Worm Authors Exchange Taunting Messages


March 3, 2004


The worm blitzkrieg that started last Friday and showed no signs of ceasing Wednesday stepped up a notch as security analysts probing the code of recent malware discovered a tit-for-tat, obscenity-laced dialog between battling hacker factions.

According to analysis done by several anti-virus companies, including Central Command, Sophos, and the Finland-based F-Secure, profanity-laced messages between the creators of the latest Netsky, Bagle, and MyDoom variants are embedded in the worms' code.

Inside Bagle.j, the eighth variant to debut since Friday and the first to appear Tuesday, is text taunting Netsky that reads "Hey,NetSky, f*** off you b****, don't ruine our bussiness, wanna start a war?" (Not exactly Shakespeare, and the hacker's spell-checker must not be working.)

Within Bagle.k, a new variant that appeared Wednesday, is similar text, said Sophos: "Hey, NetSky, f*** off you b****!"

Netsky.f, another worm discovered Wednesday, sports a retort, according to analysis by F-Secure. Tucked inside its code is the line "Skynet AntiVirus --Bagle -- you are a looser!!!"

Even the MyDoom worm family got into the juvenile brouhaha. Stuck inside MyDoom.g -- a close copy of the original MyDoom loosed on the Internet late Tuesday -- is a long rambling message that reads in part: "to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. they may be called skynets, but not your s***** app."
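The messages quoted above were found the way analysts routinely find embedded text in a suspicious attachment: by pulling every run of printable characters out of the binary and reading the ones that look like messages. The following is an added illustration, not code from the article or from any of the anti-virus firms it cites. It implements that extraction for both narrow (ASCII) and wide (UTF-16LE) text, the two encodings Windows binaries commonly carry, and then flags which recovered strings mention a worm family name, which is a quick triage signal for an analyst. The sample buffer is constructed for the example (it is not real Bagle or Netsky code) and contains two of the message fragments quoted in the article; the function names are the author's own.

```python
import re

# Constructed sample standing in for a captured worm attachment. It is NOT a real
# Bagle/Netsky binary: binary filler plus one narrow (ASCII) and one wide
# (UTF-16LE) string, using two message fragments quoted in the article.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                          # fake DOS-header bytes
    + bytes(range(1, 32))                                  # non-printable filler
    + b"Skynet AntiVirus --Bagle -- you are a looser!!!"   # Netsky.f retort (narrow)
    + b"\x00\x01\x02\x7f"                                  # more filler
    + "wanna start a war?".encode("utf-16-le")             # Bagle.j fragment (wide)
    + b"\x00\x00ab\x00"                                    # short run, below min_len
)


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII (0x20-0x7e) at least min_len bytes long, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_wide_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Same for UTF-16LE text: each printable char followed by a NUL, like `strings -el`."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_family_references(strings, families=("bagle", "netsky", "skynet", "mydoom")):
    """Map each family keyword to the recovered strings that mention it (case-insensitive).

    A string naming a rival family is a cheap triage hint that the sample belongs to
    this feud and is worth a closer look; it is not proof of the family by itself.
    """
    hits: dict[str, list[str]] = {}
    for s in strings:
        low = s.lower()
        for fam in families:
            if fam in low:
                hits.setdefault(fam, []).append(s)
    return hits


def triage(data: bytes) -> dict[str, list[str]]:
    """Run both extractors over a buffer and return the family-keyword hits."""
    return find_family_references(extract_strings(data) + extract_wide_strings(data))


if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print("narrow:", s)
    for s in extract_wide_strings(SAMPLE):
        print("wide:  ", s)
    for fam, strs in sorted(triage(SAMPLE).items()):
        print(f"{fam}: {strs}")
```

The minimum length of six filters out the short accidental runs that any binary produces; raising it cuts noise further at the cost of missing terse markers. On a real sample the wide-string pass matters as much as the narrow one, because a message placed in a Windows resource or built from a `wchar_t` literal never shows up in a plain ASCII scan.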

You get the idea: an IT version of the Jerry Springer show.

Calling the back-and-forth the first major global "cyber war" between hackers, security firm Central Command noted that the person (or persons) responsible for each of the three worm families involved -- Bagle, Netsky, and now MyDoom -- are battling for control of a huge army of Windows computers that have been compromised by infections, which have opened ports and installed backdoor components on the systems.

"It appears to be a war over power and seniority among these authors," said Steven Sundermeier, Central Command's vice president of products and services, in a statement.

Other security firms, including Sophos, have used the word "war" to define what's going on. "Clearly the author of the Bagle worms is unimpressed that Netsky is stealing some of the limelight and most of the headlines," said Graham Cluley, a senior technology consultant for the U.K.-based Sophos.

Part of the motivation for the name calling may be the fact that some editions of Netsky, particularly Netsky.d, seek out and destroy any editions of the Bagle worm they find on infected systems.

The ultimate losers of any hacker cat fight are end users, said Vincent Gullotto, vice president of McAfee's AVERT virus research team. "It's the end user, it's the Internet that suffers," he said. While some mail servers have been temporarily clogged, the Web as a whole hasn't been affected by any performance degradation with the millions of worm-laden messages shunting back and forth. But it gives users -- both corporate and consumer -- fits trying to stay updated against such fast-developing, high-volume threats, and the Internet a black eye.

"In my seven years, I've seen this back-and-forth once or twice or three times, but nothing to this extent," said Gullotto. "There's new variant after new variant, two and three times a day in some cases."

In the last 24 hours, a quartet of new worms or variations on older editions have been spotted by McAfee, said Gullotto, including MyDoom.g, Netsky.f, Bagle.k, and Hiton. Currently, McAfee ranks them all as a "low" threat, while rival Symantec tagged the four with a "2" in its 1 through 5 scale.

The most persistent, and prevalent, of the worms released since Friday remains Netsky.d, which first appeared Monday.

MessageLabs, a U.K.-based firm that filters mail for enterprise customers worldwide, said Wednesday that Netsky.d has recently surged in its spread, and now accounts for 1 in every 19 e-mails.

"Although Netsky.d was fairly quiet in the first 24 and 48 hours -- a slow burner, so to speak -- we've seen a jump in the last 12 hours," said Natasha Staley, an information security analyst with MessageLabs.

Of the more than 1.5 million copies of the worm that MessageLabs has intercepted since Monday, said Staley, 700,000 of them were nabbed in the last half day.

"At the moment, Netsky.d isn't that far off MyDoom.a in its prevalence," said Staley, noting that at its peak, MyDoom.a accounted for 1 in every 12 e-mails that reached her company's filters.
