Washington Post 2004-03-04
The programmers behind the ongoing wave of computer worms and viruses hitting
businesses around the world are getting caught in the crossfire, security
experts said yesterday.
In the space of about three hours early Wednesday morning, five new variants of
widespread bugs MyDoom, Bagle and Netsky were spotted roaming the Web. And, in
a new twist, the unknown virus writers have gotten into what amounts to a
shouting match, by placing insults and threats against each other in the coding
of the latest versions of their wares.
It's not entirely clear what the hackers are fighting about. In one case, a
virus writer seemed to be upset that another had lifted the hacker's approach
for spreading the code to other computers.
"MyDoom.f is a thief of our idea!" read one line in the latest version of the
Netsky worm, referring to the "f" variant of a rival piece of software.
The bystanders in this fight are the countless e-mail users who have found
their in-boxes inundated with messages that often seem to come from
acquaintances, directing them to click on an attachment. The attachment
typically triggers the worm to send itself out to everyone in the user's
address book or opens a back door so the hacker can later take control of the
computer.
Ken Dunham, director of malicious code at Reston-based iDefense, said the
authors of Bagle and MyDoom appear, in essence, to be wrestling for remote
control over compromised computers, while the Netsky worm attempts to
deactivate the other two.
"There's a huge pool of computers that are always infected," he said, placing
that figure at somewhere in the low hundreds of thousands. Virus writers "want
to make sure they have complete control of those computers."
Most of the comments tucked inside the latest bugs are brief, unprintable and
poorly spelled. "Bagle -- you are a looser!!!" opined the author of the sixth
version of Netsky. The latest version of Bagle, meanwhile, contained the line
"Hey, NetSky . . . wanna start a war?"
The variants are causing as much trouble as their debut versions. McAfee
Security, part of computer security firm Network Associates Inc., reported that
the latest version of Bagle had clogged computer networks at several Fortune
500 companies. E-mail security firm MessageLabs Inc. reported that one variant
of Netsky was infecting as many as one in 19 e-mails Wednesday morning.
Bagle and MyDoom made their first appearances in January; since then there have
been 11 versions of Bagle and seven of MyDoom, which has been judged the
fastest-spreading worm to hit the Web. Netsky first appeared in February and
there have been six versions so far.
It is not unusual for viruses to come with comments tucked inside their
programming. A note included in the second version of Netsky, for example,
complained that antivirus workers had misnamed the virus. Antivirus companies
will usually not use the name chosen by a virus writer, though sometimes they
will use a variation of that name or reverse the letters; Netsky's author had
apparently wanted the worm to be called Skynet.
Some computer security experts said there is a good chance that the comments
included inside the new versions of Bagle and Netsky are from the original
authors of the bugs, because the source code for those two has not been posted
on hacker sites. The source code for MyDoom, on the other hand, is less
difficult to find online.
Craig Schmugar, virus research manager at Network Associates, said the new
worms were probably not written as direct responses to each other because the
worms take too much time to write.
Computer security experts advise people to regularly update their antivirus
software and to avoid clicking on attachments they are not expecting.
"We are seeing just variation after variation after variation," said Steven
Sundermeier, vice president of products and services at Central Command Inc., a
Medina, Ohio-based antivirus company.
