Security Watch: Don't get burned by viruses and hackers.
Could you get caught in a virus gang war?
By Robert Vamosi 
Senior associate editor, CNET Reviews
March 10, 2004

It's a busy time for computer viruses and worms. Over the last three weeks, we've seen nearly two dozen variations of Bagle, Netsky, and MyDoom circulate the Net. What gives? It looks like gang warfare is responsible--drive-by shootings on the information highway.

Script kiddies
You heard me right. "Gangs" of virus writers are currently trying to outdo one another and protect their turf. What they're fighting for is control of thousands of virus-infected computers worldwide, each running a Trojan horse back door that knits them into a stealth peer-to-peer network. Such networks can be used to launch next-generation computer viruses or distributed denial-of-service attacks. They can also be sold to spammers, who use the compromised machines to send messages to our in-boxes anonymously. Because of all their uses, virus writers consider these networks worth fighting for.

Unfortunately, you and I aren't just bystanders; we're the targets. And the only solution I can offer is what I've been saying for years: Update your antivirus software and don't open unsolicited e-mail messages. I wish there were a magic fix I could offer that would inoculate us all from these viruses, but unfortunately, there isn't. These infections aren't even very original. They use good old-fashioned social engineering, not a software flaw, to spread.

There appear to be three distinct gangs: the MyDoomers, who are using source code from the MyDoom.b worm to set up stealth networks; the Bagles, who wrote their own unique viral code to establish the same sorts of networks; and the Netskys, who seem to have started the whole imbroglio by thwarting the plans laid down by MyDoom and Bagle.

An online street fight
The fight seems to have broken out on February 18, when Netsky.b appeared on the Net and began removing traces of MyDoom and Bagle from infected computers. Netsky.b removed not only the viral code, but also the Trojan horse back doors. These are the tunnels of communication that allow the MyDoom and Bagle gangs to communicate with infected systems and thus set up the valuable peer-to-peer networks. Needless to say, the authors of the Bagle and MyDoom variants took offense--as Netsky spread, their networks began to shrink in size, and thus their ability to do harm online diminished.

One week later, on February 25, the Netsky.c variant appeared with a hidden message embedded in its code: "We are the skynet--you can't hide yourself---we kill malware...MyDoom.f is a thief of our idea!" (Such messages are known as greetz.) A few days later, Bagle.j and MyDoom.g responded: "Hey, NetSky...Don't ruin our business, wanna start a war?" and "To NetSky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. We have seen P2P in Slapper in Sinit only. They may be called skynets, but not your...app." (Slapper is a Linux worm that built its own P2P network of infected hosts starting in August 2002; Sinit is a common Trojan horse that did the same starting in October 2003.)

Greetz are not new; often they are directed at rival Internet gangs or antivirus researchers. In December of 2001, rival members of Israeli script kiddie gangs unwittingly released the Goner virus. In that case, the virus (which they called Pentagone) contained greetz with Internet nicknames of the authors: "Pentagone coded by: suid, tested by: ThE_SkuLL and Isatanl." Originally, the authors named in the greetz denied their involvement; shortly thereafter, however, they took credit for the virus when the news media started saying the code was cut and pasted from elsewhere. A short time later, the Israeli youths were arrested and sentenced to two and a half years in jail.

Also, the recently arrested Belgian virus writer Gigabyte is famous for using greetz to taunt antivirus researchers, in particular Graham Cluley of Sophos.

Social engineering viruses
Most of the viruses that have appeared over the last few weeks rate a 6 on our 10-point Virus Meter, meaning we consider them moderate threats. As of last Friday, only Netsky.d was spreading quickly, infecting 1 of every 19 e-mail messages; this is very close to the infection rate of the original MyDoom, which spread at a rate of 1 of every 12 messages in mid-January.

Despite some interesting programming nuances, such as requiring a password to unlock the ZIP file attachment in the e-mail, these variants introduce only minor changes to the original code--just enough to fool the signature files that your antivirus software uses to recognize and stop them. The password trick is aimed at scanners, not at you: a gateway scanner can't look inside an encrypted archive, but the password has to be handed to the victim somewhere, so it appears in the body of the same message. So far, two antivirus companies, Kaspersky and BitDefender, have added the capability to decode the password-protected ZIP attachments in infected e-mail, but I expect all antivirus companies will adopt this strategy soon.

The viruses' success, in the end, is due to their social engineering. They spread because human beings--hopefully not you--open the files attached to the e-mail messages they're sent in. As a result, many corporations are now blocking all ZIP file attachments, which surely costs them some productivity. But until every desktop has up-to-date antivirus technology, and until every user stops opening unsolicited e-mail attachments, viruses such as these will continue to afflict us.
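Here is what "decoding the password-protected ZIP" looks like in practice. The following is an added example, not code from this column or from any antivirus vendor: it hand-builds a constructed sample message carrying a ZIP encrypted with the traditional PKWARE scheme (Python's zipfile can decrypt that scheme but not encrypt it, so the archive is written by hand), pulls the password out of the message body, lists the archive's entries, and unlocks and inspects the data. The addresses, the "the password is ..." phrasing the regex expects, the "MZ" stub payload, and all function names are assumptions made for illustration.

```python
import email
import email.policy
import io
import os
import re
import struct
import zipfile
import zlib
from email.message import EmailMessage

# Extensions a mail gateway should treat as executable content inside an archive.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Assumed body phrasing ("the password is 12345" or "Password: 12345"); real worm mails vary.
PASSWORD_RE = re.compile(r"password\s*(?:is|:)\s*([A-Za-z0-9]+)", re.IGNORECASE)


def _crc_step(crc, byte):
    """One-byte CRC-32 table step without zlib's pre/post inversion, as PKWARE's key schedule uses it."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto_encrypt(password, crc, plain):
    """Traditional PKWARE ('ZipCrypto') encryption of one stored entry: returns the 12-byte
    encryption header plus the encrypted data, i.e. the entry's 'compressed' bytes."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c):
        keys[0] = _crc_step(keys[0], c)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)

    def encrypt(data):
        out = bytearray()
        for c in data:
            k = keys[2] | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            update(c)  # the key stream advances on the plaintext byte
        return bytes(out)

    for p in password:
        update(p)
    # Last header byte mirrors the CRC's top byte so a reader can reject a wrong password early.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    return encrypt(header) + encrypt(plain)


def build_encrypted_zip(name, plain, password):
    """Hand-write a one-entry ZIP: method 0 (stored), general-purpose flag bit 0 = encrypted."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    body = zipcrypto_encrypt(password, crc, plain)
    fname = name.encode("ascii")
    dos_time, dos_date = 0, ((2004 - 1980) << 9) | (3 << 5) | 10  # 2004-03-10
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, 1, 0, dos_time, dos_date,
                        crc, len(body), len(plain), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, 1, 0, dos_time, dos_date,
                          crc, len(body), len(plain), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def build_sample_mail(body_password, archive_password=None):
    """Constructed message in the style the column describes (not a real worm sample); the
    archive password defaults to the one stated in the body, or can be made to disagree."""
    payload = b"MZ" + b"\x90" * 200  # DOS 'MZ' stub so the content looks like a PE; not runnable
    archive_pwd = (archive_password or body_password).encode()
    archive = build_encrypted_zip("document.exe", payload, archive_pwd)
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Re: Document"
    msg.set_content("For security reasons the attached file is password protected.\n"
                    f"The password is {body_password}.\n")
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()


def scan_message(raw):
    """Gateway-style check. Entry names are stored in the clear even when the data is encrypted,
    so executables are flagged by name; if the body gives up the password, the data is unlocked
    and inspected too, which is the capability the column credits Kaspersky and BitDefender with."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    text = msg.get_body(preferencelist=("plain",))
    m = PASSWORD_RE.search(text.get_content() if text is not None else "")
    pwd = m.group(1).encode() if m else None
    report = {"password_in_body": pwd is not None, "entries": [], "verdict": "allow"}
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for info in zf.infolist():
                entry = {"name": info.filename, "encrypted": bool(info.flag_bits & 0x1),
                         "executable_name": info.filename.lower().endswith(EXEC_EXT),
                         "inspected": False, "mz_header": False}
                try:
                    data = zf.read(info, pwd=pwd)  # pwd may be None; encrypted data then stays opaque
                    entry["inspected"], entry["mz_header"] = True, data.startswith(b"MZ")
                except (RuntimeError, zipfile.BadZipFile):
                    pass  # missing or wrong password: the name check still applies
                if entry["executable_name"] or entry["mz_header"]:
                    report["verdict"] = "block"
                report["entries"].append(entry)
    return report
```

`scan_message(build_sample_mail("12345"))` returns a "block" verdict with the entry marked encrypted, inspected and carrying an MZ header. Two points worth noting from the design: the entry name is visible without any password, so a gateway can block `document.exe` inside an archive even when the body lies about the password (try `build_sample_mail("12345", archive_password="99999")`), and a wrong password is caught by the check byte or by the CRC, never by executing anything.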

How do you think we can stop viruses? Tell me about it--TalkBack to me!
