Bot Battle Brewing

Just as the author of the Zotob bot worm was tentatively identified Wednesday as the same individual who wrote some of the Mytob worms, several security firms warned users that a Bagle vs. Netsky-style battle between bots is under way.

"Competing factions seem to be dueling for control of the botnets of PCs in order to perpetrate wider Internet criminal activity," said Alex Shipp, a senior anti-virus technologist at U.K.-based security vendor MessageLabs, in a statement e-mailed to TechWeb. "We may well now see a period of intense malware activity as these groups vie for pole position."

He also claimed that the businesses hit by the attack are only so much "collateral damage in the malware authors' attempts to compromise home computers to generate zombie armies."

Shipp based his bot battle take on the fact that one of the most recent bots that exploits the Windows 2000 Plug and Play vulnerability also takes shots at a rival. The Bozori bot, also dubbed Zotob.f, includes code to disable rival bot worms that may be already in place, including Esbot.a, Zotob.b, and Zotob.d.

That practice is common, said Gunter Ollmann, the director of Internet Security Systems' (ISS) X-force research group, and is used by bot authors to maintain control of the machines they've compromised.The most notable back-and-forth between hackers was in early 2004, when the writers of the Bagle and Netsky worm families engaged in a long-running tit for tat exchange where each tried to delete the other's code. The battle led to a veritable flood of malicious code that last weeks.

Some see the beginnings of a repeat.

"In the most significant activity we've seen in more than a year, networks have been invaded over the last 72 hours by at least three fast, vicious groups exploiting vulnerabilities," a spokesperson for Computer Associates said in an e-mail.

Unlike in 2004's Bagle vs. Netsky brouhaha, however, the motive isn't notoriety -- the Netsky author, for instance, was a German teenager -- this battle between bot families is driven by pure capitalism, albeit on a criminal scale.

"Gaining access to an extensive network of compromised computers is a valuable asset to criminals, as the worms can allow them to gain control of the computers and use them to send spam, launch an extortion denial-of-service attack against a Web site, steal confidential information, or blast out new versions of malware to other unsuspecting computer users," said Chris Kraft, senior security analyst for Sophos, in a statement.At least one security analyst, however, doesn't see a criminal conspiracy in the offing, but instead thinks it's just bot business as usual.

"Bots typically include code to automatically disable anti-virus software tools or access to updates, such as Microsoft's Windows Update, or anything else that can detect the bot or take control away from the attacker," said ISS's Ollmann.

"It's a matter of interpretation," he admitted, "but I don't think anyone if actively targeting other botnets. They always take steps to prevent any known bot from working on their compromised machines, so it's more a case of wanting to maintain control that to grab a host on someone else's botnet."

In other Zotob news on Wednesday, MessageLabs said that it had tentatively identified the author of the Zotob variants as a hacker known only as "Diab10," who was responsible for some of the Mytob worms launched this year.

MessageLabs based its Diab10 connection at least in part on the fact that Zotob is very similar to Mytob (which in turn has substantial code from the even-earlier MyDoom)."[This] could spell the beginning of a period of intense malware activity similar to the Netsky-Bagle wars," said MessageLabs in an e-mailed statement.