don Park, uses JavaScript links to launch a new browser window without scrollbars, menubars, toolbars and the status bar. This coding trick is commonly used to launch pop-up ads. In visual spoofing, these GUI elements are replaced by images, allowing the site creator to substitute a fake status bar containing the URL for a legitimate site, along with an image of a "lock" indicating a secure SSL site. Park has posted a demo of the technique, which works in multiple browsers. End users have the ability to configure their browser to prevent this behavior.
Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. Such scams have multiplied in recent months, with many taking advantage of a bug in Internet Explorer that made it easier for fraudsters to simulate the URLs of target financial institutions.
Microsoft issued a patch to repair that problem on Feb. 2. Visual spoofing does not rely on URL spoofing, relying instead on the fake images to accomplish the deceit.
However, SCO have not yet put www.sco.com back into the DNS, perhaps indicating that variants of the virus may be continuing the attack, or perhaps simply that they perceive that the cost/benefit of the site has become unfavourable.
```
% host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)
```
SCO took www.sco.com out of the DNS shortly after the attack began Feb. 1, and began using www.thescogroup.com as an alternate site. That URL also experienced performance problems at first, but has been available in recent days.
A dynamically updating table of the sites affected by the MyDoom DDoS is available here.
"The leak will do some damage to the security of Windows machines, but it's not clear how much," said Ed Felten of Princeton University, a security researcher who has reviewed Windows source code and was an expert witness in the antitrust case against Microsoft. "There's a longstanding debate about the security implications of open source development. Source code access makes it easier to find security bugs. With open source, you make it easier for honest outsiders to find bugs, which is good, but you also make it easier for malicious outsiders to find bugs, which is bad.
"This kind of leak give us the worst of both worlds: honest outsiders will avoid looking at the stolen code, while malicious outsiders use the code; so you get the security drawbacks of open source without the security benefits," Felten added. "This will only matter, though, if the bad guys would otherwise have trouble finding bugs, which may not be the case."
According to eEye, the vulnerabilities include a remote exploit that could allow attackers to gain system privileges, and a denial of service strategy that could cause "total system failure." Both vulnerabilities were reported Sept. 10, and affect default installations of Windows in use on more than 300 million computers, including Windows NT, Windows 2000, Windows XP and Windows Server 2003. eEye reported an additional high-risk remote exploit on Oct. 8.
The new worm, DoomJuice.B, sets random HTTP headers to make it more difficult to filter the attack traffic, seeking to work around a defensive measure used by Microsoft earlier this week, when www.microsoft.com dropped requests without User-Agent headers to differentiate between Web browsers and the DDoS attack agents. The DoomJuice.B DDoS also initiates twice as many requests as its predecessor, launching 32-192 parallel threads instead of the 16-96 of DoomJuice.A.

A dynamically updating graph is available here, with performance data for all the sites involved in the MyDoom DDoS located here.
This morning at around 9am GMT response times to www.microsoft.com surged, and for a time the site failed to respond. Subsequently, www.microsoft.com began dropping requests without User-Agent headers, apparently to differentiate between traffic from Web browsers and the DDoS attack agents. Our monitoring requests, which do not normally set a User-Agent, were also dropped. These were changed to supply a User-Agent header on requests to www.microsoft.com around 2pm GMT and have since seen mixed results, with relatively normal results from London, but some extended and erratic response times from Atlanta, New York and Texas.
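As an added example, not code from the Netcraft article, the User-Agent filter Microsoft applied is run over constructed Apache combined-format log lines, with a second heuristic for the random-looking agents that DoomJuice.B sends to get past such a filter; the addresses, threshold and prefix list are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log line: client, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
NO_UA = "-"  # Apache logs "-" when the request carried no User-Agent header at all
# Prefixes real browsers of the period send; anything else is "unfamiliar" (a heuristic, not proof of attack)
BROWSER_PREFIXES = ("Mozilla/", "Opera/", "Lynx/")

# Constructed sample traffic (hypothetical addresses, not real log data):
#   10.0.0.5 is a browser, 10.0.0.9 hammers "/" with no User-Agent, 10.0.0.7 mixes a missing
#   header with a random-looking one, and 10.0.0.3 is a single header-less monitoring probe.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2004:09:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.9 - - [11/Feb/2004:09:02:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
10.0.0.9 - - [11/Feb/2004:09:02:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
10.0.0.3 - - [11/Feb/2004:09:02:13 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
10.0.0.9 - - [11/Feb/2004:09:02:13 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
10.0.0.7 - - [11/Feb/2004:09:02:14 +0000] "GET / HTTP/1.0" 200 5120 "-" "-"
10.0.0.7 - - [11/Feb/2004:09:02:14 +0000] "GET / HTTP/1.1" 200 5120 "-" "xk2Qz9Lp"
10.0.0.5 - - [11/Feb/2004:09:02:15 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def classify_clients(log_text):
    """Per client IP: total requests, requests with no User-Agent, requests with an unfamiliar one."""
    stats = defaultdict(lambda: {"total": 0, "missing_ua": 0, "unfamiliar_ua": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["ua"] == NO_UA:
            s["missing_ua"] += 1
        elif not rec["ua"].startswith(BROWSER_PREFIXES):
            s["unfamiliar_ua"] += 1
    return dict(stats)

def suspicious_clients(log_text, min_hits=3):
    """IPs with at least min_hits requests, none of which carried a browser-like User-Agent.

    min_hits keeps a lone header-less probe (like Netcraft's own monitor) from being flagged.
    """
    flagged = set()
    for ip, s in classify_clients(log_text).items():
        if s["total"] >= min_hits and s["missing_ua"] + s["unfamiliar_ua"] == s["total"]:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    for ip in sorted(suspicious_clients(SAMPLE_LOG)):
        print("suspicious:", ip)
```

Lowering min_hits to 1 flags the monitoring probe too, which is exactly what happened to Netcraft's own requests when the filter went in.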
General internet connectivity has not been noticeably impaired with 41 of 52 leading hosting company sites experiencing no failed requests in the last 24 hours.
During January both the INetU and Secure Dog sites were faultless with no failed requests at all from any of our five measurement points.
This is the second month running that INetU's site has had no failed requests at all, and it has now been in the top three for the last four months. As neither INetU nor Secure Dog had any failed requests, INetU is ranked above Secure Dog because the average connection time from our performance measurement points to the INetU site was faster.
Third was www.pair.com, a consistently reliable site which was placed fourth for H2 2003. All of the top three sites run on BSD operating systems.
Two European hosting company sites made it into the top 10. Cable & Wireless and Energis, respectively the second and third largest telcos in the UK, were fifth and tenth. Energis is Netcraft's own connectivity provider, but has no special advantage as none of the measurement points are on the Energis network.
1&1's new American unit added a further 19K hostnames in the run-up to the company's Jan. 22 launch of paid services in the U.S. 1&1 says it signed up more than 200K of the free "test drive" accounts, with about 24K active sites visible thus far.
Go Daddy also had strong growth as its shared hosting business gained traction, while EV1Servers returned to form after two consecutive flat months.
Q. Last year was a huge one for EV1Servers, as your company had a big influx of new customers, rebranded itself, and wrestled with growing pains that tested your infrastructure. What was 2003 like for you?
A. 2003 was the best - and at the same time most difficult - year of my life. Our team made a long list of accomplishments: we began offering first cPanel, then Windows hosting, then domain registration and SSL certificates. We also overcame a lot of challenges. I'm particularly proud that not one customer suffered a single second of outage when a transformer explosion in June cut off our utility power for six days. Most importantly, 2003 made us a better company. We ended the year with a more secure network, a stronger and more experienced team, and a new data center whose first phase will see us through our next 12,000 servers. I think this puts us in a great position to make even more progress in 2004.
Although our measurement points have seen some requests to www.microsoft.com fail today (to put this in context, www.inetu.net, the top ranked hosting company site, hasn't had a request fail in over two months), it's been pretty much business as usual for the web site to date, with most response times little different from any other day.
Windows computers infected with MyDoom.B are programmed to begin attacking www.microsoft.com today at 13:09:18 (UTC) and continue through March 1st.
Performance data for the sites involved in the MyDoom DDoS is available here.
Additionally, www2.sco.com has been taken out of the DNS.
```
% host www2.sco.com
Host www2.sco.com not found: 3(NXDOMAIN)
```
The latest IE update disallows the use of the "@" character in URLs, addressing a snafu which has helped phishing scammers to disguise the Internet address of a fake Web site. Once the update is installed, including the @ symbol in URLs will return an "invalid syntax error" message. Internet scammers have been using @ signs in URLs to trick bank customers into revealing their account details.
The latest patch also fixes a cross-domain scripting vulnerability in Internet Explorer, through which a remote attacker could bypass security measures that limit the commands that Web-based code can execute on a user machine. The flaw enables a link containing JavaScript code to run commands in the Local Machine Zone with user privileges.
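As an added example, not code from the Netcraft article, the "@" user-authentication syntax described here and in the January phishing statistics above is checked the way a mail or proxy filter would: the host the browser really connects to is taken from the authority after the last "@", and the text before it is compared against a list of protected bank hostnames. All hostnames in the sample are invented, and the protected list is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind found in phishing mail; every hostname here is invented.
SAMPLE_LINKS = [
    "http://www.examplebank.test/login",                                      # ordinary link
    "http://www.examplebank.test@203.0.113.9/login",                          # bank name as "user", real host is an IP
    "http://www.examplebank.test:account@evil.example/secure/",               # bank name as user:password
    "https://user:pw@evil.example/",                                          # userinfo that names no protected host
    "http://www.examplebank.test/login?next=http://x.example@evil.example/",  # '@' only in the query string
]

def real_host(url):
    """Host the browser actually connects to: the authority part after the last '@', if any."""
    return urlsplit(url).hostname

def userinfo(url):
    """Text before '@' in the authority (username[:password]), or None when there is none.

    Only the authority counts; an '@' in the path or query does not change the destination,
    so a naive '"@" in url' test would wrongly flag the last sample link.
    """
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[0] if "@" in netloc else None

def analyse(url, protected_hosts):
    """Describe one link and say whether its userinfo impersonates one of protected_hosts (lower-case)."""
    info = userinfo(url)
    decoy = info.split(":", 1)[0].lower() if info else ""
    return {
        "url": url,
        "host": real_host(url),
        "has_userinfo": info is not None,
        "impersonates": decoy if decoy in protected_hosts else None,
    }

def disguised_links(urls, protected_hosts):
    """Links whose '@' prefix names a protected host while the connection goes somewhere else."""
    hosts = {h.lower() for h in protected_hosts}
    return [r["url"] for r in (analyse(u, hosts) for u in urls)
            if r["impersonates"] and r["host"] != r["impersonates"]]

if __name__ == "__main__":
    for link in disguised_links(SAMPLE_LINKS, {"www.examplebank.test"}):
        print("disguised:", link, "->", real_host(link))
```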
Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.
Essentially, Microsoft is accepting the significantly higher load on its name servers [outsourced to Akamai] as the premium of an insurance policy in the event that it wants to move www.microsoft.com very quickly.
In this regard Microsoft is being very circumspect towards the potential payload of MyDoom B virus, which anti-virus companies have tended to belittle. Of course, this may simply reflect the fact that Microsoft is directly at risk from the payload, while the anti-virus companies are merely informed bystanders, rather than Microsoft's view of the likely traffic levels being significantly different to the anti-virus companies' expectations.
Our expectation is that Microsoft will defend the payload from its own network, at least initially. If Microsoft does decide to deploy Akamai's http caching, this should not necessarily be read as an admission that its in-house infrastructure could not cope; it is more likely to be motivated by a public spirited desire to keep the traffic off the Internet's main arteries by absorbing the payload as close to the sources of the attacks as possible.
sco.com actually resolves to the same IP address as www.thescogroup.com.
```
% host sco.com
sco.com has address 216.250.128.21
% host www.thescogroup.com
www.thescogroup.com has address 216.250.128.21
%
```
Performance data on www.thescogroup.com is available now.
A graph of performance of www2.sco.com has just started appearing, while a comparative table of performance of some of the sites connected with the MyDoom virus is also available. Each is updated every fifteen minutes.
Note that sco.com and caldera.com, which both shared the same IP address as www.sco.com, are still down, possibly because of stale DNS caching, or perhaps simply because the machine that ran those sites has been shut down.
```
% host sco.com
sco.com has address 216.250.128.12
% host www.caldera.com
www.caldera.com has address 216.250.128.12
```
The most recent Web Server Survey found some 58 hostnames running web sites that resolved to this IP address, and one would presume that SCO is unconcerned about their availability, since it would have been possible to give www.sco.com its own IP address in the prelude to the DDoS.
Plausibly, the hostmaster's plan was to set the TTL to 60 seconds to give himself the flexibility of having changes propagate promptly, and then see what the HTTP traffic was like before making a decision to remove the site from the DNS. He has now decided that he has seen enough. SCO may also have been the subject of pressure from ISPs to put a stop to the HTTP traffic.
```
% host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)
% dig www.sco.com
www.sco.com.  IN A
% date
Sun Feb 1 19:29:50 GMT 2004
```
Generally, conditions on the Internet seem very acceptable at the moment, with few hosting company sites experiencing failed requests. This contrasts markedly with forecasts from anti-virus companies and this morning's press release from SCO which reported the Internet as being overwhelmed.
That said, the sco.com hostmaster is reserving his options, with the TTL set to just 60 seconds at time of writing.
```
% host www.sco.com
www.sco.com has address 216.250.128.12
% dig www.sco.com
www.sco.com.  60  IN  A  216.250.128.12
% telnet www.sco.com http
Trying 216.250.128.12...
Connected to www.sco.com.
Escape character is '^]'.
Connection closed by foreign host.
```
Contrastingly, www.microsoft.com's performance is as normal. Microsoft has chosen to leave the hostname still resolving to a set of 8 IP addresses in Redmond, rather than point it at Akamai's content distribution network, with their TTL set to just under an hour.
```
www.microsoft.com.          7  IN  CNAME  www.microsoft.akadns.net.
www.microsoft.akadns.net.   7  IN  CNAME  www2.microsoft.akadns.net.
www2.microsoft.akadns.net.  8  IN  A      207.46.156.252
www2.microsoft.akadns.net.  8  IN  A      207.46.245.92
www2.microsoft.akadns.net.  8  IN  A      207.46.245.156
www2.microsoft.akadns.net.  8  IN  A      207.46.249.252
www2.microsoft.akadns.net.  8  IN  A      207.46.250.222
www2.microsoft.akadns.net.  8  IN  A      207.46.250.252
www2.microsoft.akadns.net.  8  IN  A      207.46.134.221
www2.microsoft.akadns.net.  8  IN  A      207.46.144.188
```
A graph of the www.sco.com response times is available, while people may also subscribe to receive outage alerts on the sites.
Elsewhere, the Internet looks quite benign with presently just 10 of the fifty hosting company sites monitored by Netcraft showing failed requests during the last 24 hours, and none showing outages.
In the February 2004 survey we received responses from 47,173,415 sites.
The number of responding sites is up by over one million from January; however the percentage share between the different web servers is little changed, with Microsoft's half a percent drop in active sites being the most salient point of interest.
| Developer | January 2004 | Percent | February 2004 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 31040922 | 67.38 | 31703884 | 67.21 | -0.17 |
| Microsoft | 9675979 | 21.00 | 9849971 | 20.88 | -0.12 |
| SunONE | 1503855 | 3.26 | 1657295 | 3.51 | 0.25 |
| Zeus | 752053 | 1.63 | 755227 | 1.60 | -0.03 |