Newest Netsky Worms More Dangerous - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Newest Netsky Worms More Dangerous

The three most recent variants open up back doors to infected machines.

The three most recent Netsky worms are taking a new tack: They open up back doors to infected machines--and that may be an upping of the hacker ante or a sign that new attackers are using the Netsky source code to write even more destructive malware, security analysts said Thursday.

Netsky.s, Netsky.t, and Netsky.u, which first appeared on the Internet this past weekend, on Monday, and on Wednesday, respectively, all share one characteristic that separates them from the previous 18 variations: They install a backdoor component that leaves open TCP port 6789.

Back doors are dangerous because they allow the original hacker, or other attackers, to scan for the open port--and when found, plant arbitrary code on the compromised machine, including key loggers to steal passwords or new variations of a worm, or turn the system into a spam-spewing engine.

"There are tens of thousands of computers that have some sort of backdoor open, both inside corporate networks and on home machines," said Vincent Gullotto, VP of Network Associates' Avert research team. In a worst-case scenario, he added, open ports can be used to insert worms that don't require any action on the part of the end-user, but exploit system software vulnerabilities to run code.

"That's when a worm can really take off," he said.

Both Gullotto and Patrick Hinijosa, chief technology officer at Panda Software, confirmed that the three Netskys were the first in that line to drop a back-door component into infected systems.

The writers of these newest Netskys could be adding to the worm's arsenal, or an entirely different group could be using the Netsky source code to write new variations, both analysts said. Netsky's source code was released by the original authors, and is available to hackers at a variety of Web sites.

"This seems more typical of Bagle," said Gullotto, noting that the Bagle worms have all implanted a back door on infected machines. "This could be the Bagle guys grabbing the [Netsky] source code and writing something of their own."

Hinijosa agreed. "This is a pretty radical change in characteristic" from earlier Netskys, he said. "It doesn't fit their pattern and goes against their stated tactic of eliminating other viruses."

It's certainly possible, Hinijosa added, that another hacker, or hackers, saw the successful spreading of Netsky and piggybacked their own efforts onto the source code. "They look at Netsky and think, 'here's a proven vehicle, why re-invent the wheel,'" Hinijosa said.

However, a text message embedded within the code of Netsky.t claims that the new worm and its backdoor component were created by the original Skynet group of hackers.

According to analysis done by security firm Trend Micro, the text reads: "Now we have programmed our back door, it cannot be used for spam relaying, only for Skynet distribution."

Analysts warned that such text can't be taken at face value, and is ambiguous at best. "Distribution" could mean, for instance, the planting of additional worms.

In other Netsky news Thursday, it appeared that the first of its denial-of-service attacks, launched by Netsky.q--a worm that hit the Internet on March 28--was more fizzle than sizzle.

Netsky.q took its first denial-of-service shots Thursday when it began hitting five Web sites, including peer-to-peer file-sharing sites,, and Most weathered the storm and were up and running as of midday.

Those sites, along with two dedicated to "cracks"--llegal patches to break commercial software copy protection schemes--were targeted by Netsky.q, the first worm in that line that added denial-of-service attacks to it bag of malicious tricks.

Although some of the sites were unavailable for a time--late Wednesday, switched to a mirror site at impact of Netsky.q seemed to be short-lived.

But these sites' problems aren't at an end. Netsky.q's denial-of-service attack runs through Sunday, and later Netsky variations also include denial-of-service components--in some cases with slightly different lists and with different start and end dates. The most recent Netsky, dubbed Netsky.u, for example, will attempt a denial-of-service attack on,,,, and between April 14 and April 23.

Earlier this year, the MyDoom worm successfully knocked SCO Group's Web site off the air with a widespread denial-of-service attack. Other sites that have been the target of similar assaults include those belonging to Microsoft and the Recording Industry Association of America, which has been aggressively hunting down high-volume music file sharers.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
10 Cyberattacks on the Rise During the Pandemic
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/24/2020
IT Trade Shows Go Virtual: Your 2020 List of Events
Jessica Davis, Senior Editor, Enterprise Apps,  5/29/2020
Study: Cloud Migration Gaining Momentum
John Edwards, Technology Journalist & Author,  6/22/2020
Register for InformationWeek Newsletters
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll