Alpha Posted March 12, 2004

By Robert Vamosi
Senior associate editor, CNET Reviews
March 10, 2004

It's a busy time for computer viruses and worms. Over the last three weeks, we've seen nearly two dozen variations of Bagle, Netsky, and MyDoom circulate the Net. What gives? It looks like gang warfare is responsible--drive-by shootings on the information highway.

Script kiddies

You heard me right. "Gangs" of virus writers are currently trying to outdo one another and protect their turf. What they're fighting for is control of thousands of Trojan horses that create stealth peer-to-peer networks out of virus-infected computers worldwide. Such networks can be used to launch next-generation computer viruses or distributed denial-of-service attacks. They can also be sold to spammers who use them to anonymously send messages to our in-boxes. Because of all their uses, virus writers consider these networks worth fighting for.

Unfortunately, you and I aren't just bystanders; we're the targets. And the only solution I can offer is what I've been saying for years: Update your antivirus software and don't open unsolicited e-mail messages. I wish there were a magic fix I could offer that would inoculate us all from these viruses, but unfortunately, there isn't. These infections aren't even very original. They use good old-fashioned social engineering, not a software flaw, to spread.

There appear to be three distinct gangs: the MyDoomers, who are using source code from the MyDoom.b worm to set up stealth networks; the Bagles, who wrote their own unique viral code to establish the same sorts of networks; and the Netskys, who seem to have started the whole imbroglio by thwarting the plans laid down by MyDoom and Bagle.

An online street fight

The fight seems to have broken out on February 18, when Netsky.b appeared on the Net and began removing traces of MyDoom and Bagle from infected computers. Netsky.b removed not only the viral code, but also the Trojan horse back doors. These are the tunnels of communication that allow the MyDoom and Bagle gangs to communicate with infected systems and thus set up the valuable peer-to-peer networks. Needless to say, the authors of the Bagle and MyDoom variants took offense--as Netsky spread, their networks began to shrink in size, and thus their ability to do harm online diminished.

One week later, on February 25, the Netsky.c variant appeared with a hidden message embedded in the code: "We are the skynet--you can't hide yourself---we kill malware...MyDoom.f is a thief of our idea!" (Such messages are known as greetz.) A few days later, Bagle.j and MyDoom.g responded: "Hey, NetSky...Don't ruin our business, wanna start a war?" and "To NetSky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. We have seen P2P in Slapper in Sinit only. They may be called skynets, but not your...app." (Slapper is a Linux worm that established its own P2P network starting in August 2002; Sinit is a common Trojan horse that also established its own P2P network, starting in October 2003.)

Greetz are not new; often they are directed at rival Internet gangs or antivirus researchers. In December of 2001, rival members of Israeli script kiddie gangs unwittingly released the Goner virus. In that case, the virus (which they called Pentagone) contained greetz with Internet nicknames of the authors: "Pentagone coded by: suid, tested by: ThE_SkuLL and Isatanl." Originally, the authors named in the greetz denied their involvement; shortly thereafter, however, they took credit for the virus when the news media started saying the code was cut and pasted from elsewhere. A short time later, the Israeli youths were arrested and sentenced to two and a half years in jail. Also, the recently arrested Belgian virus writer Gigabyte is famous for using greetz to taunt antivirus researchers, namely Graham Cluley of Sophos Antivirus.

Social engineering viruses

Most of the viruses that have appeared over the last few weeks rate a 6 on our 10-point Virus Meter, meaning we consider them moderate threats. As of last Friday, only Netsky.d was spreading quickly, infecting 1 of every 19 e-mail messages; this is very close to the infection rate of the original MyDoom, which spread at a rate of 1 of every 12 messages in mid-January.

Despite some interesting programming nuances, such as requiring a password to unlock the ZIP file attachment in the e-mail, these variants introduce only minor changes to the original code--just enough to fool the signature files that your antivirus software uses to recognize and stop them. So far, two antivirus companies, Kaspersky and BitDefender, have added the capability to decode the password-protected ZIP attachments in infected e-mail, but I expect all antivirus companies will adopt this strategy soon.

The viruses' success, in the end, is due to their social engineering. They spread because human beings--hopefully not you--open the files attached to the e-mail messages they're sent in. As a result, many corporations are now blocking all ZIP file attachments, which is surely impacting worker productivity. But until every desktop has up-to-date antivirus technology, and until every user stops opening unsolicited e-mail attachments, viruses such as these will continue to afflict us.

Credits: http://CNET.com

==========================

I get probably 10 viruses a day in my emails..luckily I have a good spam assassinator. I have even had a recent case of someone using the following email: staff@1emulation.tk as a return address for sending the newest trojans. I'm getting quite sick of it and I'll be canceling that email soon from this site and our others.
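The article above makes two points a mail administrator has to weigh: a password-protected ZIP attachment hides its contents from signature scanning, and many companies reacted by blocking every ZIP attachment. The Python script below is an added example, not part of the CNET article or of this forum post, showing the middle ground a mail gateway can take: read only the ZIP central directory, flag any entry whose general-purpose flag bit 0 (the encrypted flag in the ZIP format) is set or whose name carries an executable extension, and quarantine the message instead of delivering it. The `build_zip` helper, the `EXECUTABLE_EXTENSIONS` policy list and the sample attachments are all constructed here for the demonstration and are not drawn from the page.

```python
import io
import posixpath
import struct
import zipfile
import zlib
from dataclasses import dataclass, field

# Assumed gateway policy: inner file types treated as executable content.
# This list is an illustration chosen for the example, not taken from the article.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0 in the ZIP format


def build_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """Assemble a minimal single-entry, stored (uncompressed) ZIP archive.

    Test-data builder only (constructed for this example): Python's zipfile
    cannot write encrypted entries, so the local header, central directory
    and end-of-central-directory record are packed by hand. With `encrypted`
    set, flag bit 0 is raised and the payload is prefixed with 12 placeholder
    bytes, the length of the traditional PKZIP encryption header; the data is
    not actually encrypted, which is irrelevant to a check that never reads it.
    """
    payload = (b"\x00" * 12 + data) if encrypted else data
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(data)
    fname = name.encode("utf-8")
    mod_date = 0x21  # 1980-01-01 in DOS date format; mod time left at 0
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, mod_date,
                        crc, len(payload), len(data), len(fname), 0) + fname + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          mod_date, crc, len(payload), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


@dataclass
class Verdict:
    action: str                     # "deliver" or "quarantine"
    reasons: list = field(default_factory=list)


def assess_zip_attachment(blob: bytes) -> Verdict:
    """Decide whether a ZIP attachment may pass, using only its central directory.

    An encrypted entry cannot be matched against signatures, so the gateway
    has to act on metadata: the encrypted flag and the inner file names.
    """
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            for info in archive.infolist():
                if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                    reasons.append(f"encrypted entry: {info.filename}")
                ext = posixpath.splitext(info.filename)[1].lower()
                if ext in EXECUTABLE_EXTENSIONS:
                    reasons.append(f"executable entry: {info.filename}")
    except zipfile.BadZipFile:
        # A malformed archive is also something a scanner cannot inspect.
        reasons.append("malformed ZIP archive")
    return Verdict("quarantine" if reasons else "deliver", reasons)


if __name__ == "__main__":
    # Constructed sample attachments standing in for mail-gateway input.
    samples = {
        "notes.zip (plain text inside)": build_zip("notes.txt", b"meeting at 10", False),
        "invoice.zip (password-protected)": build_zip("invoice.txt", b"payload", True),
        "photo.zip (screensaver inside)": build_zip("photo.scr", b"MZ...", False),
        "garbage.zip (not a ZIP)": b"this is not a zip file",
    }
    for label, blob in samples.items():
        verdict = assess_zip_attachment(blob)
        print(f"{label:36} -> {verdict.action:10} {'; '.join(verdict.reasons)}")
```

The check deliberately never extracts an entry: the decision rests on the central directory alone, so it is cheap and cannot be derailed by a bad password. What it cannot do is recover the contents the way the article says Kaspersky and BitDefender started to; an encrypted archive stays opaque, which is exactly why quarantining it is the conservative default rather than blocking every ZIP.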
Diso Posted March 12, 2004

xxl causing probs perhaps? I get not many viruses in my email.
Alpha (Author) Posted March 12, 2004

xxl causing probs perhaps? I get not many viruses in my email.

I seriously doubt it's him, he doesn't know crap about this kind of stuff. These were pros, since they were exactly like the other virus emails I get, like the emails I get from my Yahoo accounts in my Bulk Folder (the best feature to grace mankind). I don't think though our email was used that much or for that many emails. I'm guessing maybe 20-40 in all max, most likely 10-15. I found out from all of the MAIL UNDELIVERY emails that were relaying back to me from the people who sent the viruses with that email. I just still had to report it since some people are going to go to the site from the FROM Address if they are affected, which is us.