For several years, virus writers have known they can compromise vast, worldwide networks of computers. By writing code that opens an obscure port on an infected computer, a virus writer could later come along and take control of that compromised computer. Calling a few thousand computers your own is itself a pretty powerful ego trip. However, most virus writers use these networks to launch the next variation of their viruses. The more computers they can infect in a short amount of time, the bigger their viruses' impact on the Internet overall. This might explain why later variations of a virus such as Netsky have been as successful as the earlier versions. (In the past, virus derivatives never matched the original.)
Another use of a viral network is to enlist the infected computers in a distributed denial-of-service attack on a single Web target. For a while, these attacks were used in harmless turf battles between virus-writing gangs. Earlier this year, however, the MyDoom virus used its network to shut down SCO Linux's Web site, and later versions of Netsky shut down access to file-sharing sites such as eMule and eDonkey.
Putting a price on a viral network
But wait, it gets worse. Once upon a time, the only way spam operators spread their junk mail was by opening an e-mail account, queuing up a few thousand e-mail messages, then moving on. But Internet service providers got savvy to this practice, and now they look for abnormal spikes in outbound mail traffic, then immediately block or shut down spam-sending accounts.
So the spammers had to get even savvier. With last summer's Sobig virus, it became clear that someone was building viral networks to relay spam messages.
By using open proxies on virus-compromised Windows computers, a spam operator, who may be on some ISP's block list, sends direct marketing e-mail via someone else's compromised PC. Doesn't matter if the infected PC's ISP shuts them down; there are thousands of other PCs relaying the same spam. Viruses are moving targets, so as one system is disinfected or blocked, another system becomes infected.
To illustrate that point, the Sobig virus self-terminated every two weeks or so, allowing the virus writer to sell his or her list of currently infected PCs, then, after the virus expired, author another version, infecting different PCs, and sell that list at a later date. As individual PCs on a given virus network keep changing, the effort to identify and stop spam operators gets much harder.
Yet this open proxy method isn't perfect. To work, the spam operator still contacts each and every infected PC in the virus network. This requires bandwidth, almost as much as if the operator were using a single account to send the spam.
The self-contained spam factory method
Enter the Bobax worm. Security company Lurhq describes Bobax as a self-propagating Trojan horse and a self-contained spam factory. The worm carries with it a template and a list of e-mail addresses, so it's able to create spam on the fly.
This evolution suggests that the virus writers and the spam operators are working closely. No longer is a rogue virus writer selling his or her networks of infected computers created by off-the-shelf viruses and worms to spammers. Now, the spammers are ordering up custom-designed viruses and worms. Perhaps the virus writers are employees, working solely for the spam operators.
Fortunately, Bobax is a low threat, discovered in part because last week the SANS Institute reported a sharp increase in traffic on port 5000, which Windows enables for Universal Plug and Play purposes. Bobax uses port 5000 to search for Windows XP computers that are still vulnerable to the LSASS vulnerability, the same vulnerability the Sasser worm uses. Spammers don't seem to care that millions of vulnerable XP machines have already been patched; it's the missing one million or so that haven't that they're after.
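The two detection signals the column mentions, an ISP watching for abnormal spikes in outbound mail and SANS spotting a surge of port 5000 traffic, come down to the same kind of per-host counting over flow logs. The following is an added example (not code from the article or from Lurhq or SANS) that runs both checks over constructed flow records; the log format, the 192.0.2.x/198.51.100.x/203.0.113.x addresses, and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not real traffic). The log format is assumed:
# one infected host sweeps port 5000 across 40 addresses, one host relays a
# burst of 120 outbound SMTP connections, and one host behaves normally.
SAMPLE_FLOWS = "\n".join(
    [f"2004-05-20T10:00:{i % 60:02d} src=192.0.2.10 dst=198.51.100.{i} dport=5000"
     for i in range(1, 41)]
    + [f"2004-05-20T10:01:00 src=192.0.2.20 dst=203.0.113.{i % 200 + 1} dport=25"
       for i in range(120)]
    + ["2004-05-20T10:02:00 src=192.0.2.30 dst=203.0.113.9 dport=25",
       "2004-05-20T10:02:01 src=192.0.2.30 dst=203.0.113.9 dport=25",
       "2004-05-20T10:02:02 src=192.0.2.30 dst=192.0.2.31 dport=5000"]
)

# Constructed per-host "normal" SMTP connection counts for the same window.
BASELINE_SMTP = {"192.0.2.20": 3, "192.0.2.30": 3}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flows(text):
    """Yield (src, dst, dport) tuples from key=value flow log lines."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def hosts_sweeping_port(flows, port, min_distinct_dsts):
    """Sources that contacted at least min_distinct_dsts different hosts on `port`.
    Counting distinct destinations (not packets) separates a Bobax-style sweep
    from a host legitimately talking to one or two UPnP peers."""
    dsts = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


def hosts_with_smtp_burst(flows, baseline, factor=10):
    """Sources whose outbound port-25 connections exceed `factor` times their
    baseline (the ISP "abnormal spike" heuristic); unknown hosts get baseline 1."""
    counts = defaultdict(int)
    for src, _dst, dport in flows:
        if dport == 25:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n > factor * baseline.get(src, 1)}


if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    print("port-5000 sweepers:", hosts_sweeping_port(flows, 5000, 20))
    print("SMTP bursts:", hosts_with_smtp_burst(flows, BASELINE_SMTP))
```

Either check alone is noisy on a busy network; correlating a host that trips both, as a Bobax-infected relay would, is what makes the alert worth acting on.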
So as long as someone's paying for these new viruses and worms, we're going to see more worms like Bobax. There is, fortunately, still a way to thwart their efforts. If you haven't already done so within the last month, visit windowsupdate.microsoft.com right now and download the latest patches and updates to your Windows PC. And, if you don't yet have a personal firewall, I still recommend ZoneAlarm, which not only works well, but is free.
Got a security question? Let me hear about it!