Tag Archives: Sven Jaschan

Are The Worm Wars Over?

German police on Friday arrested two men: an 18-year-old in Rotenburg in connection with the Sasser worm, and a 21-year-old who confessed to creating a bot known as Agobot or Phatbot.

A lot of folk believe the gang responsible for the Sasser worm may also be responsible for the Netsky worms, which have been infecting computer users for most of this year. Sophos’ Graham Cluley, for example, says, “If you scrutinize the most recent Netsky worm, you can see that the author embedded a taunt to anti-virus companies, bragging that he also wrote the Sasser worm. If this is the case, this could be one of the most significant cybercrime arrests of all time.”

Cluley goes on to say: “All these worms have been highly disruptive and complex, suggesting that the author isn’t working alone. Seizing this man’s computers could provide the vital clues that will bring down the infamous ‘Skynet’ virus-writing gang. We would not be surprised if more arrests follow in due course.”

What I’m interested in are claims that the people behind these attacks were not just doing it for fun, but for money, by setting up chains of zombie computers and then selling the connections to spammers and fraudsters. Could this also shed light on the Russian and Eastern European underworld, or are the groups not connected?

The Virus Turf War

More on who’s behind the latest wave of virus attacks.

Mary Landesman of About.com looks at the text strings embedded in variants of the Bagle (sometimes Bagel) and MyDoom viruses to show how “a battle is waging between three groups of virus writers, each attempting to prove superiority over the other.” It’s a very good piece.

But it’s not quite that simple, I suspect. She quotes a virus analyst at Norman Data Defense Systems, the excellently named Snorre Fagerland, as saying: “We suspect that several virus authors – or factions of virus authors – are competing in creating the most successfully spreading worm. So far we see three different groups or persons, each responsible for their own worm family; NetSky, Bagle, and MyDoom. Text messages inside these worms point in this direction. It seems like they are accusing each other of stealing ideas and code, in an attempt to achieve the highest number of copies spread on the Internet as fast as possible.”

I believe it’s more complex than that. A message embedded in Bagle.J reads: “Hey,NetSky, [expletive] off you [expletive], don’t ruine our bussiness, wanna start a war?” This, Landesman points out, is apparently a response to a string contained in Netsky.C that reads: “]MyDoom.F is a thief of our idea! - -”

My belief is this: a lot of viruses nowadays are business ventures, cobbled together by an informal cabal of computer nerds and people who want to make money (spammers, scammers). Of course some viruses are still just kids in dorms and bedsits messing about for fun. But when the guy(s) behind Bagle.J say ‘don’t ruin our business’ they’re not speaking metaphorically. The Internet is like any other turf, and there’s only so much to go round. What we’re seeing here, I believe, is a turf war among criminals, or possibly between criminals and script kiddies (amateur, and amateurish, virus writers who do it for fun).