'War of the Worms' Spurs Latest Cyber-Attack


Aug. 17, 2005 — -- The computers that crashed at ABC News and other media outlets may have been caught in the crossfire of a virtual "war of the worms" between rival criminal gangs waging a cyberspace turf war.

The turf? Control of computers like those at ABC News -- and maybe yours, too.

"It's a little bit like rabid dogs fighting over a choice piece of meat, and it's a little bit revolting," said Sam Curry, vice president of Computer Associates, the corporate cybersecurity company. "It's [an illustration of] no honor among thieves."

Companies including ABC, CNN, The Associated Press, The New York Times and Caterpillar all found their networks slowed to a virtual standstill on Tuesday.

Computer security experts blamed multiple variations of the "Zotob" computer worm for the cyberspace attack, which primarily affected systems running the Windows 2000 operating system. Curry said Windows 2003 and Windows XP also are vulnerable, particularly if not protected by the latest Microsoft security patches, firewalls and antivirus software.

But in this case, besides disabling computers, the many different versions of the worm are competing against each other on the affected machines, vying to seize decisive control and build computer armies sometimes called "botnets," according to Graham Cluley, senior technology consultant at the Sophos antivirus company.

"There is an enormous amount of money to be made," Cluley said. "There's an opportunity here. It's like a gold rush."

By controlling entire armies of unprotected PCs, criminals might be in a position to steal information like passwords and credit card numbers. They also might rent out the botnets to launch waves of spam, or use the large numbers of computers under their control to bombard corporate systems and demand extortion money. They also could use infected computers to launch new cyberspace attacks and increase their numbers further.

"Around 50 percent of all spam is actually sent from innocent people's computers without their knowledge," Cluley said. "This isn't just about innocent people in the back bedroom. This is about organized crime trying to make money."

In the latest attacks, Curry found evidence the worm-writers are thumbing their noses -- or worse -- at those trying to stop them. He found an apparent message to antivirus companies that some versions of Zotob may have left in the host files of infected computers: "MSG TO avs: the first av who detect this worm will be the first killed within the next 24hrs!!!"

"The new dimension is they're making overt threats against the antivirus companies," Curry said.

"If they can shut down the defenses for as many people as possible, then they increase the window in which they can get as many victims as possible."

While it's unclear whether botnet operators have threatened antivirus companies in the past, there is precedent for turf battles between rival gangs of computer criminals. In 2004, Cluley noted, creators of the Bagle and Netsky worms taunted each other in embedded messages, and Netsky used code designed to remove several versions of Bagle from infected computers.

Now, however, security experts say the cyber criminals are stepping up the pace in their virtual street war, creating more worms that will delete rival worms in order to hijack ever-greater armies of computer "robot PCs" likely to be used for criminal activity.

Mikko Hypponen, chief research officer for online security firm F-Secure in Helsinki, Finland, said 12 Internet worms similar to Zotob have been spotted online since Sunday. Like the worm that began to affect several media outlets on Tuesday, each of these pieces of malicious software -- sometimes called "malware" by computer security experts -- exploits the same "plug and play" flaw in Windows software that Microsoft warned about earlier this month.

"We've found five new PnP [plug and play] malware just today," Hypponen said. "The main target of these worms is to spread, removing competing bots."

On his online blog, Hypponen noted there are apparently four main "families" of worms actively attacking each other. One group of worms, the "IRCbot" family, attempts to knock off the Zotobs, which try to kill off the "Bozori" class of worms, which in turn are after another type of worm called "Rbot" or "SDbot."

"It's unknown to us who is behind all of this," says Hypponen, echoing other computer security experts. "But it seems we have several separate groups competing with each other to build the biggest botnets. It's a global pissing contest."

But while Hypponen notes these worms do not contain any dangerous "payloads" -- say, deleting files or installing software spies that steal important digital info -- the end goal is the same: To leave infected computers vulnerable to further exploitation.

What's more, the nature of that use has been changing.

"It's a shift from the old days of thuggery to this new notion of organized crime on the Internet," said Curry of Computer Associates.

In the old days, hackers wanted to control computer armies to launch "denial of service attacks" that jammed computer networks, or to vandalize a network internally.

"It was a lot like getting mugged on the street or a lot like getting beaten up," Curry said.

But these days, such spiteful motives seem to be giving way to greed.

"Destroying the Internet is not really useful if the Internet is the means to your financial goals," said Art Manion, an Internet security analyst at U.S. CERT, a center at Carnegie Mellon University that advises the U.S. government on Internet threats.

Botnet operators now are more likely to use their computer armies to mine personal information and distribute blizzards of spam, experts said.

David Kennedy, a senior risk analyst for Cybertrust, a consultant on Internet security for businesses, said he's even heard of more elaborate schemes. He cites examples including Web sites hiring botnets to jack up the number of user hits on their sites in order to trick advertisers into overpaying.

Criminals can be compensated for such ventures via what Manion called an "underground economy" of payments.

"The most effective way [to profit from botnets] is to rent out these systems to send spam," Kennedy said.

He added that another common scheme is to use the computer zombies to send out fraudulent e-mails seemingly from reputable companies, drawing users into "phishing" schemes designed to get them to provide passwords, PIN numbers, credit card numbers, account numbers and other personal information.

When committing such fraud, the botnets allow criminals to route their e-mails through multiple computers.

"What they're doing is trying to make it as difficult as possible for the good guys to track down who's getting the money on them [the botnets]," Kennedy said.

Kennedy believes the corporate targets hit by Zotob may have been exposed by not taking proper measures to prevent infection by laptop computers. He theorized that individuals may have used company laptops in an infected environment outside the network, and then plugged them back into the company networks behind a firewall.

Cybertrust advises its clients to take three steps to avoid such exposure, Kennedy said.

First, they should keep all laptops patched with security updates and insulated with up-to-date company or personal firewall programs.

Second, they should use a special router between the notebook and the pipeline providing Internet access (such devices don't work for wireless connections, he said).

Third, laptop users should power down completely before plugging back into the company network.

"If you power down altogether when your restart and log on to your network, the whole network can do a hygiene check," Kennedy said. "That hygiene check can be bypassed by hibernation" -- the energy-saving mode computers go into when not powered down.

Protecting laptops -- plus maintaining up-to-date patches, antivirus prevention and firewalls on company networks -- should go a long way in protecting against worms like Zotob.

"If they have a tight perimeter that we help them construct around their enterprise, then Zotob keeps bouncing off," he said.

Similar advice holds true for home computer users, experts said.

"The best way to deal with this, of course, is to stop the virus with antivirus software before it infects your PC," said Sophos' Cluley via e-mail. "But failing that, it can be easiest to download up-to-date antivirus software on a known clean computer, and then use that software to clean up the infected PC."

Kennedy claimed he notified Cybertrust's corporate clients of the Zotob risk on Sunday, and they were not affected when major media companies got hit on Tuesday. Kennedy and others said Zotob was far from being a devastating worm, in relation to past outbreaks such as Sasser and Blaster.

"If you've got it, you've got a problem," he said of Zotob. "But with some prevention, you can whistle right past the graveyard on it."

ABC News' Paul Eng contributed to this report.

ABC News Live

ABC News Live

24/7 coverage of breaking news and live events