Was the recent virus war just between kids, or something more sinister?
Mi2g, the British Internet security consultants, reckon not. “Upon analysing the juvenile dialogue between the malware writers of NetSky, Bagle and MyDoom it has been prematurely concluded by a range of commentators that this is a turf war between teenagers or college students seeking global notoriety. Whilst script kiddies are active in large numbers around the globe benefiting from freely available online hacking and malware authoring tools, a coincidental release of malware variants that have contributed to a tsunami is highly unlikely to be merely the work of teenagers.”
Some folk have pointed to discussion on some online bulletin boards as evidence of the gang-style war behind these recent viruses. Mi2g see it differently: “It could well be that the teenager-type messages were deliberately left behind by more mature malevolents to benefit from the publicity of their intended disguise that delivers obscurity to the real motives behind this rapid release of malware variants and the colonisation of millions of zombie computers in homes, places of learning, government departments and corporations.”
The fact that Bagle and its many variants involved advanced social engineering — tricks to persuade you to open, and therefore activate, the virus-laden attachment — “suggests a high level of specificity in what the malware writers seek,” mi2g reckon. The email containing the virus mimics the email address domain to which it is being sent, thereby confusing the user (and confusing me too). Other elements convince mi2g these guys are not just mucking about:
- The backdoors that are left open by MyDoom, for example, cannot be exploited easily by a novice;
- Hundreds of thousands of tailor-made emails received over the last week carry a Bagle variant, for example, within an encrypted attachment that bypasses the defences of many corporations and ISPs;
- The rapacious way in which the address books are then plundered across the corporate network also suggests a more ‘legitimate email address’ harvesting motive than simply an intellectual challenge frenzy between rivals.
Mi2g also points to the NetSky variants, which “sniff for evidence of MyDoom and Bagle infections as well as their previous incarnations before attempting to deactivate them”. Mi2g concludes that “groups of malware authors are battling for market share of infected computers and there is a protracted turf war underway, where large sums of money or valuable assets are involved.”
I tend to agree, and have said so, in my usual quiet way. But I think there’s a slight difference between my analysis and theirs. While mi2g say “It would be a folly to assume that all these groups of malware writers, who masquerade as juvenile teenagers, are not linked to trans-national criminal syndicate activity. All this suggests a grander financial plan than mere bragging rights”, I don’t believe they are grown-ups masquerading as kids. I think they are probably kids who are sharing some of the loot with the gangs.
In fact, I think it may be wrong to think of the people behind these scams as big established gangs. They may be relatively large in number for a culture not known to cooperate but, at a pop, I’d say there were no more than 10 or so per group — and, importantly, they are fluid and ad hoc. For a scam to work you need someone with the brains to figure out how to extract money (the scammer), someone to do the coding (the coder), and someone to distribute it (the spammer). All of them could, in effect, be kids. To see what life among this kind of folk is like, look no further than Robin Miller’s interview on NewsForge with Andrew D Kirch, a security administrator who recently infiltrated some script kiddie groups. While script kiddies — generally derided on the belief that they copy most of the code they use rather than writing it themselves — may not be up to creating the viruses we’re talking about here, one gets a pretty good general idea of the culture.