Hacker underground erupts in virtual turf wars
A chain of warring virus attacks last week fits an emerging trend.
By Peter N. Spotts | Staff writer of The Christian Science Monitor
In the early days of computer attacks, when bright teens could
bring down corporate systems, the point was often to trumpet a hacker's
success. No longer.
In today's murky world of digital viruses, worms, and Trojan horses,
the idea is to stay quiet and use hijacked computers to flood the
Internet with spam, spread destructive viruses, or disgorge e-mail to
choke corporate systems. Not only can networks of these compromised
computers be leased or sold, experts say, they are becoming more
valuable as the number of vulnerable computers slowly shrinks.
That's a major reason that turf wars are emerging among hackers.
Besides infiltrating computer systems, the viruses are now also
designed to kill any other competing viruses in those systems. These
skirmishes have gone on -- quietly -- for several years. Last week, for
the second time in a little over a year, they exploded into public
view. A worm dubbed Zotob infected computers at major media outlets,
industrial companies, and San Francisco International Airport.
Three days after a Finnish computer-security firm discovered Zotob on
Aug. 14, seven variations were on the loose. Five of them were
designed to delete the initial worms that may have burrowed through
the vulnerable spot in Windows 2000 first.
"We've been seeing an increase in these kinds of battles, especially
in the last three years," says Tom Liston, an Internet security
consultant with Intelguardians Network Intelligence, in
Washington. "We're likely to see more."
Often the battles involve "proof of concept" hacker software, says
Curtis Franklin Jr., a senior technical editor with Secure Enterprise
Magazine. The programs' writers use it to test new techniques, so the
viruses carry no "payloads" that can harm a computer system.
But they can backfire. Indeed, last week's outbreak may be a case
where the hackers "didn't expect this to be quite as virulent as it
was," says Mr. Liston. "You had this thing taking off inside a
network, and all these machines were pounding on each other trying to
compromise each other."
It's not the first time. In the spring of 2004, it was dueling
viruses Bagel, Netsky, and Mydoom, notes Mikko Hyppnen, director of
antivirus research for F-Secure Corporation in Helsinki.
The trio went through several variations. Later versions included
taunts to writers of the other viruses, adds Peter Reiher, a computer
science professor at the University of Southern California at Los
"Years ago, people just wanted access to a machine or to do something
they could brag about," says Dr. Reiher. This led to one-upmanship
among hackers. Indeed, he says, even last year's virus wars may have
been more about bragging rights than control over infected machines.
But it's clear now that there is some of the more serious activity
going on as well."
One of the noteworthy aspects of this latest outbreak was the speed
with which Zotob appeared after Microsoft announced it had developed a
fix for the vulnerability Zotob was written to exploit. While not the
fastest piece of hacker software -- or "malware" -- to hit the streets,
its six-day gestation period beat the current average. "In the last 24
months, the average has gone from 21 days to eight days, and it's
continuing to trend downward," Mr. Franklin says.
One reason behind the increased speed: Malware writers appear to be
using prewritten program "shells" into which they can stuff code
tailored to the newest vulnerability, experts say. Meanwhile,
corporate network managers sometimes have to negotiate with other
parts of the corporation before they can speed up the process of
plugging software gaps.
The biggest concern is over what security specialists call "zero-day
exploits," when malware hits the Internet the same day that the fix
for the vulnerability is announced.
Zotob's rise and fall highlights what many see as an increasing
ethical dimension to keep a clean machine, Franklin adds. The viruses
of yesteryear, "where something would get on your system and blow away
your boot sector just doesn't happen that much anymore." Today, the
various forms of malware "are all converging in what they do. It's
either looking to use your system without your knowledge to do
something against other systems, or it's trying to collect information
on you and combine it with information from other people" for use in
fraud or identify theft schemes.
An unprotected computer running Windows XP experiences an average
"survival" time of 26 minutes on the Internet before hackers identify
it as vulnerable, according to the SANS Institute, a cooperative
Internet security organization.
www.csmonitor.com Copyright 2005 The Christian Science Monitor.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. To read the Monitor on line each day, go to
http://telecom-digest.org/td-extra/nytimes.html and the upper right
hand column of that page.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, The Christian Science Publishing Society.
For more information go to: