Bot Battle Brewing - InformationWeek


Bot Battle Brewing

Think the Zotob bot worm sparked a mess? Just wait. Several security firms are warning computer users that a Bagle vs. Netsky-style battle between bots is underway.

Just as the author of the Zotob bot worm was tentatively identified Wednesday as the same individual who wrote some of the Mytob worms, several security firms warned users that a Bagle vs. Netsky-style battle between bots is under way.

"Competing factions seem to be dueling for control of the botnets of PCs in order to perpetrate wider Internet criminal activity," said Alex Shipp, a senior anti-virus technologist at U.K.-based security vendor MessageLabs, in a statement e-mailed to TechWeb. "We may well now see a period of intense malware activity as these groups vie for pole position."

He also claimed that the businesses hit by the attack are only so much "collateral damage in the malware authors' attempts to compromise home computers to generate zombie armies."

Shipp based his bot battle take on the fact that one of the most recent bots that exploits the Windows 2000 Plug and Play vulnerability also takes shots at a rival. The Bozori bot, also dubbed Zotob.f, includes code to disable rival bot worms that may be already in place, including Esbot.a, Zotob.b, and Zotob.d.

That practice is common, said Gunter Ollmann, the director of Internet Security Systems' (ISS) X-force research group, and is used by bot authors to maintain control of the machines they've compromised.

The most notable back-and-forth between hackers was in early 2004, when the writers of the Bagle and Netsky worm families engaged in a long-running tit-for-tat exchange in which each tried to delete the other's code. The battle led to a veritable flood of malicious code that lasted for weeks.

Some see the beginnings of a repeat.

"In the most significant activity we've seen in more than a year, networks have been invaded over the last 72 hours by at least three fast, vicious groups exploiting vulnerabilities," a spokesperson for Computer Associates said in an e-mail.

Unlike 2004's Bagle vs. Netsky brouhaha, where the motive was notoriety (the Netsky author, for instance, was a German teenager), this battle between bot families is driven by pure capitalism, albeit on a criminal scale.

"Gaining access to an extensive network of compromised computers is a valuable asset to criminals, as the worms can allow them to gain control of the computers and use them to send spam, launch an extortion denial-of-service attack against a Web site, steal confidential information, or blast out new versions of malware to other unsuspecting computer users," said Chris Kraft, senior security analyst for Sophos, in a statement.

At least one security analyst, however, doesn't see a criminal conspiracy in the offing, but instead thinks it's just bot business as usual.

"Bots typically include code to automatically disable anti-virus software tools or access to updates, such as Microsoft's Windows Update, or anything else that can detect the bot or take control away from the attacker," said ISS's Ollmann.

"It's a matter of interpretation," he admitted, "but I don't think anyone is actively targeting other botnets. They always take steps to prevent any known bot from working on their compromised machines, so it's more a case of wanting to maintain control than to grab a host on someone else's botnet."
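One cheap way a bot can cut off anti-virus updates and Windows Update, as Ollmann describes, is to pin the vendors' hostnames to a dead address in the Windows hosts file. The following is an added example of an audit for that tampering; it is not code from the article or from any of the vendors quoted. The domain watchlist and the sample hosts content are constructed for illustration, not taken from a real infection.

```python
"""Audit a Windows hosts file for entries that sinkhole or redirect
anti-virus vendor and Windows Update hostnames.

Added example. WATCHED_SUFFIXES is an illustrative assumption, and
SAMPLE_HOSTS is constructed to look like a tampered hosts file.
"""
import ipaddress
import re

# Assumption: hostnames a bot would want unreachable from the victim.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
    "kaspersky.com",
    "trendmicro.com",
)

# Constructed sample: legitimate entries mixed with sinkholed vendor names.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com liveupdate.symantec.com
0.0.0.0         download.mcafee.com
192.168.1.10    intranet.example.local
::1             localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def classify(ip):
    """'sinkhole' for loopback/unspecified, 'redirect' for anything else
    (including a malformed address, which is still worth a look)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "redirect"
    return "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"


def find_hijacks(text):
    """Return sorted (hostname, ip, kind) for every watched name pinned in
    the hosts file. Any pin of a vendor name is suspicious; the kind
    distinguishes silent blocking from a redirect to another host."""
    hits = [(name, ip, classify(ip))
            for ip, name in parse_hosts(text) if is_watched(name)]
    return sorted(hits)


if __name__ == "__main__":
    for name, ip, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"{kind:8s} {name} -> {ip}")
```

On a live Windows machine, read the file at %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacks; an empty result does not prove the box is clean, since a bot can also block by firewall rule, DNS tampering or simply killing the updater process, but a non-empty result is a strong indicator.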

In other Zotob news on Wednesday, MessageLabs said that it had tentatively identified the author of the Zotob variants as a hacker known only as "Diab10," who was responsible for some of the Mytob worms launched this year.

MessageLabs based its Diab10 connection at least in part on the fact that Zotob is very similar to Mytob (which in turn has substantial code from the even-earlier MyDoom).

"[This] could spell the beginning of a period of intense malware activity similar to the Netsky-Bagle wars," said MessageLabs in an e-mailed statement.
