informa

Worm Wars

The onslaught of new infections continues, but the new malware contains nasty messages aimed at other hacker factions.
The worm blitz that began last Friday, and showed no sign of letting up on Wednesday, escalated as security analysts probing the code of the latest samples discovered an obscenity-laced exchange between rival hacker factions.

According to analysis by several antivirus companies, including Central Command, Sophos, and Finland-based F-Secure, profanity-laden messages between the creators of the latest Netsky, Bagle, and MyDoom variants are embedded as plain text in the worms' code.

Inside Bagle.j, which first showed up Tuesday and was the eighth variant to debut since Friday, is text taunting Netsky. Bagle.k, a new variant that appeared Wednesday, carries similar text, Sophos said. Netsky.f, another worm discovered Wednesday, contains a retort, according to F-Secure's analysis: tucked inside its code is the line "Skynet AntiVirus--Bagle--you are a looser!!!"
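The taunts above were found the way most embedded messages are: by pulling printable strings out of the sample rather than by reading disassembly. The following is an added example, not code from the article or from any of the antivirus vendors it quotes. It scans a byte blob for ASCII and UTF-16LE runs (Windows malware commonly stores strings in both forms) and then filters for the worm-family names the article mentions. The sample bytes are constructed here for illustration; only the quoted Netsky.f line comes from the page, and the other strings and the layout are made up.

```python
"""Extract printable strings from a binary sample and flag ones that
mention rival worm families.

Added example, not code from the article or from any antivirus vendor.
SAMPLE below is a constructed stand-in for a worm binary, not a real one.
"""
import re
from typing import List, Tuple

MIN_LEN = 6  # shorter runs are mostly opcode noise; tune per sample

# A run of at least MIN_LEN printable ASCII bytes (0x20-0x7e).
_ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters as UTF-16LE: each printable byte followed by a NUL.
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every candidate string in blob,
    sorted by offset. Both encodings are scanned independently."""
    found: List[Tuple[int, str, str]] = []
    for m in _ASCII_RE.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16_RE.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def find_taunts(
    strings: List[Tuple[int, str, str]],
    keywords: Tuple[str, ...] = ("netsky", "bagle", "skynet", "mydoom"),
) -> List[Tuple[int, str, str]]:
    """Keep only strings that name one of the rival worm families
    (case-insensitive substring match)."""
    hits = []
    for off, enc, text in strings:
        low = text.lower()
        if any(k in low for k in keywords):
            hits.append((off, enc, text))
    return hits


# Constructed sample: a fake DOS header, some filler, the Netsky.f line
# quoted by F-Secure, a UTF-16LE mail subject, junk, and an import name.
# None of the layout reflects a real worm binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"\x00" * 16
    + b"Skynet AntiVirus--Bagle--you are a looser!!!\x00"
    + bytes(range(0x80, 0xA0))                       # non-printable filler
    + "Re: Your document".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x01cd\x02"                                 # too short to count
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:08x} {enc:8s} {text!r}")
    print("taunts:", find_taunts(extract_strings(SAMPLE)))
```

Two caveats a practitioner would add: packed or encrypted samples (common for mass-mailing worms of this period) expose almost no strings until the binary is unpacked or dumped from memory, so an empty result is not evidence that the text is absent; and strings such as fake mail subjects and DLL names are data the worm uses, not messages from the author, so the keyword filter is only a starting point for manual review.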

Even the MyDoom worm family got into the act; within MyDoom.g--a close copy of the original MyDoom loosed on the Internet late Tuesday--is an attack on Netsky's creators.

Calling the back-and-forth the first major global "cyber war" between hackers, security firm Central Command noted that the person or persons behind each of the three worm families involved (Bagle, Netsky, and now MyDoom) are battling for control of a huge army of compromised Windows computers; each infection opens ports and installs backdoor components on the system.

"It appears to be a war over power and seniority among these authors," Steven Sundermeier, Central Command's VP of products and services, said in a statement.

Other security firms, including Sophos, have used the word "war" to define what's going on. "Clearly the author of the Bagle worms is unimpressed that Netsky is stealing some of the limelight and most of the headlines," said Graham Cluley, a senior technology consultant for the U.K.-based Sophos.

Part of the motivation for the name-calling may be that some editions of Netsky, particularly Netsky.d, seek out and remove certain Bagle variants they find on infected systems.

The ultimate losers of any hacker catfight are users, said Vincent Gullotto, VP of McAfee's Avert virus research team. "It's the end user, it's the Internet that suffers," he said. While some mail servers have been temporarily clogged, the Internet as a whole has shown no performance degradation from the millions of worm-laden messages shuttling back and forth. But both business users and consumers can have fits trying to stay updated against such fast-developing, high-volume threats.

"In my seven years, I've seen this back-and-forth once or twice or three times, but nothing to this extent," said Gullotto. "There's new variant after new variant, two and three times a day in some cases."

In the last 24 hours, a quartet of new worms or variations on older editions has been spotted by McAfee, said Gullotto, including MyDoom.g, Netsky.f, Bagle.k, and Hiton. McAfee ranks them all as a "low" threat, while rival Symantec tagged all four with a "2" on its 1-to-5 scale.

The most persistent, and prevalent, of the worms released since Friday remains Netsky.d, which first appeared Monday.

MessageLabs, a U.K.-based firm that filters mail for enterprise customers worldwide, said Wednesday that Netsky.d has surged in its spread and now accounts for one in every 19 E-mails it scans.

"Although Netsky.d was fairly quiet in the first 24 and 48 hours--a slow burner, so to speak--we've seen a jump in the last 12 hours," said Natasha Staley, an information security analyst with MessageLabs.

Of the more than 1.5 million copies of the worm that MessageLabs has intercepted since Monday, said Staley, 700,000 were nabbed in a half-day.

"At the moment, Netsky.d isn't that far off MyDoom.a in its prevalence," said Staley, noting that at its peak, MyDoom.a accounted for one in every 12 E-mails that reached her company's filters.