Bot Battle Brewing - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

03:34 PM

Bot Battle Brewing

Think the Zotob bot worm sparked a mess? Just wait. Several security firms are warning computer users that a Bagle vs. Netsky-style battle between bots is underway.

Just as the author of the Zotob bot worm was tentatively identified Wednesday as the same individual who wrote some of the Mytob worms, several security firms warned users that a Bagle vs. Netsky-style battle between bots is under way.

"Competing factions seem to be dueling for control of the botnets of PCs in order to perpetrate wider Internet criminal activity," said Alex Shipp, a senior anti-virus technologist at U.K.-based security vendor MessageLabs, in a statement e-mailed to TechWeb. "We may well now see a period of intense malware activity as these groups vie for pole position."

He also claimed that the businesses hit by the attack are only so much "collateral damage in the malware authors' attempts to compromise home computers to generate zombie armies."

Shipp based his bot battle take on the fact that one of the most recent bots that exploits the Windows 2000 Plug and Play vulnerability also takes shots at a rival. The Bozori bot, also dubbed Zotob.f, includes code to disable rival bot worms that may be already in place, including Esbot.a, Zotob.b, and Zotob.d.

That practice is common, said Gunter Ollmann, the director of Internet Security Systems' (ISS) X-force research group, and is used by bot authors to maintain control of the machines they've compromised.

The most notable back-and-forth between hackers was in early 2004, when the writers of the Bagle and Netsky worm families engaged in a long-running tit for tat exchange where each tried to delete the other's code. The battle led to a veritable flood of malicious code that last weeks.

Some see the beginnings of a repeat.

"In the most significant activity we've seen in more than a year, networks have been invaded over the last 72 hours by at least three fast, vicious groups exploiting vulnerabilities," a spokesperson for Computer Associates said in an e-mail.

Unlike in 2004's Bagle vs. Netsky brouhaha, however, the motive isn't notoriety -- the Netsky author, for instance, was a German teenager -- this battle between bot families is driven by pure capitalism, albeit on a criminal scale.

"Gaining access to an extensive network of compromised computers is a valuable asset to criminals, as the worms can allow them to gain control of the computers and use them to send spam, launch an extortion denial-of-service attack against a Web site, steal confidential information, or blast out new versions of malware to other unsuspecting computer users," said Chris Kraft, senior security analyst for Sophos, in a statement.

At least one security analyst, however, doesn't see a criminal conspiracy in the offing, but instead thinks it's just bot business as usual.

"Bots typically include code to automatically disable anti-virus software tools or access to updates, such as Microsoft's Windows Update, or anything else that can detect the bot or take control away from the attacker," said ISS's Ollmann.

"It's a matter of interpretation," he admitted, "but I don't think anyone if actively targeting other botnets. They always take steps to prevent any known bot from working on their compromised machines, so it's more a case of wanting to maintain control that to grab a host on someone else's botnet."

In other Zotob news on Wednesday, MessageLabs said that it had tentatively identified the author of the Zotob variants as a hacker known only as "Diab10," who was responsible for some of the Mytob worms launched this year.

MessageLabs based its Diab10 connection at least in part on the fact that Zotob is very similar to Mytob (which in turn has substantial code from the even-earlier MyDoom).

"[This] could spell the beginning of a period of intense malware activity similar to the Netsky-Bagle wars," said MessageLabs in an e-mailed statement.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

New Storage Trends Promise to Help Enterprises Handle a Data Avalanche
John Edwards, Technology Journalist & Author,  4/1/2021
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
How to Submit a Column to InformationWeek
InformationWeek Staff 4/9/2021
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll