
Worm Variants Part of Russian Mafia Extortion Scheme

By Jay Lyman
Mar 15, 2004 10:00 AM PT

The recent spate of computer worms has included elements of spamming and a supposed battle of words between different malware authors, but the real intent of the dueling viruses is to deny site availability to online gaming companies and other sites that have not complied with Russian mobsters' demands, Gartner research director Richard Stiennon told TechNewsWorld.


"The worm writers this time around are really cyber criminals in Russia," Stiennon said of the Bagle, Netsky and MyDoom variants. "They're using [the worms] to recruit bots (compromised computers) to launch denial-of-service attacks, mostly against online gaming sites, after failing to extort large payments from the sites."

Stiennon said the war against online gaming sites, whose large revenues depend primarily on the sites staying up and running, could be followed by attacks on e-commerce sites and other targets.

"They can't afford to be down. It's not like SCO. Who cares if they're down?" Stiennon said, referring to the Utah software company that reportedly has been subjected to denial-of-service attacks from its foes. "Banking, e-commerce sites -- they will suffer this kind of threat," he added.

Building Blocks

As evidenced by new tricks from variants of the Bagle worm and the release of source code for the equally offending Netsky worm, the growing availability of tools to generate malicious network software is now enabling a broader class of attackers to launch successful attacks that disrupt Internet sites and services.

While a war of words and worms between authors of the Bagle, Netsky and MyDoom variants subsided to some extent last week, the rash of successive variants shows how easy it has become to create a new worm simply by swapping a file extension or a small piece of code.

"There's more source code out there for nasty worms than there's ever been in the history of computing," iDefense director of malicious code Ken Dunham told TechNewsWorld. "It's dangerous because anybody can put it together."

Worm Writing 101

Dunham explained that while cyber squabbles between rival "script-kiddie" groups have been common for a long time, the battles typically have centered on amassing seized computers via Trojan programs that let the worm writers engage in DoS attacks against their targets of choice. However, virus and worm code, as well as know-how, has spread to a point at which worms are now the "next-generation tool for fights and for spats, as well as notoriety," according to Dunham.

"What we're seeing now is worm technology -- which is traditionally more challenging, more difficult -- is easier to deploy," he said. "The worms are now more of an easy thing to cut your teeth on."

Dunham added that the growth of the Internet has brought with it easy access to source code for hundreds of viruses and worms, as well as forums and chat groups in which virus writers help each other and find answers to their questions.

User Issues

At the same time, unfortunately, there continues to be a large, growing number of users who "will gladly participate in an attack unwillingly," Dunham said, referring to inadequate user deployment of antivirus and firewall protection.

Gartner's Stiennon said corporations, some of which are blocking some or all known affected file extensions in response to the deluge of worms, are grappling with the problem of their own users introducing malicious code into their networks.

"It is just making life more difficult," Stiennon said. "Companies are having a lot of frustration. They can't get the darn users to stop opening suspicious files."

Forrester analyst Jan Sundgren told TechNewsWorld that because the onslaught of worms consists mostly of variants, traditional antivirus heuristics are catching a lot of them, though he pointed to the failure of some organizations to update antivirus engines and definitions, and to the pain of corporate file filtering. There are steps companies can and do take against the worms, Sundgren said.

Waiting with a Worm?

Dunham likened the competing, continuous stream of malware variants to playground fighting, with the worms representing more of a fistfight than a war of words.

Stiennon, however, indicated the organized crime element is raising suspicions that those responsible for the latest worms also might be sitting on malicious source code to be launched against a vulnerability found last month in Microsoft's Windows operating system. Microsoft provided a patch for the hole in the Abstract Syntax Notation (ASN.1) protocol, but there are likely a large number of machines that remain vulnerable to it.

The latest variants have focused on a previous vulnerability -- the Remote Procedure Call (RPC) hole -- that enabled the Blaster worm last year.

"The reason we haven't seen anything written against ASN is because the RPC ones still have some life left in them," Stiennon speculated.
