McAfee’s Virus Report Card – Grim

It’s been a busy six months for the virus-writing folk.

McAfee says the first half of this year has seen more serious viruses than in the whole of last year (sorry, no URL available yet). A large part of this has been the war between the Bagle and Netsky authors, a war that has seen their viruses appear in 215 countries.

What’s perhaps surprising is that this bucks a trend in virus production, where McAfee saw a steady decline in the rate of viruses produced from 2000 to 2003, down to a 5% year over year growth. That seems to be all over, for now at least.

Another weak spot: in the first half of 2004 McAfee noted 11 exploits targeting four Microsoft vulnerabilities, against 15 exploits targeting seven Microsoft vulnerabilities in the whole of 2003. In other words: more folk trying to make the most out of fewer holes.

Are The Worm Wars Over?

German police on Friday arrested two men: an 18-year-old in Rotenburg in connection with the Sasser worm, and a 21-year-old who confessed to creating a bot called Agobot or Phatbot.

A lot of folk believe the gang responsible for the Sasser worm may also be responsible for the Netsky worms, which have been infecting computer users for most of this year. Sophos’ Graham Cluley, for example, says, “If you scrutinize the most recent Netsky worm, you can see that the author embedded a taunt to anti-virus companies, bragging that he also wrote the Sasser worm. If this is the case, this could be one of the most significant cybercrime arrests of all time.”

Cluley goes on to say: “All these worms have been highly disruptive and complex, suggesting that the author isn’t working alone. Seizing this man’s computers could provide the vital clues that will bring down the infamous ‘Skynet’ virus-writing gang. We would not be surprised if more arrests follow in due course.”

What I’m interested in are claims that the people behind these attacks were not just doing it for fun, but for money, by setting up chains of zombie computers and then selling the connections to spammers and fraudsters. Could this also shed light on the Russian and Eastern European underworld, or are the groups not connected?

Virus Writers As Spotty Juveniles Or Hardened Criminals? Take Your Pick

Was the recent virus war just between kids, or something more sinister?
Mi2g, the British Internet security consultants, reckon not. “Upon analysing the juvenile dialogue between the malware writers of NetSky, Bagle and MyDoom it has been prematurely concluded by a range of commentators that this is a turf war between teenagers or college students seeking global notoriety. Whilst script kiddies are active in large numbers around the globe benefiting from freely available online hacking and malware authoring tools, a coincidental release of malware variants that have contributed to a tsunami is highly unlikely to be merely the work of teenagers.”
Some folk have pointed to discussion on some online bulletin boards as evidence of the gang-style war behind these recent viruses. Mi2g see it differently: “It could well be that the teenager-type messages were deliberately left behind by more mature malevolents to benefit from the publicity of their intended disguise that delivers obscurity to the real motives behind this rapid release of malware variants and the colonisation of millions of zombie computers in homes, places of learning, government departments and corporations.”
“The fact that Bagle and its many variants involved advanced social engineering — tricks to persuade you to open, and therefore activate, the virus-laden attachment — suggests a high level of specificity in what the malware writers seek,” mi2g reckon. The email containing the virus mimics the email address domain to which it is being sent, thereby confusing the user (and confusing me too). Other elements convince mi2g these guys are not just mucking about:
  • The backdoors that are left open by MyDoom, for example, cannot be exploited easily by a novice;
  • Hundreds of thousands of tailor-made emails received over the last week carry a Bagle variant, for example, within an encrypted attachment that bypasses the defences of many corporations and ISPs;
  • The rapacious way in which the address books are then plundered across the corporate network also suggests a more legitimate email address harvesting motive than simply an intellectual challenge frenzy between rivals.

Mi2g also points to the NetSky variants which also “sniff for evidence of MyDoom and Bagle infections as well as their previous incarnations before attempting to deactivate them”. Mi2g concludes that “groups of malware authors are battling for market share of infected computers and there is a protracted turf war underway, where large sums of money or valuable assets are involved.”

I tend to agree, and have said so, in my usual quiet way. But I think there’s a slight difference in my analysis and theirs. While mi2g say “It would be a folly to assume that all these groups of malware writers, who masquerade as juvenile teenagers, are not linked to trans-national criminal syndicate activity. All this suggests a grander financial plan than mere bragging rights”, I don’t believe they are grown-ups masquerading as kids. I think they are probably kids who are sharing some of the loot with the gangs.
In fact, I think it may be wrong to think of the people behind these scams as big established gangs. They may be relatively large in number for a culture not known to cooperate but, at a pop, I’d say there were no more than 10 or so per group — and, importantly, they are fluid and ad-hoc. For a scam to work you need someone with the brains to figure out how to extract money (the scammer), someone to do the coding (the coder), and someone to distribute it (the spammer). All of them could, in effect, be kids. To see what life among this kind of folk is like, look no further than Robin Miller’s interview on NewsForge with Andrew D Kirch, a security administrator who recently infiltrated some script kiddie groups. While script kiddies — generally derided on the assumption that they copy most of the code they use rather than writing it themselves — may not be up to creating the viruses we’re talking about here, one gets a pretty good general idea of the culture.

The Virus Turf War

More on who’s behind the latest wave of virus attacks.

Mary Landesman looks at text strings contained in the viruses of Bagle (sometimes Bagel) and MyDoom to show how “a battle is waging between three groups of virus writers, each attempting to prove superiority over the other.” It’s a very good piece.

But it’s not quite that simple, I suspect. She quotes a virus analyst at Norman Data Defense Systems, the excellently named Snorre Fagerland, as saying, “We suspect that several virus authors – or factions of virus authors – are competing in creating the most successfully spreading worm. So far we see three different groups or persons, each responsible for their own worm family; NetSky, Bagle, and MyDoom. Text messages inside these worms point in this direction. It seems like they are accusing each other of stealing ideas and code, in an attempt to achieve the highest number of copies spread on the Internet as fast as possible.”

I believe it’s more complex than that. A message in Bagle.J goes: “Hey,NetSky, [expletive] off you [expletive], don’t ruine our bussiness, wanna start a war?” This, Landesman points out, is apparently in response to a string contained in Netsky.C that reads, “]MyDoom.F is a thief of our idea! – -”

My belief is this: A lot of viruses nowadays are business ventures, cobbled together by an informal cabal of computer nerds and folk who want to make money (spammers, scammers). Of course some viruses are just kids in dorms and bedsits messing about for fun. But when the guy(s) behind Bagle.J say ‘don’t ruin our business’ they’re not speaking metaphorically. The Internet is like any other turf, and there’s only so much to go round. What we’re seeing here, I believe, is a turf war among criminals, or possibly between criminals and script kiddies (amateur, and amateurish, virus writers who do it for fun).

Do Anti-Virus Companies Love Viruses?

Are anti-virus companies behind the viruses?

Avecho, Britain’s ‘complete worry-free mail service’, reckons “the world needs to wake up to the fact that the anti-virus industry is not an anti-virus industry, it is a definition-selling industry and they just love these viruses. The more afraid you are, the more money you spend with them.”

This problem is solvable, quickly, according to avecho. It points to avecho’s own ThreatCENSOR, which “applies a wonderful, simple piece of logic which has stopped MiMail, SoBig, MyDoom and all variations of Bagel and NetSky. It is not rocket science, it is simple and fool-proof. It is based upon the reality of how we work.” ThreatCENSOR works on the simple premise that:

  • viruses are executable code — in other words, globs of computer programs that attach themselves to emails and try to get you, the recipient, to open them.
  • 99% or more of all normal communications do not contain any executable code. “These are documents, graphics, sounds or text. If you want a piece of executable code, you invariably know that you want it, and from whom.”
  • by applying a simple rule ‘I will only accept executable code from people I know – and that I am expecting’, ThreatCENSOR stops over 98% of all viruses, with no traditional anti-virus at all.
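One way to implement the rule described above, as an added example that is not avecho’s or ThreatCENSOR’s code: an attachment counts as executable by its name, by the MZ header that every DOS/PE program starts with, or by carrying an executable (or an encrypted, uninspectable member, the trick mi2g describes for Bagle) inside a zip, and executable content is accepted only from senders on the recipient’s own expected-code list. The extension list, the sender addresses and the four sample messages are constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXTS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs")  # illustrative list, not avecho's
MZ = b"MZ"  # first two bytes of a DOS/PE executable, whatever the file is called

def is_executable(filename, data):
    # Executable by name, by header, or by hiding one inside a zip archive.
    if (filename or "").lower().endswith(EXEC_EXTS) or data[:2] == MZ:
        return True
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Encrypted members (flag bit 0) can't be inspected: treat the archive as executable.
                if info.flag_bits & 0x1 or info.filename.lower().endswith(EXEC_EXTS):
                    return True
    return False

def filter_message(msg, expected_code_senders):
    # Only accept executable code from senders the recipient said they expect code from.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    for part in msg.iter_attachments():
        if is_executable(part.get_filename(), part.get_payload(decode=True)):
            return "accept" if sender in expected_code_senders else "block"
    return "accept"  # no executable content: passes without any signature lookup

def build(sender, filename, data):
    m = EmailMessage()
    m["From"], m["To"] = sender, "you@example.com"
    m.set_content("Please see the attachment.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m

def zipped(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

EXPECTED = {"devteam@partner.example"}  # the recipient's "I am expecting code from" list
SAMPLES = {  # constructed fixtures covering the cases the rule has to separate
    "doc_from_stranger": build("anyone@example.net", "report.doc", b"\xd0\xcf\x11\xe0 plain document"),
    "pif_from_stranger": build("anyone@example.net", "photo.jpg.pif", MZ + b"\x90\x00"),
    "zip_from_stranger": build("anyone@example.net", "invoice.zip", zipped("invoice.exe", MZ)),
    "exe_from_partner": build("devteam@partner.example", "tool.exe", MZ + b"\x90\x00"),
}

def verdicts():
    return {label: filter_message(msg, EXPECTED) for label, msg in SAMPLES.items()}
```

The stranger’s document passes untouched while the disguised .pif and the zipped executable are blocked, and the partner’s tool is let through only because that sender is on the expected list.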

It’s not a bad idea, a bit like one mentioned in this blog a week or so back. Of course, avecho have an axe to grind, and they’ve been doing it entertainingly for months, if their press releases are anything to go by (all links are to PDF files):

  • industry passes the blame for infection and propagation of email viruses onto the users;
  • Are viruses here to stay? Only 18 months left for the £2bn traditional anti-virus industry;
  • Stopped Sobig: a technology has existed for over a year which could have completely stopped Sobig. Why are the AV vendors still beating the same old drum?
  • On Wednesday 6th August 03 avecho GlassWall stopped a variation of the MiMail virus that had already successfully passed through a leading industry virus scanner, with up to date virus definitions.

But they do have a point. Somehow we’ve got to find a better way to stop viruses than constantly updating definition libraries. What I want to know is: Is there something like this that can work on end-users’ machines, or does everything have to be server based?

Who Is Behind Bagel, NetSky and MyDoom?

Who is behind this latest crop of viruses, and variants on viruses?
Mi2g, a London-based technology security company, reckon that MyDoom and Bagle “is not the activity of hobbyists but organised criminals” and that Doomjuice.a, which carried the source code of MyDoom.a, was “clearly written by the same perpetrators” with the motive of covering their tracks.

That said, mi2g reckon the original NetSky author may merely have been “involved in a turf war with MyDoom and then another turf war with Bagel”. (Yes, it does sound like a bad police series). “That,” mi2g says, “suggests the possibility of bragging rights or intellectual challenge as a motive instead of financial gain.” Evidence? “NetSky.d was released at the beginning of March, and whilst it has its own agenda, it also modifies registry keys to delete the ‘au.exe’ file used by two variants of the Bagle malware.”
This large number of variants in such a short timeframe, mi2g say, “is historically unprecedented”. It’s not clear who is behind these, mi2g say, but whoever it is, “the net beneficiary is organised crime as the number of compromised computers or zombies continues to increase”. These slave computers can be used for anything, from spam to phishing scams to DDoS extortions to working as fileservers for illicit or pirated material.
My guess? Success breeds copycat attacks, and there are an awful lot of folk out there who have the knowledge and the inclination for this kind of thing. It’s no surprise that these attacks are getting worse, and that there is a clear link between virus writing and scams. Hold onto your hat.