MyDoom, Bagle and Netsky fight for Internet control
March 4, 2004
New versions of MyDoom, Bagle and Netsky have appeared as the battle to control computers around the world heats up.
Security agencies have issued alerts for MyDoom-G and H, Bagle-J and K and Netsky F.
The new worm versions were rated "low" threats by Symantec Corp., indicating that they were spreading slowly. However, Network Associates Inc.'s McAfee antivirus unit increased its rating of Bagle.H from a low to a "medium" threat, based on an increased number of submissions from customers and other Internet users.
Both new versions of the Bagle worm spread in password-protected .zip files, like the Bagle.F and Bagle.G variants that appeared over the weekend. The virus authors supply the password needed to open the .zip file in the body of the e-mail message that carries it, which also keeps gateway scanners from inspecting the archive's contents.
MyDoom-G also avoids sending infected mail to addresses at antivirus companies, in the hope of delaying their discovery of the new variants. "They are trying to avoid us, so that users have to send infected emails on to us manually," said Graham Cluley, senior technology consultant for Sophos, "but we've got honeypots around the world to pick these things up that the virus writers don't know about."
MyDoom-G will also launch a denial-of-service attack against Symantec's website. Its Norton antivirus software is popular with home users, and if the attack is anywhere near as successful as MyDoom-A's attack on SCO, those customers may have difficulty downloading the updates that protect them against infection.
Antivirus experts do not know who is behind the flood of new worm variants that have appeared since mid-January, when Bagle and MyDoom first surfaced. Competing groups of virus writers may be behind the releases, using worms to battle for Internet turf measured in compromised hosts, but it is also possible that a single group, large or small, is responsible; for now, nothing can be said for certain.
The most curious thing is that the viruses appear to fight each other: NetSky-D seeks out and removes evidence of MyDoom infections and also deletes the Registry keys used by two Bagle variants. Likewise, NetSky-C rids the computers it infects of MyDoom and of earlier NetSky variants. Some Bagle variants try to do the same to MyDoom and to NetSky itself.
Researchers are also looking at the security risks posed by the viruses, many of which open communication ports on infected systems that can be used to upload further malicious software or to control the systems remotely, though this does not appear to be the worms' primary goal.
It may be, for example, that spammers are taking advantage of the virus-writing community to build an army of zombie computers to send out spam for them.
To avoid infection, take extreme care when handling e-mail, especially messages from unknown senders or that were not expected. ISPs are also advised to give users the option of blocking executable or binary attachments entirely, which also saves network bandwidth and helps protect novice users from accidental infection.
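As an added example (not part of the original article, and not taken from any of the worms), the following Python sketches the gateway-side checks that the two observations above imply: an encrypted .zip whose opening password appears in the same message body, the pattern the Bagle variants use, and the executable or binary attachments an ISP could let its users block outright. The message layout, file names, payload bytes and verdict strings are all constructed here for illustration; the zip encryption flag is set by hand because Python's zipfile cannot write encrypted archives, so the sample archive is flagged but not actually encrypted.

```python
"""Mail-gateway attachment checks (constructed example, not from any real product)."""
import io
import os
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Attachment types Windows runs directly when opened; the ISP-side option to
# block these outright is the recommendation the article makes. Constructed list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
PASSWORD_RE = re.compile(r"\bpassword\b", re.IGNORECASE)


def zip_encryption_and_members(data: bytes):
    """Return (any_entry_encrypted, [member names]) for a zip blob.

    Bit 0 of each entry's general-purpose flag marks traditional PKZIP encryption.
    An encrypted entry cannot be content-scanned without the key, which is why a
    password-protected archive defeats a gateway scanner.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False, []
    return any(i.flag_bits & 0x1 for i in infos), [i.filename for i in infos]


def classify_message(raw: bytes, block_executables: bool = False) -> list:
    """Return one "ACTION: reason" verdict per attachment that trips a rule."""
    msg = message_from_bytes(raw, policy=default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTS:
            if block_executables:
                verdicts.append(f"BLOCK: executable attachment {name}")
            continue
        if ext != ".zip" and not data.startswith(b"PK\x03\x04"):
            continue
        encrypted, members = zip_encryption_and_members(data)
        if encrypted and PASSWORD_RE.search(body):
            # Encrypted archive plus its password in the same mail: the scanner is
            # blind and the recipient is being walked through opening it.
            verdicts.append(f"QUARANTINE: encrypted zip {name} with password in body")
        elif encrypted:
            verdicts.append(f"HOLD: encrypted zip {name} cannot be scanned")
        elif block_executables and any(
            os.path.splitext(m.lower())[1] in EXECUTABLE_EXTS for m in members
        ):
            verdicts.append(f"BLOCK: zip {name} contains executable content")
    return verdicts


def make_flagged_zip(member: str, payload: bytes, encrypted: bool) -> bytes:
    """Build a one-entry zip and, if asked, set the encryption flag bit.

    Constructed helper: the data is not really encrypted; only the flag that a
    scanner inspects is flipped, in both the local and the central headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits at offset 6 of a local header and offset 8 of a central one.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 0x1
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


def build_message(body: str, filename: str, data: bytes, subtype: str) -> bytes:
    """Assemble a minimal multipart message with one attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


FAKE_EXE = b"MZ" + b"\x00" * 62  # inert stand-in for an executable header (constructed)

# Bagle-style: flagged-encrypted archive, password given in the body.
BAGLE_STYLE = build_message("Attached is the document. The password is 12345.",
                            "document.zip", make_flagged_zip("document.exe", FAKE_EXE, True), "zip")
# Plain archive carrying an executable, and a bare executable attachment.
PLAIN_ZIP = build_message("See attached.", "photos.zip",
                          make_flagged_zip("photos.scr", FAKE_EXE, False), "zip")
BARE_EXE = build_message("Run this.", "update.exe", FAKE_EXE, "octet-stream")

if __name__ == "__main__":
    for label, raw in (("bagle-style", BAGLE_STYLE), ("plain zip", PLAIN_ZIP), ("bare exe", BARE_EXE)):
        print(label, classify_message(raw, block_executables=True))
```

The encrypted-plus-password case is treated differently from a merely encrypted archive: an unscannable attachment on its own only needs to be held, but the same message also handing over the key is the behaviour the article describes, so it is quarantined rather than delayed. The executable rules are opt-in, matching the article's suggestion that ISPs offer blocking as a user choice rather than impose it.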