Netsky.s, Netsky.t, and Netsky.u, which first appeared on the Internet this past weekend, on Monday, and on Wednesday, respectively, all share one characteristic that separates them from the previous 18 variations: They install a backdoor component that leaves open TCP port 6789.
Back doors are dangerous because they allow the original hacker, or other attackers, to scan for the open port--and when found, plant arbitrary code on the compromised machine, including key loggers to steal passwords or new variations of a worm, or turn the system into a spam-spewing engine.
"There are tens of thousands of computers that have some sort of backdoor open, both inside corporate networks and on home machines," said Vincent Gullotto, VP of Network Associates' Avert research team. In a worst-case scenario, he added, open ports can be used to insert worms that don't require any action on the part of the end-user, but exploit system software vulnerabilities to run code.
"That's when a worm can really take off," he said.
Both Gullotto and Patrick Hinijosa, chief technology officer at Panda Software, confirmed that the three Netskys were the first in that line to drop a back-door component into infected systems.
The writers of these newest Netskys could be adding to the worm's arsenal, or an entirely different group could be using the Netsky source code to write new variations, both analysts said. Netsky's source code was released by the original authors, and is available to hackers at a variety of Web sites.
"This seems more typical of Bagle," said Gullotto, noting that the Bagle worms have all implanted a back door on infected machines. "This could be the Bagle guys grabbing the [Netsky] source code and writing something of their own."
Hinijosa agreed. "This is a pretty radical change in characteristic" from earlier Netskys, he said. "It doesn't fit their pattern and goes against their stated tactic of eliminating other viruses."
It's certainly possible, Hinijosa added, that another hacker, or hackers, saw the successful spreading of Netsky and piggybacked their own efforts onto the source code. "They look at Netsky and think, 'here's a proven vehicle, why re-invent the wheel,'" Hinijosa said.
However, a text message embedded within the code of Netsky.t claims that the new worm and its backdoor component were created by the original Skynet group of hackers.
According to analysis done by security firm Trend Micro, the text reads: "Now we have programmed our back door, it cannot be used for spam relaying, only for Skynet distribution."
Analysts warned that such text can't be taken at face value, and is ambiguous at best. "Distribution" could mean, for instance, the planting of additional worms.
In other Netsky news Thursday, it appeared that the first of its denial-of-service attacks, launched by Netsky.q--a worm that hit the Internet on March 28--was more fizzle than sizzle.
Netsky.q took its first denial-of-service shots Thursday when it began hitting five Web sites, including peer-to-peer file-sharing sites Kazaa.com, E-mule-project.net, and Edonkey2000.com. Most weathered the storm and were up and running as of midday.
Those sites, along with two dedicated to "cracks"--llegal patches to break commercial software copy protection schemes--were targeted by Netsky.q, the first worm in that line that added denial-of-service attacks to it bag of malicious tricks.
Although some of the sites were unavailable for a time--late Wednesday, Emule-project.net switched to a mirror site at emule-project.org--the impact of Netsky.q seemed to be short-lived.
But these sites' problems aren't at an end. Netsky.q's denial-of-service attack runs through Sunday, and later Netsky variations also include denial-of-service components--in some cases with slightly different lists and with different start and end dates. The most recent Netsky, dubbed Netsky.u, for example, will attempt a denial-of-service attack on cracks.am, emule.de, kazaa.com, freemule.net, and keygen.us between April 14 and April 23.
Earlier this year, the MyDoom worm successfully knocked SCO Group's Web site off the air with a widespread denial-of-service attack. Other sites that have been the target of similar assaults include those belonging to Microsoft and the Recording Industry Association of America, which has been aggressively hunting down high-volume music file sharers.