Does a virus gang own the Internet?

Commentary: Who knows what the authors of Netsky and Sasser are thinking. Robert Vamosi offers some speculation based on messages left inside recent viruses by the authors themselves.

After a major virus or worm outbreak like Sasser, I'm frequently asked, "Who are these people?" or, "What are they doing, releasing these viruses?" To answer, I point to Clive Thompson's in-depth article for the New York Times Magazine profiling groups of young virus writers who create viral code for fun and games. It now appears that one gang of virus writers is behind Sasser -- and the nearly 30 variations of Netsky we've seen since February.

I'm not saying that the specific individuals profiled in Thompson's piece are those responsible for Sasser; still, his article gives some perspective on the underlying mentality. Like their urban gang counterparts, virus gangs are interested in marking territory on the Internet and showing off their elite skills. For example, Skynet, the gang I believe is behind Sasser and Netsky, doesn't use IRC chat rooms to communicate. That would be too easy. Instead, members of Skynet use messages within their own viral creations.

Programmers often leave plain-text statements within their code. From statements found embedded within recent viruses, we know that there's been a turf battle raging since February between Skynet, the viral authors of Bagle, and the viral authors using the publicly available MyDoom source code. From Netsky.c: "We are the skynet--you can't hide yourself---we kill malware...MyDoom.f is a thief of our idea!" To which the author of MyDoom.g responded: "Hey, NetSky...Don't ruin our business, wanna start a war?" Mostly the messages have been little more than taunts, and these taunts have even extended to antivirus vendors themselves.

To advance their dialogue, the Skynet and Bagle virus gangs have been hammering out competing viral code every couple of days. Thus, both Netsky and Bagle have depleted the 26 letters of the alphabet and are now into double letters, producing variations known as Bagle.aa and Netsky.ac. Most of these variations have been little more than background noise on the Internet, but some, such as Netsky.p, have been very successful, rising to the level of a medium threat.

By piecing together the viral messages, it's possible to get a sense of what's going on behind the virus. Within Netsky.ac: "Hey, av [antivirus] firms, do you know that we have programmed the sasser virus?!? Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet." As proof, the authors supplied a snippet of the Sasser source code. Since the Sasser code isn't available on the Internet, inclusion of the code more or less links the authors of Netsky to Sasser.

Further analysis by antivirus researcher Mikko Hyppönen of F-Secure also finds programming similarities between Sasser and Netsky. While it's possible that two different programmers coded these, the order of the procedure calls and the overall structure of the two programs suggest a common point of origin.
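The attribution technique the article leans on, pulling the plain-text messages out of a sample and looking for the same self-identifying phrases and shared vocabulary across samples, is easy to reproduce on the defender's side. The script below is an added example, not code from the article or from F-Secure or LURHQ; it works the way the `strings` utility does (runs of printable ASCII) and then compares samples by the distinctive words they share. The three byte blobs are constructed stand-ins, not real malware, carrying only the message text quoted in the article, and the `SIGNATURE_PHRASES` table is an assumption built from those same quotes. It does not attempt the procedure-call-order comparison Hyppönen describes; it is the string-level half of that analysis.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for binary samples: a few junk bytes around embedded
# ASCII messages. These are NOT real malware bytes; only the message wording
# comes from the article.
SAMPLES: Dict[str, bytes] = {
    "sample_a": (b"MZ\x90\x00\x03\x00"
                 b"We are the skynet--you can't hide yourself"
                 b"\x00\x00\xff\xe8"
                 b"MyDoom.f is a thief of our idea!"
                 b"\x00\x0c"),
    "sample_b": (b"MZ\x00\x01"
                 b"Hey, NetSky...Don't ruin our business, wanna start a war?"
                 b"\x00\x90\x90"),
    "sample_c": (b"MZ\x00"
                 b"We are the Skynet"
                 b"\x00\xcc"
                 b"Compare the FTP-Server code with the one from Skynet.V!!!"
                 b"\x00"),
}

MIN_LEN = 6  # same default minimum run length as the `strings` utility


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return runs of printable ASCII at least min_len long, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# Assumed phrase table, built from the messages quoted in the article:
# a phrase a group uses to name itself (or to answer the other group).
SIGNATURE_PHRASES: Dict[str, List[str]] = {
    "skynet": ["we are the skynet"],
    "mydoom": ["don't ruin our business"],
}


def claimed_groups(strings: List[str]) -> Set[str]:
    """Which groups' signature phrases appear in a sample's strings (case-folded)."""
    text = " ".join(strings).lower()
    return {group for group, phrases in SIGNATURE_PHRASES.items()
            if any(p in text for p in phrases)}


# Common words that would make every pair of taunts look related.
STOPWORDS = {"we", "are", "the", "a", "of", "is", "our", "you", "t",
             "with", "from", "one", "and", "to", "in"}
# Words, allowing a single inner dot so version-style names (MyDoom.f) stay whole.
_TOKEN = re.compile(r"[a-z0-9]+(?:\.[a-z0-9]+)*")


def distinctive_tokens(strings: List[str]) -> Set[str]:
    """Case-folded words from the extracted strings, minus stopwords."""
    return {t for s in strings for t in _TOKEN.findall(s.lower())
            if t not in STOPWORDS}


def shared_strings_report(samples: Dict[str, bytes]) -> Dict[Tuple[str, str], List[str]]:
    """For every pair of samples, the distinctive words both embed."""
    names = sorted(samples)
    toks = {n: distinctive_tokens(extract_strings(samples[n])) for n in names}
    return {(x, y): sorted(toks[x] & toks[y])
            for i, x in enumerate(names) for y in names[i + 1:]}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        strs = extract_strings(blob)
        print(name, "claims:", claimed_groups(strs) or "{none}", "strings:", strs)
    for pair, shared in shared_strings_report(SAMPLES).items():
        print(pair, "shared distinctive words:", shared)
```

On these constructed inputs, sample_a and sample_c both self-identify as Skynet and share the word "skynet"; sample_b answers with the MyDoom-side phrase and shares nothing distinctive with either. Shared taunts are a weak signal on their own, since anyone can copy a string into a binary, which is why the article treats the Sasser source snippet and the structural comparison as the stronger evidence.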

A complete study of Sasser variations a through d has been published by the security company LURHQ, showing that if the authors of Netsky are responsible for Sasser, there are as many differences as similarities. While Netsky tries to open back doors on infected computers, and these compromised machines are ostensibly sold to spammers to relay their wares, Sasser does no such thing. Sasser isn't malicious; it's much more of an annoyance. So what's its point?

I think the Skynet gang is simply marking territory. Since the Microsoft patch MS04-011 (the recommended remedy for Sasser infections) fixes up to 14 specific vulnerabilities, the authors of Sasser have effectively blocked others from creating a major virus or worm that exploits flaws in SSL or ASN.1, for which exploits already exist. While Sasser doesn't completely rule out someone creating a worm or a virus that exploits those flaws, this worm makes it less likely because the number of patched systems has gone up exponentially since May 1, 2004.

Should we thank Skynet for releasing a relatively benign worm that got everyone to patch their systems in advance of something even worse? No. In my mind, the members of Skynet are still thugs.

By putting a firewall on your desktop and updating your PC with the latest Microsoft updates, you can prevent Skynet and other viral gangs from claiming bragging rights. By succeeding in getting everyone to secure their PCs, I think Skynet and others will ultimately fail.


Talkback 2 comments

    > By succeeding in getting ...Anonymous -- 11/05/04

    > By succeeding in getting everyone to secure
    > their PCs, I think Skynet and others will
    > ultimately fail.

    My thoughts:
    They'll keep winning as long as there is pathetic QA testing within Microsoft. If Microsoft increased their QA testing and produced flawless code, then the likes of Skynet might start failing. They will, however, never stop.

    own the internet? Hrrm. I thin ...Anonymous -- 11/05/04

    own the internet?
    Hrrm. I think there was too much drivel in
    this article. And the judgement call at the end?

    I think the author's reasoning for making the decision that virus writers are "thugs" should be
    made clear. Is it not better to get infected with a less malicious virus? Of COURSE it is. His evidence of turf wars is still pretty scant, even though the premise of preventing massive attacks based on MS security goofs-in-progress is interesting. This premise is flawed because I don't see evidence that these virus writers, known only by short remarks in their code, and compared with some "virus writers" in a NY Times article, are that organized. I want them caught if possible, and for folks to get to the bottom of it.
    Unfortunately, while there are MS products and others on the internet unpatched, there is plenty of room for these guys to play and play and play. Forget about turf wars and organized crime until some evidence surfaces.
