With 20 variations of the Mydoom, Netsky and Bagle viruses circulating around the Internet, it's becoming clear that computer virus writers are engaged in some kind of can-you-top-this game. And it's Internet users who are suffering collateral damage.
E-mail inboxes around the world are teeming with cryptic notes that have simple messages like "Here is the file," or "I want a reply." When antivirus companies give names to malicious programs, they add letters to virus names as a way of indicating variants, with NetSky.A being the initial version, NetSky.B the second variation, NetSky.C the third, etc. On Wednesday, researchers were up to NetSky.F, Bagle.K, and Mydoom.H.
Internet gang warfare?
The now daily new e-mail assaults -- in fact, during one three-hour stretch on Wednesday, five new viruses were discovered -- appear to be the result of an unfriendly competition which has developed between rival virus writers.
The third variant of the Netsky virus included a message taunting authors of another worm, according to Network Associates. Buried inside the computer code was the text:
"We are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! SkyNet AV vs. Malware." Netsky disables many of its predecessors.
The "Internet gang warfare" theory gained credence Wednesday with the discovery of new Bagle and Mydoom viruses that directly taunt the author of Netsky.
A new version of Bagle includes the message: "Hey, NetSky ... don't ruine {sic} our bussiness, wanna start a war ?" according to Kaspersky Labs, a Russian-based antivirus firm.
The new version of Mydoom also has a message for Netsky's authors, Kaspersky says: "To netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network."
Meanwhile, Netsky's author answered back on Wednesday, writing inside the program's code: "Bagle - you are a looser!!!!"
The fight started, according to Symantec Corp.'s Alfred Huger, when the Netsky author engineered that virus to remove or disable Mydoom and Bagle.
"I think it's about the authors taking exception to fact that Netsky removed them -- Netsky has no other purpose in life but to remove viruses, it doesn't install a back door or anything else," Huger said.
Unprecedented volume of viruses
Whatever the axe that these programmers are grinding, their very public disagreement is causing endless headaches for Internet users. Unlike most variants, many of the updated versions of Netsky, Mydoom, and Bagle are spreading widely around the Internet. Antivirus firm MessageLabs said Wednesday morning ET that it had trapped 1.5 million copies of Netsky.D, headed for its customers, 700,000 in the prior 24 hours. At one point, 1 in every 19 e-mails headed for MessageLabs customers was infected with Netsky.D.
"We've never seen anything like this before," Huger said.
With all the variants running around, it's nearly impossible for consumers to know what they are dealing with. And since most of the viruses come with a randomized file names and included text, it is impossible to tell consumers how to spot the malicious programs with the naked eye.
"I think it's pretty close to the worst time ever ... oh, what's this?" said Vincent Gullotto, a researcher with Network Associates Inc. During his interview with MSNBC.com on Monday, he received word of yet another NetSky variant, NetSky.E.
In the past eight weeks, Network Associates has signaled its internal virus alarm bell, called a "Virus Outbreak Process," 11 times. Ringing the bell means an entire slate of emergency procedures are set in motion: Researchers have to return to their desks in the middle of the night, major customers receive warnings, the press is notified. Eleven alerts is more than Network Associates issued in 2002.
Vincent Weafer, a researcher for Symantec Corp., said his firm has six different viruses currently rated a medium or high risk. Generally, the company averages one or two a month.
"The only thing that compares with this time is last August, when we had Blaster, SoBig, and Welchia at about the same time," he said.
Netsky.D plays cryptic sound file
Of the 20 or so variants currently making the rounds, Netsky.D. was probably the most widespread on Wednesday. That virus, discovered on Monday, probably wins for most annoying feature. It instructs infected machines to play a cryptic audio file for three hours on Tuesday morning --
The new version of Bagle, Bagle.K, is also spreading, in part because of its convincing e-mail message. The text of a Bagle.K-infected e-mail indicates the recipient has a virus -- and it appears to come from the support staff of the recipient's company. The text can read: "Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions."
Recipients are then urged to click on a link to clean up their infected computer -- and if they do, they are duped into infecting themselves with Bagle.K.
Net users don't have to be infected to feel the pain of the virus deluge. Even if users are smart enough to avoid clicking on the attached files and becoming infected, all the stray e-mails being generated by the viruses is causing major headaches for users and corporations.
"This e-mail flow is a clogging mechanism," said Patrick Hinojosa, chief technology officer of Madrid-based antivirus firm Panda Software. Employees are constantly turning to their support staff looking for help, or advice when they receive a message suggesting they've been infected by a virus. "It's a traffic congestion problem ... and a denial of service attack on the help desk," he said.
Mydoom started it all
Weafer thinks the virus deluge is due in part to the overwhelming success of the Mydoom virus, which began its spread during the last week of January.
Mydoom, called , left hundreds of thousands of computers infected with back-door programs in its wake. Back-doors make PCs readily available to hackers and virus writers, who use them to jump start the launch of new viruses. Other variations have also left PCs vulnerable to this kind of attack, continually making the job of "seeding" a new virus easier.
"They are definitely leveraging the infected machines out there. There is a critical mass, ... a growing number of knowingly compromised machines they can use," Weafer said. Virus writers continue to build on each other's work, as well, making the creation of a new variant as simple as "plug and play, click and hack," Weafer said.
But perhaps most disturbing is that virus writers seem to be taking the cat-and-mouse game with antivirus firms to a new level, said Mikko Hypponen, virus researcher for Finland-based F-Secure Corp. Generally, new variants for successful worms take days or weeks to appear, making a natural ebb and flow to the antivirus game, giving researchers time to come up with fixes for each new worm. But the author of the Bagle worm, for example, seems ready with a new variation the moment antivirus firms post their definitions foiling the worm. There have been five new versions of Bagle since Friday night, Hypponen said.
"Whoever is behind it is sitting around waiting for us to respond," Hypponen said. "If the target is to exhaust the antivirus people, he's succeeding at it. My team is really tired. We are working through the night and the weekends."
The best way for consumers to protect themselves is to direct a healthy dose of skepticism at every unexpected e-mail, perhaps more than usual. Terse, awkward-sounding notes should be a tip-off. Suspicious messages should be handled with care, or deleted immediately. Frequently updated antivirus software can also help.