'War of the Worms' Spurs Latest Cyber-Attack

By ABC News
August 17, 2005, 4:25 PM

Aug. 17, 2005 -- The computers that crashed at ABC News and other media outlets may have been caught in the crossfire of a virtual "war of the worms" between rival criminal gangs waging a cyberspace turf war.

The turf? Control of computers like those at ABC News -- and maybe yours, too.

"It's a little bit like rabid dogs fighting over a choice piece of meat, and it's a little bit revolting," said Sam Curry, vice president of Computer Associates, the corporate cybersecurity company. "It's [an illustration of] no honor among thieves."

Companies including ABC, CNN, The Associated Press, The New York Times and Caterpillar all found their networks slowed to a virtual standstill on Tuesday.

Computer security experts blamed multiple variants of the "Zotob" computer worm for the attack, which primarily affected systems running the Windows 2000 operating system. Curry said Windows Server 2003 and Windows XP also are vulnerable, particularly if not protected by the latest Microsoft security patches, firewalls and antivirus software.

But in this case, besides disabling computers, the many different versions of the worm are competing against each other on the affected machines, vying to seize decisive control and build computer armies sometimes called "botnets," according to Graham Cluley, senior technology consultant at the Sophos antivirus company.

"There is an enormous amount of money to be made," Cluley said. "There's an opportunity here. It's like a gold rush."

By controlling entire armies of unprotected PCs, criminals might be in a position to steal information like passwords and credit card numbers. They also might rent out the botnets to launch waves of spam, or use the large numbers of computers under their control to bombard corporate systems and demand extortion money. They also could use infected computers to launch new cyberspace attacks and increase their numbers further.

"Around 50 percent of all spam is actually sent from innocent people's computers without their knowledge," Cluley said. "This isn't just about innocent people in the back bedroom. This is about organized crime trying to make money."

In the latest attacks, Curry found evidence the worm-writers are thumbing their noses -- or worse -- at those trying to stop them. He found an apparent message to antivirus companies that some versions of Zotob may have left in the hosts file of infected computers: "MSG TO avs: the first av who detect this worm will be the first killed within the next 24hrs!!!"

"The new dimension is they're making overt threats against the antivirus companies," Curry said.

"If they can shut down the defenses for as many people as possible, then they increase the window in which they can get as many victims as possible."
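Tampering with the hosts file is one of the cheapest ways for a worm to "shut down the defenses": pinning antivirus and update servers to loopback stops signature and patch downloads. The check below is an added example, not code from the article or from any vendor named in it. It parses a Windows-style hosts file, flags entries that map a security-vendor or update domain anywhere, flags any other name sinkholed to 127.0.0.1 or 0.0.0.0, and flags the taunt string quoted above. The watchlist of domains and the sample hosts content are constructed for illustration and are not a real capture.

```python
import ipaddress
import re

# Constructed sample hosts file, not a real capture: the kind of entries a worm
# leaves behind to block signature and patch downloads, plus the taunt quoted above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       update.microsoft.com
0.0.0.0         www.sophos.com
192.168.0.1     intranet.example.local
# MSG TO avs: the first av who detect this worm will be the first killed within the next 24hrs!!!
"""

# Assumed watchlist for illustration only; in practice list the vendors and
# update services your own fleet actually contacts.
WATCHLIST_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "f-secure.com",
    "ca.com", "mcafee.com", "trendmicro.com", "kaspersky.com",
    "microsoft.com", "windowsupdate.com",
)

# Names that legitimately map to a loopback address.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# The taunt the article quotes, matched loosely so spacing and case do not matter.
TAUNT_RE = re.compile(r"msg\s+to\s+avs?\b", re.IGNORECASE)


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) per entry; comments, blanks and bad IPs are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            # A malformed entry deserves a look too, but this check is about blackholing.
            continue
        yield lineno, ip, [h.lower() for h in fields[1:]]


def _on_watchlist(host):
    return any(host == s or host.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_tampering(text):
    """Return {'blackholed': [(lineno, ip, host), ...], 'taunts': [(lineno, line), ...]}."""
    blackholed = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            # Anything other than localhost-style names pointed at 127.0.0.1 or 0.0.0.0 is sinkholed.
            sinkholed = (ip.is_loopback or ip.is_unspecified) and host not in LOOPBACK_OK
            # A vendor or update name should never be pinned in hosts at all, whatever the IP.
            if sinkholed or _on_watchlist(host):
                blackholed.append((lineno, str(ip), host))
    taunts = [(n, raw.strip()) for n, raw in enumerate(text.splitlines(), 1)
              if TAUNT_RE.search(raw)]
    return {"blackholed": blackholed, "taunts": taunts}


if __name__ == "__main__":
    findings = find_tampering(SAMPLE_HOSTS)
    for lineno, ip, host in findings["blackholed"]:
        print(f"line {lineno}: {host} -> {ip} (blocked or pinned)")
    for lineno, line in findings["taunts"]:
        print(f"line {lineno}: taunt: {line}")
```

On a live Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a clean one normally contains nothing but localhost entries and comments, so any vendor name in it is a finding on its own, regardless of which address it points to.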

While it's unclear whether botnet operators have threatened antivirus companies in the past, there is precedent for turf battles between rival gangs of computer criminals. In 2004, Cluley noted, creators of the Bagle and Netsky worms taunted each other in embedded messages, and Netsky used code designed to remove several versions of Bagle from infected computers.

Now, however, security experts say the cyber criminals are stepping up the pace in their virtual street war, creating more worms that will delete rival worms in order to hijack ever-greater armies of computer "robot PCs" likely to be used for criminal activity.

Mikko Hypponen, chief research officer for security firm F-Secure in Helsinki, Finland, said 12 Internet worms similar to Zotob have been spotted online since Sunday. Like the worm that began to affect several media outlets on Tuesday, each of these pieces of malicious software -- sometimes called "malware" by computer security experts -- exploits the same "plug and play" flaw in Windows software that Microsoft warned about earlier this month (Microsoft Security Bulletin MS05-039, released Aug. 9).

"We've found five new PnP [plug and play] malware just today," Hypponen said. "The main target of these worms is to spread, removing competing bots."

On his blog, Hypponen noted there are apparently four main "families" of worms actively attacking each other. One group of worms, the "IRCbot" family, attempts to knock off the Zotobs, which try to kill off the "Bozori" class of worms, which in turn are after another type of worm called "Rbot" or "SDbot."

"It's unknown to us who is behind all of this," said Hypponen, echoing other computer security experts. "But it seems we have several separate groups competing with each other to build the biggest botnets. It's a global pissing contest."

But while Hypponen notes these worms do not carry any dangerous "payloads" -- say, deleting files or installing spyware that steals important digital information -- the end goal is the same: to leave infected computers under the attackers' control and open to further exploitation.