Worm Variants Part of Russian Mafia Extortion Scheme

The recent spate of computer worms has included elements of spamming and a supposed battle of words between different malware authors, but the real intent of the dueling viruses is to deny site availability to online gaming companies and other sites that have not complied with Russian mobsters’ demands, Gartner research director Richard Stiennon told TechNewsWorld.

“The worm writers this time around are really cyber criminals in Russia,” Stiennon said of the Bagle, Netsky and MyDoom variants. “They’re using [the worms] to recruit bots (compromised computers) to launch denial-of-service attacks, mostly against online gaming sites, after failing to extort large payments from the sites.”

Stiennon said the war against online gaming sites, whose large revenues depend primarily on the sites staying up and running, could be followed by attacks on e-commerce sites and other targets.

“They can’t afford to be down. It’s not like SCO. Who cares if they’re down?” Stiennon said, referring to the Utah software company that reportedly has been subjected to denial-of-service attacks from its foes. “Banking, e-commerce sites — they will suffer this kind of threat,” he added.

Building Blocks

As evidenced by new tricks from variants of the Bagle worm and the release of source code for the equally offending Netsky worm, the growing availability of tools to generate malicious network software is now enabling a broader class of attackers to launch successful attacks that disrupt Internet sites and services.

While a war of words and worms between authors of the Bagle, Netsky and Mydoom variants subsided to some extent last week, the rash of successive variants shows how easy it has become to create a new worm with a simple change of file extension or a small piece of replacement code.

“There’s more source code out there for nasty worms than there’s ever been in the history of computing,” iDefense director of malicious code Ken Dunham told TechNewsWorld. “It’s dangerous because anybody can put it together.”

Worm Writing 101

Dunham explained that while cyber squabbles between rival “script-kiddie” groups have been common for a long time, the battles typically have centered on amassing seized computers via Trojan programs that let the worm writers engage in DoS attacks against their targets of choice. However, virus and worm code, as well as know-how, has spread to a point at which worms are now the “next-generation tool for fights and for spats, as well as notoriety,” according to Dunham.

“What we’re seeing now is worm technology — which is traditionally more challenging, more difficult — is easier to deploy,” he said. “The worms are now more of an easy thing to cut your teeth on.”

Dunham added that the growth of the Internet has brought with it easy access to source code for hundreds of viruses and worms, as well as forums and chat groups in which virus writers help each other and find answers to their questions.

User Issues

At the same time, unfortunately, there continues to be a large, growing number of users who “will gladly participate in an attack unwillingly,” Dunham said, referring to inadequate user deployment of antivirus and firewall protection.

Gartner’s Stiennon said corporations, some of which are blocking some or all known affected file extensions in response to the deluge of worms, are grappling with the problem of their own users introducing malicious code into their networks.

“It is just making life more difficult,” Stiennon said. “Companies are having a lot of frustration. They can’t get the darn users to stop opening suspicious files.”

Forrester analyst Jan Sundgren told TechNewsWorld that because the onslaught of worms consists mostly of variants, traditional antivirus heuristics are catching a lot of them, though he pointed to organizations that fail to update their antivirus engines and definitions, and to the pain of corporate file filtering. There are steps companies can and do take against the worms, Sundgren said.

Waiting with a Worm?

Dunham likened the competing, continuous stream of malware variants to playground fighting, with the worms representing more of a fistfight than a war of words.

Stiennon, however, indicated the organized crime element is raising suspicions that those responsible for the latest worms also might be sitting on malicious source code to be launched against a vulnerability found last month in Microsoft’s Windows operating system. Microsoft provided a patch for the hole in Windows’ handling of Abstract Syntax Notation One (ASN.1), but a large number of machines likely remain vulnerable to it.

The latest variants have focused on a previous vulnerability — the Remote Procedure Call (RPC) hole — that enabled the Blaster worm last year.

“The reason we haven’t seen anything written against ASN is because the RPC ones still have some life left in them,” Stiennon speculated.
