By Joris Evers
Thursday, August 18 2005 11:41 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,39249475,00.htm
The recent surge in worms could be part of an underground battle to hijack PCs for use in Net crimes, some security experts say--but others aren't convinced.
Signs of a turf war between cybercrooks lie in the behavior of the worms that have emerged since Sunday, said Mikko Hypponen, chief research officer at F-Secure, a Finnish security software company.
The dozen or so worms and variants all exploit a security hole in the plug-and-play feature in the Windows 2000 operating system. But some versions undo the effects of earlier worms, suggesting that the creators are battling to take over computers that others have already compromised, Hypponen said.
"We seem to have a botwar on our hands," Hypponen said Wednesday. "There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines."
The first worm, dubbed Zotob, emerged on Sunday and appeared to have faded by Monday. However, several Zotob offshoots and another new worm, Bozori, were subsequently unleashed. New versions of pre-existing threats Rbot, Sdbot, CodBot and IRCBot also began wriggling their way into computers. Systems at CNN, ABC and The New York Times were hit.
The worms include "bot" code, a program that lets the attacker control a compromised system remotely. Criminals have typically organized these hijacked systems in networks called "botnets." These botnets are rented out to relay spam and launch phishing scams, which attempt to steal sensitive personal data for fraud. Botnets have also been used to mount denial-of-service attacks against online businesses targeted by extortion schemes, experts have said.
The outbreak has a financial motive, according to Sophos, an antivirus company based in Abingdon, England. "Organized criminal gangs are behind attacks like these, and their motive is to make money. Owning a large network of compromised computers is a valuable asset to these criminals," said Graham Cluley, the senior technology consultant at Sophos.
A botnet of about 5,500 "zombies," or compromised computers, typically costs spammers, phishers or other crooks about US$350 a week, security company Symantec has said.
The worm battle has likely only just begun, said Alex Shipp, a senior antivirus technologist at MessageLabs, an e-mail security company. He said we may well see a period of intense activity in malicious software attacks as these groups vie for "pole position."
Battling worms are nothing new. Last year, the creators of Bagle, NetSky and MyDoom appeared to be in competition to gain control of large numbers of PCs for use in botnets.
But not everybody is convinced that the same kind of turf war is happening now. Stefana Ribaudo, a director in the threat management sector at Computer Associates, said the company had not seen any viruses or worms that try to detect or remove other worms.
Lysa Myers, a virus research engineer at security software maker McAfee, agreed that there were no real signs of a struggle to control botnets. "This particular worm outbreak is so small that there really is no room for an offensive strategy," she said.
If there is anything going on, it is just an underground rivalry, said John Pironti, a principal security consultant at Unisys, an IT services company in Blue Bell, Penn. "Attackers like to boast about how many machines they have under their control," he said. "What you are potentially seeing is that it is a contest."
If the purpose was really to expand botnets, attackers would use more sophisticated methods that fly under the radar of antivirus companies, Pironti said.
Microsoft offered a fix for the Windows plug-and-play bug exploited by the worms in its monthly patching cycle last week. The software maker deemed the issue "critical," its most serious rating. The first Zotob variant appeared in record time after Microsoft's patch release, giving Windows users little time to fix their systems.
The security issue affects Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.
There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers. More recent editions of Windows are available, but Windows 2000 remains popular. The operating system ran on 48 percent of business PCs during the first quarter of 2005, according to a recent study by AssetMetrix.
Infected machines can be cleaned up using tools available from antivirus software makers, including Symantec. Windows 2000 users who have not patched should do so as soon as possible, Microsoft has urged.