Security firm mi2g offers some fascinating insight into the malware epidemic:
As new variants of malware continue to arrive faster than they can be analysed or remedied, the malware tsunami is overwhelming both its victim organisations as well as anti-virus toolkit companies and security professionals across the world. Most security companies, internet service providers and systems administrators have been severely overworked since the initial outbreak of MyDoom in late January with no sign of a let-up.
These fast spreading malware epidemics propelled further by new variants, some of which cannot be detected through traditional means, are changing the digital risk landscape forever. The main concern within government agencies and corporate circles is in regard to MyDoom, NetSky and Bagle families’ swift proliferation and evolution through a barrage of variants in a very short space of time. The key questions being asked are as follows:
1. Are MyDoom, NetSky and Bagle variants authored or sponsored by organised criminal syndicates?
In liaising with government agencies, the mi2g Intelligence Unit has learnt that the zombie creating function of the latest malware – especially MyDoom and Bagle – is linked to the requirement to create proxies for spam campaigns, phishing scams and DDoS extortion. This is not the activity of hobbyists but organised criminals.
2. Did the MyDoom authors write Doomjuice to cover their tracks?
MyDoom.c or Doomjuice.a, which carried the source code of MyDoom.a, was clearly written by the same perpetrators, and their motive for doing so was presumably threefold:
a. Obstruct the efforts of law enforcement agencies attempting to apprehend the author by searching for computers on the internet with the correct source code;
b. Allow others to create more successful variants of MyDoom; and
c. Suggest solidarity with the Open Source community by releasing source code to the public.
3. Is the perpetrator of MyDoom’s later variants a subculture malware writer, i.e., someone doing it for bragging rights?
There is a consistent pattern. Earlier variants of MyDoom attacked SCO and Microsoft: SCO because it has been involved in unpopular litigation. RIAA, which is targeted by later MyDoom variants, has also been involved in many unpopular lawsuits since September 2003.
4. What are the MyDoom, NetSky and Bagle authors doing at present?
The authors could be developing more destructive versions of their malware, having refined the delivery mechanisms, or they could be reverse engineering one of the critical updates released by a popular operating system or application vendor, to target specific vulnerabilities.
5. Who wrote the original NetSky?
It appears that NetSky’s author is involved in a turf war with MyDoom and then another turf war with Bagle. That suggests the possibility of bragging rights or intellectual challenge as a motive instead of financial gain. NetSky.d was released at the beginning of March, and whilst it has its own agenda, it also modifies registry keys to delete the “au.exe” file used by two variants of the Bagle malware.
NetSky.c also had the unusual characteristic of sniffing for evidence of a MyDoom or Netsky infection before attempting to deactivate MyDoom.a, MyDoom.b, Netsky.a and Netsky.b. Embedded in Netsky.c’s code were indications that rival groups of malware authors are battling for attention, or at least malware ‘mind share.’
6. Who is writing all the variants we are presently witnessing?
There is a large tsunami of variants being released in a short space of time. This is historically unprecedented. It is also too early to answer this question. The number and frequency of variants being released suggests some dedicated resources are being applied to achieve a specific objective. It is also highly unusual that so many variants of Bagle have appeared in such a short period. It could be that the Bagle perpetrators are refining their ‘work-in-progress’ to keep it ahead of the anti-virus companies’ solutions iteratively. That is the only plausible explanation as to why .f and .g are virtually indistinguishable and both expire on the same date in late March.
7. Is the current tidal wave simply a revival of intellectual challenge seekers spurred on by the work of organised crime malware authors? If this is the case, doesn’t the confusion help organised crime?
There is a possibility that intellectual challenge seekers or bragging rights seekers are working simultaneously at creating new variants. Either way, the net beneficiary is organised crime as the number of compromised computers or zombies continues to increase. Those zombies can be used for a variety of malevolent or clandestine purposes from launching spam campaigns to phishing scams and also from carrying out DDoS extortions to working as fileservers for illicit or pirated material.
mi2g Intelligence Unit preliminary data shows that NetSky.d has already caused between $405 million and $495 million in estimated damages worldwide. Taken together, the NetSky family has climbed to 8th rank in The Top 20 Table of most damaging malware maintained by mi2g since 1995, with estimated economic damage between $7.1bn and $8.7bn worldwide. NetSky.d appeared to be particularly fast-spreading, with Europe showing the most infections, while Africa experienced the worst rate of infection, having a higher number of infections per PC. Australia has not featured at this stage, but the worst affected countries are primarily West European, followed by the US and Japan.
People, clean out your computers with a program like Spybot Search and Destroy, then don’t open attached files from people you don’t know. Since my address is so public, it is being spoofed viciously – if you get an email from me with an attachment, IT’S NOT FROM ME AND DON’T OPEN IT. I don’t send attachments. Also, make sure you have updated security patches from Microsoft if you use a Microsoft operating system.