Three Different Hackers Behind Week's Attacks

Three authors, or three groups of hackers, launched three separate attacks this week on vulnerable Windows 2000 machines, analysis released Friday by Panda Software showed.

InformationWeek Staff, Contributor

August 19, 2005

The research gives credence to the idea that a bot battle is being fought over compromised machines.

Panda graphed the first seven bots discovered this week -- Zotob.a through Zotob.d, and IRCbot.kc, IRCbot.jz, and IRCbot.kd -- to show the processes carried out by each. That, said Panda, represents a 'fingerprint' or 'genetic signature' of each bot.

"This gives a graphic idea of the make-up and complexity of each one and the relationship they could have with other variants," said Panda in a statement.

By comparing the graphs, Panda determined that although Zotob.a, Zotob.b, and Zotob.c were almost identical, they were quite different from the others. Of the four remaining, Zotob.d and IRCbot.jz showed a high degree of correlation -- 0.79, where 1.0 is an exact match -- while IRCbot.kc and IRCbot.kd formed the third group.

"Although the functionality achieved is largely the same, the source code of the different families is very different," Panda concluded.

However, said Panda, it's possible that the three hackers or groups of hackers began at the same starting point: the proof-of-concept code that was found circulating in the underground as early as last Friday, August 12.

"The fact that they are all developing in the same direction could be that they are all built on the same base code."
