What's Behind the Email Malware Flood? - Page 2

There is a consistent pattern. Earlier variants of MyDoom attacked SCO and Microsoft, SCO because it has been involved in unpopular litigation. The RIAA, which is targeted by later MyDoom variants, has also been involved in many unpopular lawsuits since September 2003.

4. What are the MyDoom, NetSky and Bagle authors doing at present?

The authors could be developing more destructive versions of their malware now that they have refined the delivery mechanisms, or they could be reverse engineering one of the critical updates released by a popular operating system or application vendor in order to target the specific vulnerabilities those updates fix.

5. Who wrote the original NetSky?

It appears that NetSky's author is involved in a turf war with MyDoom's author and then another with Bagle's. That suggests bragging rights or intellectual challenge as a motive instead of financial gain. NetSky.d was released at the beginning of March, and whilst it has its own agenda, it also modifies registry keys to delete the "au.exe" file used by two variants of the Bagle malware.

NetSky.c also had the unusual characteristic of checking for evidence of a MyDoom or NetSky infection before attempting to deactivate MyDoom.a, MyDoom.b, NetSky.a and NetSky.b. Embedded in NetSky.c's code were indications that rival groups of malware authors are battling for attention, or at least for malware 'mind share.'

6. Who is writing all the variants we are presently witnessing?

A flood of variants is being released in a short space of time, which is historically unprecedented, so it is too early to answer this question. The number and frequency of the variants suggests that dedicated resources are being applied to achieve a specific objective. It is also highly unusual that so many variants of Bagle have appeared in such a short period. It could be that the Bagle perpetrators are iteratively refining their 'work-in-progress' to keep it ahead of the anti-virus companies' solutions. That is the most plausible explanation of why Bagle.f and Bagle.g are virtually indistinguishable and both expire on the same date in late March.

Article Author: Eric Olsen

Career media professional Eric Olsen is honored to be the founder and former publisher of Blogcritics.org, and former publisher of Technorati.com, which both rule. He is now editor, co-founder, and CEO of The Morton Report.

Article comments

  • 1 - Tom Johnson

    Mar 02, 2004 at 11:53 am

    It appears that NetSky's author is involved in a turf war with MyDoom and then another turf war with Bagle.

    These are tiny, tiny people if they engage in "turf wars" over friggin' viruses. What sad, little people.
