Security Watch : Don't get burned by viruses and hackers.
Does a virus gang own the Internet?
By Robert Vamosi 
Senior associate editor, CNET Reviews
May 10, 2004

After a major virus or worm outbreak like Sasser, I'm frequently asked, "Who are these people?" or, "What are they doing, releasing these viruses?" To answer, I point to Clive Thompson's in-depth article for the New York Times Magazine profiling groups of young virus writers who create viral code for fun and games. It now appears that one gang of virus writers is behind Sasser--and the nearly 30 variations of Netsky we've seen since February.

I'm not saying that the specific individuals profiled in Thompson's piece are those responsible for Sasser; still, his article gives some perspective on the underlying mentality. Like their urban gang counterparts, virus gangs are interested in marking territory on the Internet and showing off their elite skills. For example, Skynet, the gang I believe is behind Sasser and Netsky, doesn't use IRC chat rooms to communicate. That would be too easy. Instead, members of Skynet use messages within their own viral creations.

Message in a virus
Programmers often leave plain-text strings in their code, and those strings survive in the compiled worm, where antivirus researchers can read them straight out of captured samples. From statements found embedded within recent viruses, we know that there's been a turf battle raging since February between Skynet, the viral authors of Bagle, and the viral authors using the publicly available MyDoom source code. From Netsky.c: "We are the skynet--you can't hide yourself---we kill malware...MyDoom.f is a thief of our idea!" To which the author of MyDoom.g responded: "Hey, NetSky...Don't ruin our business, wanna start a war?" Mostly the messages have been little more than taunts, and these taunts have even extended to antivirus vendors themselves.

To advance their dialogue, the Skynet and Bagle virus gangs have been hammering out competing viral code every couple of days. Antivirus vendors name each new variant with the next letter of the alphabet, .a through .z, and then move on to two-letter suffixes, so both Netsky and Bagle have now exhausted the single letters and reached variations known as Bagle.aa and Netsky.ac. Most of these variations have been little more than background noise on the Internet, but some, such as Netsky.p, have been very successful, rising to the level of a medium threat.

By piecing together the viral messages, it's possible to get a sense of what's going on behind the virus. Within Netsky.ac: "Hey, av [antivirus] firms, do you know that we have programmed the sasser virus?!? Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet." As proof, the authors supplied a snippet of the Sasser source code. Since the Sasser source isn't available on the Internet, quoting it shows that the Netsky authors had access to it, which more or less links them to Sasser; on its own, though, it proves possession of the code rather than authorship, which is why the structural comparison below matters.

Further analysis provided by antivirus researcher Mikko Hyppönen of F-Secure also finds programming similarities between Sasser and Netsky. While it's possible two different programmers coded these, the order of the procedure calls and the overall structure of the two programs suggest a common point of origin.
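The two kinds of evidence above, embedded taunt strings and code-structure overlap, are the sort of thing a researcher pulls out of a captured sample with a strings tool before any disassembly. The following is an added example, not code from the article or from any antivirus vendor: it extracts printable strings from two constructed byte blobs (made up for the example, not real worm code), tags each blob with the gang whose marker phrases it carries, and scores how many strings the two share. The marker phrases are the taunts quoted in the article; the sample bytes, the family labels and the list of common Windows import names are assumptions made for the example.

```python
import re

# Constructed sample "binaries": junk bytes around the kind of plain-text
# strings researchers pull out of Netsky and Bagle samples. These blobs are
# made up for this example and contain nothing executable.
SAMPLE_A = (b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
            b"We are the skynet - you can't hide yourself\x00"
            b"\x00\xff\x12LoadLibraryA\x00GetProcAddress\x00"
            b"\x90\x90MyDoom.f is a thief of our idea!\x00\x01\x02")
SAMPLE_B = (b"\x4d\x5a\x00\x00Hey, NetSky, wanna start a war?\x00"
            b"\x7f\x00LoadLibraryA\x00\x00\x03GetProcAddress\x00"
            b"\x42\x42\x00ab\x00")

# Marker phrases per gang, taken from the taunts quoted in the article.
# Family labels are an assumption for the example; matching is a
# case-insensitive substring search.
FAMILY_MARKERS = {
    "Skynet/Netsky": ("we are the skynet",),
    "Bagle/MyDoom": ("hey, netsky", "don't ruin our business"),
}

# Import names that almost every Windows executable carries. Sharing these
# says nothing about common authorship, so they are filtered out below.
COMMON_IMPORTS = {"LoadLibraryA", "GetProcAddress", "ExitProcess",
                  "CreateFileA", "WriteFile", "RegSetValueExA"}


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of at least min_len printable ASCII bytes, in file order
    (what the Unix `strings` tool does for ASCII)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def tag_family(strings: list[str]) -> list[str]:
    """Families whose marker phrases occur in the extracted strings."""
    lowered = [s.lower() for s in strings]
    return [family for family, markers in FAMILY_MARKERS.items()
            if any(marker in s for marker in markers for s in lowered)]


def shared_string_ratio(a: list[str], b: list[str]) -> float:
    """Jaccard similarity of the two string sets: |shared| / |union|."""
    sa, sb = set(a), set(b)
    if not sa and not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def distinctive_shared(a: list[str], b: list[str]) -> set[str]:
    """Strings both samples share once boilerplate imports are removed.
    An empty result means the raw ratio was all boilerplate; a non-empty
    one lists the strings worth comparing by hand, as the article's
    researchers did with the FTP-server code."""
    return (set(a) & set(b)) - COMMON_IMPORTS


if __name__ == "__main__":
    strings_a, strings_b = extract_strings(SAMPLE_A), extract_strings(SAMPLE_B)
    for name, strs in (("sample A", strings_a), ("sample B", strings_b)):
        print(name, "->", tag_family(strs), strs)
    print("raw shared ratio:", shared_string_ratio(strings_a, strings_b))
    print("distinctive shared strings:", distinctive_shared(strings_a, strings_b))
```

Run against the two constructed samples, the raw ratio comes out at 0.4 even though the only shared strings are `LoadLibraryA` and `GetProcAddress`, and the distinctive set is empty. That is the caveat behind the article's reasoning: string overlap alone over-counts, and a real attribution needs the kind of procedure-order comparison F-Secure did on top of it.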

Checkmate!
A complete study of Sasser.a through Sasser.d has been published by the security company LURHQ, showing that if the authors of Netsky are responsible for Sasser, there are as many differences as similarities. While Netsky tries to open back doors on infected computers, and these compromised machines are ostensibly sold to spammers to relay their wares, Sasser does no such thing. Sasser carries no such payload; it's much more of an annoyance. So what's its point?

I think the Skynet gang is simply marking territory. Since the Microsoft patch MS04-011 (the recommended remedy for Sasser infections) fixes 14 specific vulnerabilities, not just the one Sasser uses, the authors of Sasser have effectively blocked others from creating a major virus or worm that exploits the flaws in SSL or ASN.1 that the same bulletin covers, for which exploits already exist. While Sasser doesn't completely rule out someone creating a worm or a virus that exploits those flaws, this worm makes it less likely because the number of patched systems has risen sharply since May 1, 2004.

Should we thank Skynet for releasing a relatively benign worm that got everyone to patch their systems in advance of something even worse? No. In my mind, the members of Skynet are still thugs.

By running a firewall on your desktop and keeping your PC current with the latest Microsoft updates, you can deny Skynet and other viral gangs their bragging rights. If the result is that everyone secures their PCs, I think Skynet and the others will ultimately fail.
