Not that anybody has ever accused virus writers of being the epitome of maturity, but the war, if it can be called that, between the creators of NetSky and Bagle has gotten personal — in a school yard “I know you are but what am I” kind of way.
The two worms, up to variants K and F (Bagle and NetSky respectively), are taking their personal distaste for the other’s existence out into the public forum with thinly veiled threats and insults in the code.
The following repartee, courtesy of Central Command Inc., a Medina, Ohio-based antivirus company, is a stellar example of hacker etiquette.
Worm/Bagle.J: “Hey, NetSky, fuck off you bitch, don’t ruine (sic) our bussiness (sic), wanna start a war?”
Worm/Netsky.F: “Skynet AntiVirus – Bagle – you are a looser (sic) !!!!”
Worm/Netsky.C: “we are the skynet – you can’t hide yourself! – we kill malware … MyDoom.F is a thief of our idea! … SkyNet AV vs. Malware.”
All of this aside, there are serious corporate concerns with these two (three if MyDoom is included) worms.
“It is a bit more than graffiti,” said Steven Sundermeier, vice-president of products and services with Central Command. There are “a lot of casualties” with each new creation. “All the variants are capable of being successful.” He added that security professionals are scrambling a bit because they are being forced to make sure antivirus systems are updated constantly.
“This kind of level where they are just releasing their creations one after another, after another, is completely unique,” he said. He said the worm writers are apparently quite knowledgeable of how the antivirus industry works because subsequent releases differ just enough from their predecessors to bypass antivirus software (until an update is available). Symantec’s auto-update runs at least once every 24 hours, said Alfred Huger, senior director of engineering with Symantec Global Services in Calgary. But with releases coming almost as quickly, companies are advised to shore up their e-mail attachment policies.
Sundermeier said some of Central Command’s customers are placing a quarantine on all e-mail attachments “until this dust settles a little bit.” In Bagle.J and Bagle.K, the payload is stored as a password-protected ZIP file. Huger said this could be a problem because many corporate e-mail policies do not automatically quarantine ZIP files since they are not perceived as being an executable.
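As an added example (not code from the article or from either vendor), here is a gateway-side triage check in Python that reads a ZIP attachment's central directory without extracting it and quarantines the attachment if any entry is marked encrypted (bit 0 of the entry's general-purpose flag word, which is how a password-protected ZIP looks to a scanner that does not have the password) or carries an executable extension behind the archive's harmless-looking outer name. The attachment bodies are constructed inside the block with a hand-rolled ZIP builder; the file names, payloads and extension list are illustrative assumptions, and the "encrypted" entry only sets the flag bit rather than implementing PKZIP's cipher.

```python
"""Header-only triage for ZIP e-mail attachments (added example).

A ZIP is not itself an executable, so a policy that only blocks .exe/.scr
attachments lets it through, and a password-protected ZIP cannot be
content-scanned at the gateway at all. This check reads only the central
directory (no extraction, no decryption) and decides whether to quarantine.
"""
import io
import os
import struct
import zipfile
import zlib

# Extensions the Windows shell executes on double-click (assumed policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# Bit 0 of the general-purpose flag word marks an encrypted entry (PKWARE APPNOTE).
ENCRYPTED_FLAG = 0x0001

# DOS date for 2004-03-15, used only to give the constructed archives a timestamp.
DOS_DATE = ((2004 - 1980) << 9) | (3 << 5) | 15


def _inner_extension(name):
    """Final extension of an entry name; 'report.txt        .exe' resolves to '.exe'."""
    base = name.rstrip(" .").rsplit("/", 1)[-1]
    return os.path.splitext(base)[1].lower()


def triage_zip_attachment(data):
    """Return (verdict, reasons) for an attachment body, without extracting it."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Unparseable archives are not waved through: they may be deliberately malformed.
        return "quarantine", ["not a parseable ZIP"]
    for info in zf.infolist():
        if info.flag_bits & ENCRYPTED_FLAG:
            reasons.append(f"{info.filename}: encrypted entry, content cannot be scanned")
        ext = _inner_extension(info.filename)
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"{info.filename}: executable inside archive ({ext})")
    return ("quarantine" if reasons else "allow"), reasons


def build_zip(entries):
    """Construct a stored (uncompressed) ZIP in memory for the demo.

    entries: list of (name, payload, encrypted). For encrypted entries only the
    flag bit is set and the bytes are stored as-is, which is all header triage sees.
    """
    local, central = bytearray(), bytearray()
    for name, payload, encrypted in entries:
        raw = name.encode("cp437")
        flags = ENCRYPTED_FLAG if encrypted else 0
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local)
        # Local file header: sig, version needed, flags, method, time, date,
        # crc, compressed size, uncompressed size, name length, extra length.
        local += struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, 0, 0, DOS_DATE,
                             crc, len(payload), len(payload), len(raw), 0)
        local += raw + payload
        # Central directory header: same fields plus comment length, disk number,
        # internal/external attributes and the local header offset.
        central += struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, 0,
                               0, DOS_DATE, crc, len(payload), len(payload), len(raw),
                               0, 0, 0, 0, 0, offset)
        central += raw
    # End of central directory record.
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


# Constructed sample attachments (not real worm samples).
SAMPLE_BENIGN = build_zip([("minutes.txt", b"Agenda for Monday\n", False)])
SAMPLE_EXE_INSIDE = build_zip([("document.txt                 .exe", b"MZ" + b"\x90" * 14, False)])
# Bagle-style: executable inside a password-protected archive, password sent in the mail body.
SAMPLE_PASSWORD_ZIP = build_zip([("photos.exe", b"\x8f\x2a" * 10, True)])


if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("exe inside", SAMPLE_EXE_INSIDE),
                        ("password zip", SAMPLE_PASSWORD_ZIP)]:
        verdict, reasons = triage_zip_attachment(blob)
        print(f"{label}: {verdict} {reasons}")
```

Because the check never opens an entry, it costs one read of the central directory per attachment and needs no password; an encrypted entry is quarantined on the flag bit alone, since a gateway that cannot look inside has no basis to call the archive clean.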
For now it appears that NetSky is the less virulent of the two (bandwidth consumption notwithstanding) since it removes MyDoom and Bagle from infected machines and then propagates itself. The others propagate and leave a backdoor on infected machines, Huger said. Bagle leaves port 2745 open, Sundermeier added.