[ISN] Watch out for worm wars

InfoSec News isn at c4i.org
Thu Aug 18 03:06:42 EDT 2005


By Joris Evers
CNET News.com
August 17, 2005

The recent surge in worms could be part of an underground battle to
hijack PCs for use in Net crimes, some security experts say--but
others aren't convinced.

Signs of a turf war between cybercrooks lie in the behavior of the
worms that have emerged since Sunday, said Mikko Hypponen, chief
research officer at F-Secure, a Finnish security software company.

The dozen or so worms and variants all exploit a security hole in the
plug-and-play feature in the Windows 2000 operating system. But some
versions undo the effects of earlier worms, suggesting that the
creators are battling to take over computers that others have already
compromised, Hypponen said.

"We seem to have a botwar on our hands," Hypponen said Wednesday.
"There appear to be three different virus-writing gangs turning out
new worms at an alarming rate, as if they were competing to build the
biggest network of infected machines."

The first worm, dubbed Zotob, appeared on Sunday and appeared to have
faded Monday. However, several Zotob offshoots and another new worm,
Bozori, were subsequently unleashed. New versions of pre-existing
threats Rbot, Sdbot, CodBot and IRCBot also began wriggling their way
into computers. Systems at CNN, ABC and The New York Times were hit.

The worms include "bot" code, or a program that lets the attacker
control a compromised system remotely. Criminals have typically
organized these hijacked systems in networks called "botnets." These
botnets are rented out to relay spam and launch phishing scams, which
attempt to steal sensitive personal data for fraud. Botnets have also
been used to mount denial-of-service attacks against online businesses
targeted by extortion schemes, experts have said.

The outbreak has a financial motive, according to Sophos, an antivirus
company based in Abingdon, England. "Organized criminal gangs are
behind attacks like these, and their motive is to make money. Owning a
large network of compromised computers is a valuable asset to these
criminals," said Graham Cluley, the senior technology consultant at

A botnet of about 5,500 "zombies," or compromised computers, typically
costs spammers, phishers or other crooks about $350 a week, security
company Symantec has said.

The worm battle has likely only just begun, said Alex Shipp, a senior
antivirus technologist at MessageLabs, an e-mail security company. He
said we may well see a period of intense activity in malicious
software attacks as these groups vie for "pole position."

Worm battles are not new. Last year, the creators of Bagle, NetSky
and MyDoom appeared to be in competition to gain control of large
numbers of PCs for use in botnets.

But not everybody is convinced that the same kind of turf war is
happening now. Stefana Ribaudo, a director in the threat management
sector at Computer Associates, said the company had not seen any
viruses or worms that try to detect or remove other worms.

Lysa Myers, a virus research engineer at security software maker
McAfee, agreed that there were no real signs of a struggle to control
botnets. "This particular worm outbreak is so small that there really
is no room for an offensive strategy," she said.

If there is anything going on, it is just an underground rivalry, said
John Pironti, a principal security consultant at Unisys, an IT
services company in Blue Bell, Penn. "Attackers like to boast about
how many machines they have under their control," he said. "What you
are potentially seeing is that it is a contest."

If the purpose was really to expand botnets, attackers would use more
sophisticated methods that fly under the radar of antivirus companies,
Pironti said.

Microsoft offered a fix for the Windows plug-and-play bug exploited by
the worms in its monthly patching cycle last week. The software maker
deemed the issue "critical," its most serious rating. The first Zotob
variant appeared in record time after Microsoft's patch release,
giving Windows users little time to fix their systems.

The security issue affects Windows XP and Windows Server 2003, but
only PCs running Windows 2000 are susceptible to a remote attack,
Microsoft has said.

There are desktop and server versions of Windows 2000, which was
released in 2000 for business users rather than consumers. More recent
editions of Windows are available, but Windows 2000 remains popular.
The operating system ran on 48 percent of business PCs during the
first quarter of 2005, according to a recent study by AssetMetrix.

Infected machines can be cleaned up using tools available from
antivirus software makers, including Symantec. Windows 2000 users who
have not patched should do so as soon as possible, Microsoft has
