
August 17, 2005

New Worm War Brewing

Courtesy of TechWeb News

Just as the author of the Zotob bot worm was tentatively identified Wednesday as the same individual who wrote some of the Mytob worms, several security firms warned users that a Bagle vs. Netsky-style battle between bots is under way.

"Competing factions seem to be dueling for control of the botnets of PCs in order to perpetrate wider Internet criminal activity," said Alex Shipp, a senior anti-virus technologist at U.K.-based security vendor MessageLabs, in a statement e-mailed to TechWeb. "We may well now see a period of intense malware activity as these groups vie for pole position."

He also claimed that the businesses hit by the attack are only so much "collateral damage in the malware authors' attempts to compromise home computers to generate zombie armies."

Shipp based his bot-battle assessment on the fact that one of the most recent bots exploiting the Windows 2000 Plug and Play vulnerability also takes shots at a rival. The Bozori bot, also dubbed Zotob.f, includes code to disable rival bot worms that may already be in place, including Esbot.a, Zotob.b, and Zotob.d.

That practice is common, said Gunter Ollmann, the director of Internet Security Systems' (ISS) X-force research group, and is used by bot authors to maintain control of the machines they've compromised.

The most notable back-and-forth between hackers was in early 2004, when the writers of the Bagle and Netsky worm families engaged in a long-running tit-for-tat exchange in which each tried to delete the other's code. The battle led to a veritable flood of malicious code that lasted for weeks.

Some see the beginnings of a repeat.

"In the most significant activity we've seen in more than a year, networks have been invaded over the last 72 hours by at least three fast, vicious groups exploiting vulnerabilities," a spokesperson for Computer Associates said in an e-mail.

Unlike 2004's Bagle vs. Netsky brouhaha, however, where the motive was notoriety (the Netsky author, for instance, was a German teenager), this battle between bot families is driven by pure capitalism, albeit on a criminal scale.

"Gaining access to an extensive network of compromised computers is a valuable asset to criminals, as the worms can allow them to gain control of the computers and use them to send spam, launch an extortion denial-of-service attack against a Web site, steal confidential information, or blast out new versions of malware to other unsuspecting computer users," said Chris Kraft, senior security analyst for Sophos, in a statement.

At least one security analyst, however, doesn't see a criminal conspiracy in the offing, but instead thinks it's just bot business as usual.

"Bots typically include code to automatically disable anti-virus software tools or access to updates, such as Microsoft's Windows Update, or anything else that can detect the bot or take control away from the attacker," said ISS's Ollmann.

"It's a matter of interpretation," he admitted, "but I don't think anyone is actively targeting other botnets. They always take steps to prevent any known bot from working on their compromised machines, so it's more a case of wanting to maintain control than to grab a host on someone else's botnet."
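One way a bot can cut a machine off from anti-virus and Windows Update servers, as Ollmann describes above, is to point those hostnames at the loopback address in the hosts file. The following defender-side check is an added example, not code from the article or any vendor quoted in it; the domain watch-list and the sample hosts file are constructed for illustration.

```python
import re

# Illustrative watch-list of update/AV domains (an assumption, not from the article).
UPDATE_DOMAINS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "symantec.com",
    "sophos.com",
    "messagelabs.com",
)

# Addresses that make a name unreachable when a hosts entry points at them.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# <ip> <one or more names> [# comment]
HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F:.]+)\s+(.+?)\s*(?:#.*)?$")


def find_update_blocks(hosts_text: str) -> list:
    """Return entries that point an update/AV hostname at a sinkhole address."""
    findings = []
    for lineno, line in enumerate(hosts_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or pure comment
        m = HOSTS_LINE.match(line)
        if not m:
            continue  # not a hosts entry we can parse
        ip, names = m.group(1), m.group(2).split()
        if ip not in SINKHOLE_IPS:
            continue  # a real address is not a block
        for name in names:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in UPDATE_DOMAINS):
                findings.append({"line": lineno, "ip": ip, "host": host})
    return findings


# Constructed sample hosts file: two benign entries and two blocking entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com  # added by malware
0.0.0.0         liveupdate.symantec.com www.sophos.com
192.168.1.10    fileserver.corp.example
"""

if __name__ == "__main__":
    for f in find_update_blocks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

On a live Windows host the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; any finding is a strong signal that update access has been tampered with.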

In other Zotob news on Wednesday, MessageLabs said that it had tentatively identified the author of the Zotob variants as a hacker known only as "Diab10," who was responsible for some of the Mytob worms launched this year.

MessageLabs based its Diab10 connection at least in part on the fact that Zotob is very similar to Mytob (which in turn has substantial code from the even-earlier MyDoom).

"[This] could spell the beginning of a period of intense malware activity similar to the Netsky-Bagle wars," said MessageLabs in an e-mailed statement.
