Several peer-to-peer (P2P) networks, including Kazaa and eDonkey, are bracing for an anticipated attack by Netsky-Q, the latest variant of the Netsky worm and the newest example of virus writers taking direct aim at specific companies and Web sites.
As of Thursday morning, both networks were still operating, although eDonkey had established a mirror site to keep traffic moving in case it was brought down. A note on the eDonkey homepage said the site had been expecting the distributed denial-of-service (DDoS) attack to begin at midnight but had yet to see any signs of the expected deluge.
The Kazaa site remained accessible, but two smaller sites that offer hacking-and-cracking tools for sharing on the Web, www.cracks.am and www.cracks.st, were both down.
Security vendors warned that, even if it is not catastrophic, the Netsky-Q variant still packs a potential wallop and appears poised to attack a handful of P2P sites before Easter Sunday.
Sophos senior technology consultant Graham Cluley told the E-Commerce Times that the timing of the attack, over what is in many parts of the world a long holiday weekend, may enable it to be carried out without detection on many users’ PCs.
Cluley said the worm essentially strikes when the clock of an infected computer turns to midnight on April 8th. This means the attack could have begun at midday Wednesday in the United States, when countries in the Asia-Pacific region began to reach that time.
Researchers have not come to any conclusions about who may be responsible for Netsky-Q, which is the latest variant of the worm to plague the Web. During March, some 60 percent of all virus payload tracked online by Sophos was attributed to some variation of Netsky. The discovery earlier this week of two new versions of the worm — probably written by different authors — brings the total number of Netsky variants now in the wild to 20.
Cluley said it seems somewhat ironic that the attacks would target P2P networks, because past attacks focused on high-profile corporate sites. The SCO Group, for instance, which is waging an all-out legal war against the open-source Linux operating system, suffered lengthy Web site outages earlier this year after an attack.
Microsoft and the Recording Industry Association of America (RIAA) also have been victims of such attacks, which recruit infected computers as unwitting participants in a data onslaught that slows or crashes servers.
While past targeted attacks seemed to send a clear political message, “It’s not exactly clear what the theme of this attack is,” Cluley said. Although some have speculated that Kazaa and other sites have become more commercial and legitimate of late, making them more likely targets, that is not the case with all of the sites on the Netsky-Q attack list. And while some versions of the worm contain a message saying the malware’s authors oppose file-sharing, they also claim to be against hacking and virus-writing, undermining the credibility of those messages.
Ken Dunham, iDefense director of malicious code, said the plethora of Netsky variants is an alarming sign that the original worm writer may have freely shared code with other virus writers.
“That kind of sharing is just going to accelerate the pace at which new viruses appear,” Dunham told the E-Commerce Times. “Suddenly, people who may have had the intent or desire but not the technical skills can get into the virus-writing game.”