What's Behind the Email Malware Flood?
Published March 02, 2004
Security firm mi2g offers some fascinating insight into the malware epidemic:
- As new variants of malware continue to arrive faster than they can be analysed or remedied, the malware tsunami is overwhelming both its victim organisations as well as anti-virus toolkit companies and security professionals across the world. Most security companies, internet service providers and systems administrators have been severely overworked since the initial outbreak of MyDoom in late January, with no sign of a let-up.
These fast-spreading malware epidemics, propelled further by new variants, some of which cannot be detected through traditional means, are changing the digital risk landscape forever. The main concern within government agencies and corporate circles is the MyDoom, NetSky and Bagle families' swift proliferation and evolution through a barrage of variants in a very short space of time. The key questions being asked are as follows:
1. Are MyDoom, NetSky and Bagle variants authored or sponsored by organised criminal syndicates?
In liaising with government agencies, the mi2g Intelligence Unit has learnt that the zombie-creating function of the latest malware - especially MyDoom and Bagle - is linked to the requirement to create proxies for spam campaigns, phishing scams and DDoS extortion. This is not the activity of hobbyists but organised criminals.
2. Did the MyDoom authors write Doomjuice to cover their tracks?
MyDoom.c, or Doomjuice.a, which carried the source code of MyDoom.a, was clearly written by the same perpetrators, and their motive for doing so was presumably threefold:
a. Obstruct the efforts of law enforcement agencies attempting to apprehend the author by searching for computers on the internet with the correct source code;
b. Allow others to create more successful variants of MyDoom; and
c. Suggest solidarity with the Open Source community by releasing source code to the public.
3. Is the perpetrator of MyDoom's later variants a subculture malware writer, i.e., someone doing it for bragging rights?
There is a consistent pattern. Earlier variants of MyDoom attacked SCO and Microsoft: SCO because it has been involved in unpopular litigation. RIAA, which is targeted by later MyDoom variants, has also been involved in many unpopular law suits since September 2003.
4. What are the MyDoom, NetSky and Bagle authors doing at present?
The authors could be developing more destructive versions of their malware, having refined the delivery mechanisms, or they could be reverse engineering one of the critical updates released by a popular operating system or application vendor, to target specific vulnerabilities.
5. Who wrote the original NetSky?
It appears that NetSky's author is involved in a turf war with MyDoom and then another turf war with Bagle. That suggests the possibility of bragging rights or intellectual challenge as a motive instead of financial gain. NetSky.d was released at the beginning of March, and whilst it has its own agenda, it also modifies registry keys to delete the "au.exe" file used by two variants of the Bagle malware.
- Writer: Eric Olsen
- Section: Sci/Tech: Internet, Sci/Tech: Software

It appears that NetSky's author is involved in a turf war with MyDoom and then another turf war with Bagle.
These are tiny, tiny people if they engage in "turf wars" over friggin' viruses. What sad, little people.