PEAX Equipment

Worm authors talk trash


New member
Dec 20, 2000
Jackson, Wyoming
Worm authors talk trash
Last modified: March 3, 2004, 10:33 AM PST
By Munir Kotadia
Special to CNET

Security researchers have discovered that the authors of MyDoom and Bagle are exchanging insults with the author of NetSky, using text hidden inside their virus code.

Between Friday and Wednesday, more than 10 variants of the NetSky, Bagle and MyDoom worms have been discovered. Mutants spreading in the past 24 hours have contained messages, complete with vulgar taunts, that indicate that the authors of MyDoom and Bagle have teamed up against NetSky's author, antivirus experts said.

Finnish security company F-Secure on Tuesday reported that Bagle.J contained a line of text that said: "Hey, NetSky...don't ruine our bussiness, wanna start a war?"

MyDoom.G, which was released on the same day, also contained a message to NetSky's author: "to NetSky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not"

In response, the latest NetSky variant (F), which was discovered on Wednesday morning, contained the message: "Skynet AntiVirus - Bagle - you are a looser!!!!".

Graham Cluley, a senior technology consultant at antivirus company Sophos, said he believes that the insults are flying, because the authors of Bagle and MyDoom are not happy that NetSky has received so much publicity. "The author of Bagle is rather upset that the NetSky guy is taking all the headlines and getting most of the attention," he said. "Like any community, the virus writers often are at war with each other--rather like politicians--but their war of words is taking place on users' desktops and users' e-mail systems."

Within a few hours on Wednesday morning, three more variants appeared: Bagle.K, Bagle.L and MyDoom.H. None, though, have yet to propagate in the wild, according to Vincent Gullotto, a vice president in the antivirus and vulnerability emergency response team at Network Associates. "But it's early in the morning," he said. "At this point, it is difficult to keep track of them."

While they are being used to exchange taunts, the new variants are also having an impact on corporate networks. Bagle.J is considered a medium risk, according to a representative from Network Associates, and it has infested a Fortune 500 company. Network Associates found 50 examples in the first 90 minutes of the outbreak of the virus on Tuesday night, the representative added.

MyDoom.G, meanwhile, is believed to represent a low-risk threat.

To get their messages across, the worm writers are constantly changing their code to ensure that they keep one step ahead of the antivirus companies.

"They are just tweaking them just enough--and getting a big kick out of seeing the antivirus companies reacting and posting information on their sites," Cluley said. "We are the ones that are all suffering. I would much rather they ranted at each other on message boards instead of in raw code."

This isn't the first time worm authors have included a message in their malware. For example, the MSBlast worm, which caused so much damage last summer, contained a message directed at Microsoft chairman Bill Gates: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"

Latest posts

Forum statistics

Latest member