Worm Writers One-Up Each Other

The battle to capture your e-mail address has gone to new levels: deleting competing worms.

Keeping virus-hunters especially busy, recent versions of the well-traveled worms Bagle, MyDoom, and Netsky appear to be battling over which will ultimately own infected users’ computers, with Netsky literally deleting the competition.

At the same time, each new version creatively disses the competition. “You are a looser!!!!” reads Netsky.F, to which the partial Bagle.I reply is, “don't ruine our bussiness, wanna start a war ?” Grammatically speaking, for the most part only the expletives are spelled correctly.

Bad grammar aside, security experts say the taunts perhaps explain why so many versions of recent worms are suddenly at large.

Over the course of just three hours in early March, anti-virus provider Kaspersky Labs “detected five new modifications of notorious malicious programs: Bagle.i and Bagle.j, Mydoom.f and Mydoom.g, and Netsky.f. The situation is further complicated by the fact that these programs have already caused mass infection,” says the company.

The symptoms are, by now, well known to PC owners, since e-mails arriving from “support,” for example, with such subject lines as “your IP has been logged” and “servers were be completely down for 2 days,” have been clogging in-boxes. Most contain attachments that, if executed, will load a worm onto the PC, ultimately sending more e-mails. Some e-mails sport attachments saved in encrypted zip format, to sneak the attachment past perimeter-scanning software, which can’t read encrypted files. The worm-generated e-mail helpfully includes the decryption password so users can still run the worm.
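A mail gateway can at least recognize the encrypted-zip trick described above even when it cannot read the archive's contents. The following is an added example, not part of the original article: a Python triage routine that checks each attachment's ZIP encryption flag without extracting anything. The function names, the sample message, and the "password" keyword heuristic are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def encrypted_zip_entries(data: bytes) -> list[str]:
    """Return names of encrypted entries, or [] if data is not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Flag mail carrying an archive the gateway cannot scan; never extracts it."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.iter_attachments():
        names = encrypted_zip_entries(part.get_payload(decode=True) or b"")
        if names:
            hits[part.get_filename()] = names
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    return {
        "unscannable": hits,
        "password_in_body": "password" in text,  # assumed keyword heuristic
        "quarantine": bool(hits),
    }


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample: a tiny ZIP whose central-directory flag is patched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"constructed placeholder content")
    blob = bytearray(buf.getvalue())
    if encrypted:  # flags field sits 8 bytes into the central directory header
        blob[blob.index(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    msg = EmailMessage()
    msg["From"], msg["To"] = "support@example.test", "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("The password for the attached file is 12345.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="details.zip")
    return msg.as_bytes()
```

The quarantine decision rests on the encryption flag alone; the password-in-body signal is reported separately because legitimate senders also mail protected archives.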

All worms search infected PCs for e-mail addresses. Some look for additional information or also install backdoors.

Since the end of February, no fewer than nine versions of Bagle have appeared, four of which successfully infected many computers. The interesting thing, however, is that Netsky actively targets the other worms, removing most when found. Displaying a surprising grasp of supply-and-demand economics, Netsky’s authors are apparently liquidating the competition—they don’t want other worm authors to share in the harvested information. Fighting back, MyDoom’s authors have responded with a new version (MyDoom.G) yet to be disabled by Netsky.

All those worms at once is “a direct attack on the response times of antivirus companies, a strain on IT professionals, a financial impact on businesses, and [it] appears to be a war over power and seniority among these authors,” says Steven Sundermeier, vice president of products and services at Central Command.

The frustrating thing is that no one seems able to turn the e-mail flood off. “It’s hard to imagine a more comical situation: a handful of virus writers are playing unpunished with the Internet, and not one member of the Internet community can take decisive action to stop [it],” says Eugene Kaspersky, head of anti-virus research at Kaspersky Labs. “The problem is not that no one wants to change the situation, but that the current architecture of the Internet is completely inconsistent with information security.”

Until that changes, users need to remember the basics. As anti-virus provider Symantec notes, “[we] encourage all users to update their virus definitions on a regular basis and [to not] open any e-mails from unknown sources.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.