Viruses Search For Infected Computers

There's an Internet war raging, and the spoils are virus-infected computers.

February 13, 2004


The Internet has become a cornucopia of riches for hackers and tech-savvy spammers trying to exploit the "backdoor" installed in more than half a million computers infected by last month's MyDoom virus, experts said Thursday. While many of those PCs have been cleansed of the malicious code, tens of thousands of others remain ripe for the picking.

Security firm iDefense Inc. has identified a half dozen separate viruses searching the web for MyDoom-infected computers.

"There are a lot of attackers out there attempting to hijack these computers and take ownership of them," Ken Dunham, director of malicious code for iDefense, said. "There's a flurry of activity in the underground."

The new viruses attempt to enter computers through the same hole created by MyDoom, remove the original virus, close the opening and install their own program allowing a hacker or spammer to commandeer the machine.

Among the most prevalent MyDoom hunters is Welchia.B, a variant of a virus released last August that tried to clean up machines infected with the Blaster virus, which was behind one of the most damaging Internet attacks of 2003.

In trying to clean up after Blaster, the original Welchia, also called Nachi, clogged e-mail boxes and slowed networks through its own mass mailing.

Experts disagree over the intent of the author of Welchia.B. Some see the program as a misguided attempt to do good, while others, like Dunham, see evil.

"It's very rare, but sometimes this whole idea of a 'good worm' does come up every few years," Dunham said. "Welchia worms are not a good worm. They definitely do not have any sense of goodwill."

The original virus attempted to exploit a security flaw in Windows at the time, targeting computers in Asia. "This was definitely someone who wanted to gain control over a large number of computers in the Far East," Dunham said.

The variant, on the other hand, appears to be making a political statement. The virus contains a document that says "Let history tell future," and then lists dates related to Japan's attack on China before World War II and the dropping of the atomic bomb on Japan by the U.S., ending the war.

"The trend we've seen is that there are more and more attackers making viruses and causing disruption in the name of their countries or the name of their religions," Dunham said. "They appear to be more and more organized and more effective in their attacks, and as a result, we have much to be concerned about in 2004."

Besides the politically minded hacker, MyDoom is suspected of creating a rivalry among spammers.

"You've got all these MyDoom-infected machines out there, and spammers probably want them for themselves," Craig Schmugar, virus research manager for anti-virus software maker Network Associates Technology Inc., said.

Schmugar, however, believes hackers are being more aggressive at commandeering PCs than spammers, for now. "For the most part, it still seems like the hacker community wants to have their own army of machines to use at a later date," Schmugar said.

On another front, advertisers have been waging an even dirtier war than virus writers.

"The war is actually much more aggressive and present among the advertising community than it is among the virus authors," Schmugar said.

A fierce battle is underway by advertisers installing "adware" programs along with free software such as file-swapping programs or digital video viewers. Some of these secretly installed programs monitor the PC user's web surfing, while others will display ads inside the software.

Adware programs will often alter other adware to display a competitor's advertising.

"It's not uncommon for one adware program to redirect or alter the installation of another adware program," Schmugar said. "It's really about targeting and attacking a competitor in the ad space."
