Virus writers getting personal - and petty
- 04 March, 2004 12:45
No one has ever accused virus writers of being the epitome of maturity, but the war, if it can be called that, between the creators of NetSky and Bagle has gotten personal, in a schoolyard "I know you are but what am I" kind of way.
The two worms, up to variants K and F (Bagle and NetSky respectively), are taking their personal distaste for the other's existence out into the public forum with thinly veiled threats and insults in the code.
The following repartee, courtesy of antivirus company Central Command, is a stellar example of hacker etiquette.
Worm/Bagle.J: "Hey, NetSky, [expletive] off you bitch, don't ruine (sic) our bussiness (sic), wanna start a war?"
Worm/Netsky.F: "Skynet AntiVirus - Bagle - you are a looser!!!!"
Worm/Netsky.C: "we are the skynet - you can't hide yourself! - we kill malware … MyDoom.F is a thief of our idea! … SkyNet AV vs. Malware."
All of this aside, there are serious corporate concerns with these two (three if MyDoom is included) worms.
"It is a bit more than graffiti," vice-president of products and services with Central Command, Steven Sundermeier, said.
There are a lot of casualties with each new creation.
"All the variants are capable of being successful," he said.
Security professionals were scrambling a bit because they were being forced to make sure antivirus systems were updated constantly, Sundermeier said.
"This kind of level where they are just releasing their creations one after another, after another, is completely unique," he said.
The worm writers were apparently quite knowledgeable about how the antivirus industry works, because each subsequent release differs just enough from its predecessor to bypass antivirus software (until an update is available).
Symantec's auto-update runs at least once every 24 hours, said Alfred Huger, senior director of engineering with Symantec Global Services.
But with releases coming almost as quickly, companies are advised to shore up their email attachment policies.
Sundermeier said some of Central Command's customers were placing a quarantine on all email attachments until the dust settled a little bit.
In Bagle J and K, the payload is stored as a password-protected ZIP file.
Huger said this could be a problem because many corporate email policies did not automatically quarantine ZIP files, since they were not viewed as executables.
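The gap Huger describes is that a gateway which only blocks attachments by outer file type never looks at what a ZIP contains, and cannot scan an entry whose general-purpose flag bit 0 (encryption) is set. The following is an added illustration, not code from the article, Central Command or Symantec: it builds a few constructed ZIP attachments in memory and applies a simple policy that quarantines an archive when any entry is encrypted (unscannable) or carries an executable-type name read from the central directory. The extension list and the quarantine rule are assumptions for the example, not any vendor's product policy.

```python
import io
import os
import struct
import zipfile
import zlib

# Assumed policy for this example (not from the article): names inside the archive
# whose extension marks executable content, in the style of a mail gateway blocklist.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_zip(entries, encrypted=False):
    """Build a minimal 'stored' (uncompressed) ZIP in memory as constructed test input.

    encrypted=True sets general-purpose flag bit 0, the marker a scanner sees on a
    password-protected entry; the payload bytes are not really encrypted here, which is
    enough because the policy never tries to extract them.
    """
    flags = 0x0001 if encrypted else 0x0000
    dos_date = (1 << 5) | 1  # 1 January 1980, a valid placeholder DOS date
    body, central = b"", b""
    for name, payload in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(body)
        # Local file header: sig, version, flags, method, time, date, crc, sizes, name/extra len
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, dos_date,
                            crc, len(payload), len(payload), len(name_b), 0) + name_b + payload
        # Central directory header for the same entry, pointing back at the local header
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, dos_date,
                               crc, len(payload), len(payload), len(name_b), 0, 0, 0, 0, 0,
                               offset) + name_b
    # End of central directory record
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


def inspect_zip_attachment(data):
    """Decide whether a ZIP attachment should be quarantined.

    Returns (quarantine, reasons). An entry is treated as unscannable when its
    general-purpose flag bit 0 (encryption) is set, because the gateway cannot look
    inside it; executable-type names are taken from the central directory rather than
    from the outer attachment name.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return True, ["archive does not parse; cannot be scanned"]
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x0001:
                reasons.append(f"encrypted entry cannot be scanned: {info.filename}")
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable content inside archive: {info.filename}")
    return bool(reasons), reasons


# Constructed samples for the demonstration; none of these is a real worm sample.
BENIGN_ZIP = build_zip([("report.txt", b"quarterly numbers\n")])
PLAIN_EXE_ZIP = build_zip([("photo.exe", b"MZ placeholder bytes")])
ENCRYPTED_ZIP = build_zip([("document.exe", b"x" * 16)], encrypted=True)

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ZIP), ("plain exe", PLAIN_EXE_ZIP),
                        ("encrypted", ENCRYPTED_ZIP)]:
        verdict, why = inspect_zip_attachment(blob)
        print(f"{label}: {'quarantine' if verdict else 'deliver'} {why}")
```

The point of reading the central directory rather than the outer filename is that a policy keyed on "is the attachment itself an executable" passes a ZIP through untouched; the encrypted-flag check is what turns a password-protected archive from "harmless container" into "content we could not inspect", which is the condition the customers quarantining all attachments were reacting to.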
For now it appears that NetSky is the less virulent of the two (bandwidth consumption notwithstanding), since it removes MyDoom and Bagle from infected machines and then propagates itself.
The two others propagated and left a backdoor on infected machines, Huger said.
Bagle leaves port 2745 open, Sundermeier said.