Cyber villains clash for world domination
Virus makers trade coded insults in battle for spammers' dollars
Gillian Shaw
Vancouver Sun
Thursday, March 04, 2004
Computer users awoke to an explosion of competing electronic viruses Wednesday as three virus creators clashed in the first cyber struggle for world domination of the Internet.
At stake are vast armies of Internet-connected computers that virus makers are trying to control. Once under their control, they sell access to the computers to spammers, who use them to send out a constant barrage of junk mail.
It comes down to a fight for the spammers' dollars, with computer users caught in the crossfire.
In this battle for cyber dominance, one author has created a virus that wipes out the other two and the virus authors are engaged in an expletive-loaded discussion that is contained in the binary codes of the virus variants they are creating.
"These three virus authors seem to be running an argument and they are sending comments to each other in the viruses," said Alfred Huger, senior director of engineering with Symantec, an Internet security company and maker of Norton AntiVirus software. "It is their way of having a discussion. To have a discussion they need to release more variants of their viruses [in order to carry on the debate.]
"It is pretty scary -- the more so because it is juvenile and these guys are using a pretty destructive medium to carry on this argument," he said.
The most insidious of the virus variants is one that purports to be from the computer user's company tech support or their Internet service provider and asks them to open a password-protected e-mail attachment for instructions. Once opened, the attachment releases the virus.
That action triggers a worm that leaves a back door to the computer open, allowing it to be controlled from outside and used to send spam.
The wording of the discussion and the frequency with which new variants are released indicates it is all-out war.
"The short period of time between each new worm release, by the same set of virus-writing groups, is real reason for alarm, especially since so many of them have successfully compromised systems worldwide," Steven Sundermeier, vice-president of products and services at Central Command, an anti-virus company, said in a news release. "It's a direct attack on the response times of antivirus companies, a strain on IT professionals, a financial impact on businesses, and appears to be a war over power and seniority among these authors.
"Unfortunately, the global fight over superiority may result in a victory for the cyber combatants but not for the general Internet user population."
Inboxes have been flooded with the viruses, which are the latest variants of Mydoom, Netsky and Beagle, also known as Bagle.
Since Feb. 27, nine variants of the Beagle/Bagle worm have been released, according to Central Command. Four of these have successfully proliferated around the globe. During the same time, the author or authors behind the Netsky Internet worm have released three versions of their own.
Netsky's sole purpose appears to be to disable the Mydoom and Beagle/Bagle viruses on infected computers. The creator or creators of MyDoom responded with the release of MyDoom.G, an updated version that was not disabled by Netsky.
Netsky's author is no white knight out to save the cyber world. Instead, that virus is disabling its competition simply so it can take control of more PCs.
"There is a valuable commodity, which is the home PC which they can turn into a zombie for the delivery of spam," said Jesse Dougherty, director of development at Sophos Inc., an e-mail security company with North American headquarters in Vancouver.
"They take over PCs and then those machines are used in large blocks by spammers. The virus writers end up with huge blocks of zombie machines that they can lease to a spammer -- it's a battle of economics."
In a communication contained in the virus code, the Bagle/Beagle creator wrote: "Hey, NetSky, (expletive deleted) off you bitch, don't ruine our bussiness, wanna start a war?"
Zombie computers have an expiry date, so there is constant competition among virus writers to control new machines.
"They're trying to colonize," Dougherty said. "There are millions of these owned machines around the Net, [but] after they are used for a short period of time, are no longer useful."
That's because the worms contain a time out, to fuel demand for new machines.
"They will die at some point," Dougherty said. "When virus authors lease the computers to spammers, they don't want them to have access ad infinitum.
"The virus writer with the most fresh zombies is the one making the most money."
Shaw and Telus Internet service providers were warning customers Wednesday about the threat posed by the type of virus that purports to be from the computer user's company tech support or their Internet service provider.
The latest variant of the Beagle/Bagle virus is particularly devious because it uses the Shaw name and pretends to be from the Internet provider's staff.
It can also pretend to be from corporate technical staff, as this example that arrived in an e-mail account at our newspaper demonstrates. It reads,
"Dear user of e-mail server "Canwest.com",
"Your e-mail account has been temporary disabled because of unauthorized access.
"For further details see the attach.
"Attached file protected with the password for security reasons. Password is 17338. Sincerely, The Canwest.com team."
Similar messages appear to come from Telus and Shaw staff.
One e-mail claiming to be from Shaw tells recipients to configure "our free auto-forwarding service" if they don't want their e-mail service to be interrupted.
"These guys are quite coy and sneaky," Shaw Communications president Peter Bissonnette said of the virus authors.
"When people get a message with 'I love you,' in the subject line, they'll delete it because they know it's a virus.
"But this one looks like it's important. People get fooled into opening it up and all you do is promulgate the virus."
Bissonnette said once the new variant was identified in the system Wednesday, the service provider was able to block it to protect customers. Shaw offers free scanning and virus removal through its Web site for customers who have activated the virus.
Telus representative Karen Dosanjh said the latest variation of the virus, which Telus refers to as Bagle, is particularly challenging because it arrives in inboxes disguised as what looks like a warning notification from the service provider.
"Customers should be advised that Telus does not send out e-mail communications to customers including attachments, to avoid this type of situation," she said. "That is something we never do."
Telus offers an anti-virus service with its high speed Internet service.
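The lure described above (a message posing as the ISP or the company's own IT staff, pointing the reader to a password-protected attachment with the password printed in the body) can be screened at the mail gateway with a few content checks, and the Telus rule that the provider never sends attachments translates directly into a quarantine condition. The following is an added Python example, not code from the newspaper or from any company quoted in the article; the phrase list, the risky-extension list and the two sample messages are assumptions constructed for the demonstration, with the local domain and the password wording taken from the article's printed sample.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Domain of the mail server being protected. The article's sample lure claimed to
# come from "the Canwest.com team"; that domain is reused here as the local one.
LOCAL_DOMAIN = "canwest.com"

# Phrases the article's lure samples rely on (account disabled, "see the attach",
# "auto-forwarding service"). Two or more in one body count as lure phrasing.
# Assumed list, constructed for this example.
LURE_PHRASES = (
    "account has been",
    "disabled",
    "unauthorized access",
    "see the attach",
    "auto-forwarding",
    "will be interrupted",
)
# "Password is 17338" style disclosure: the archive is encrypted only so that
# gateway scanners cannot open it while the reader still can.
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:)\s*([A-Za-z0-9]+)", re.IGNORECASE)
RISKY_EXTENSIONS = (".zip", ".rar", ".exe", ".pif", ".scr", ".com")


def build_message(sender, subject, body, attachment_name=None):
    """Assemble a test message; the attachment payload is dummy bytes (constructed)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@" + LOCAL_DOMAIN
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"constructed-placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def score_message(raw):
    """Return (verdict, flags) for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    if domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN):
        # Mail that claims to be our own staff/provider: the lure's main trick.
        # On its own this is weak evidence (most internal mail looks like this).
        flags.append("claims_local_origin")

    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in names):
        flags.append("risky_attachment")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part else ""
    if PASSWORD_RE.search(text):
        flags.append("password_in_body")
    if sum(1 for phrase in LURE_PHRASES if phrase in text.lower()) >= 2:
        flags.append("lure_phrasing")

    # Policy from the article: the provider never sends attachments, so a message
    # that claims local origin and carries a risky attachment is quarantined
    # outright. Otherwise two strong indicators quarantine, one only flags.
    strong = [f for f in flags if f != "claims_local_origin"]
    if ("claims_local_origin" in flags and "risky_attachment" in flags) or len(strong) >= 2:
        verdict = "quarantine"
    elif strong:
        verdict = "flag"
    else:
        verdict = "deliver"
    return verdict, flags


# Constructed samples (not the article's actual mail): a lure shaped like the one
# printed in the story, and a benign internal notice with no attachment.
LURE_SAMPLE = build_message(
    "support@canwest.com",
    "E-mail account notification",
    "Dear user of e-mail server Canwest.com,\n"
    "Your e-mail account has been temporary disabled because of unauthorized access.\n"
    "For further details see the attach.\n"
    "Attached file protected with the password for security reasons. Password is 17338.\n",
    attachment_name="details.zip",
)
BENIGN_SAMPLE = build_message(
    "newsroom@canwest.com",
    "Editorial meeting moved to 3pm",
    "The Thursday editorial meeting is moved to 3pm. No action needed.\n",
)

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The local-origin check only looks at the From header, which is exactly what the worm forges; in a real gateway it would be combined with the envelope sender and SPF or DKIM results to decide whether a local-domain From actually came from inside. The password-in-body test is the part that matters most for this lure, because an encrypted archive is chosen precisely to pass unopened through gateway scanners.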
- - -
WORM TALK
Some examples of the discussion between virus writers that has been extracted by the anti-virus company Central Command from the code used to create the warring worms:
Worm/Bagle.J: Hey, NetSky, (expletive deleted) off you bitch, don't ruine our bussiness, wanna start a war?
Worm/Bagle.K: Hey, NetSky, (expletive deleted) off you bitch!
Worm/Netsky.F: Skynet AntiVirus -- Bagle -- you are a looser!!!!
Worm/Netsky.D: be aware!...
Worm/Netsky.C: we are the skynet -- you can't hide yourself! - we kill malware ... MyDoom.F is a thief of our idea! ...SkyNet AV vs. Malware
© The Vancouver Sun 2004