Latest Worms Duke It Out
It appears that the numerous variants of the Zotob worm that have emerged over the past couple of days may have been salvos in a new worm war between rival online crime groups, according to analysis by Finnish antivirus company F-Secure Corp.
The three worm variants -- dubbed "Bozori," "Zotob," and "IRCBot" -- all exploit a security flaw in Windows that Microsoft issued a patch for last week, and each tries to supplant the other on infected machines, said Mikko Hypponen, chief research officer at F-Secure. Hypponen said it appears that three different virus-writing groups are behind the 11 different versions the company has detected since Sunday.
"This is the worm war of spring 2004 all over again," Hypponen said. "Only now it's king of the bot hill."
Hypponen is referring to the battle between the author(s) of the Bagle, Mydoom and Netsky worms, which contained within their code plain-text messages insulting rival virus-gang members. The worms also tried to uninstall each other from victimized machines, which rival groups used to relay spam, attack other machines and host phishing scams.
The battle between the Bagle and Mydoom worms continues to this day, with several new variants of each released nearly every month, and their authors remain at large. The Netsky worm also tried to uninstall Bagle and Mydoom, but its original author -- a German teen named Sven Jaschan -- recently pleaded guilty to creating Netsky and the Sasser worm. Jaschan was sentenced to a mere 22 months' probation, even though the effects of his activities are still being felt around the world: Netsky variants accounted for 25 percent of all virus reports in the first half of 2005, according to Internet security firm Sophos. The company said Netsky and Sasser combined were responsible for 70 percent of virus infections in 2004.