It’s war as worm writers trade secret insults in code

4 Mar 2004

Who said there was honour among hackers? Security experts have discovered text buried in the code of the MyDoom, Bagle and Netsky worms which shows the writers swapping insults with one another.

Specifically, war appears to have broken out between the writers of the MyDoom and Bagle worms and the author of Netsky. The latest variants of the first two worms have been found to contain messages to the person responsible for Netsky.

Members of the antivirus research team at the Finnish security provider F-Secure discovered the messages earlier this week. The Bagle.J worm contained the message: “Hey, NetSky … don’t ruin our business, wanna start a war?” while MyDoom.G carried the note: “to netsky’s creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app”. Netsky.F, found yesterday, responded with the pithy, if poorly spelt, text string: “Skynet AntiVirus – Bagle – you are a looser!!!”

According to F-Secure, this indicates an ongoing competition among the writers of the currently widespread Bagle and NetSky malware. “This NetSky worm variant tries to remove Bagle worm infection if it finds it on an infected computer,” the company said on its website.

Another security software provider, Sophos, has confirmed this new war of the worms, which has seen a disturbingly high number of variants flood the internet in a very short space of time – a rate not previously seen. “The two worm authors are goading each other with taunts and malicious code to release more powerful versions of their viruses,” said Graham Cluley, senior technology consultant for Sophos. “We believe both authors may have access to an underground network consisting of thousands of compromised computers owned by innocent users, which are being exploited to launch every new version of their worms.”

In the meantime, users have been advised to be suspicious of emails carrying attachments such as .ZIP files – even where they appear to come from friends or colleagues, as the likelihood is that the address may have been spoofed and does not actually indicate the real sender. Cluley recommended that computer users should ensure that their PCs are regularly updated with antivirus software as well as being protected by a firewall.

By Gordon Smith