Hacker underground erupts in virtual turf wars
A chain of warring virus attacks last week fits an emerging trend.
In the early days of computer attacks, when bright teens could bring down corporate systems, the point was often to trumpet a hacker's success. No longer.
In today's murky world of digital viruses, worms, and Trojan horses, the idea is to stay quiet and use hijacked computers to flood the Internet with spam, spread destructive viruses, or disgorge e-mail to choke corporate systems. Not only can networks of these compromised computers be leased or sold, experts say, they are becoming more valuable as the number of vulnerable computers slowly shrinks.
That's a major reason that turf wars are emerging among hackers. Besides infiltrating computer systems, the viruses are now also designed to kill any other competing viruses in those systems. These skirmishes have gone on - quietly - for several years. Last week, for the second time in a little over a year, they exploded into public view. A worm dubbed Zotob infected computers at major media outlets, industrial companies, and San Francisco International Airport.
Three days after a Finnish computer-security firm discovered Zotob on Aug. 14, seven variations were on the loose. Five of them were designed to delete the initial worms that may have burrowed through the vulnerable spot in Windows 2000 first.
"We've been seeing an increase in these kinds of battles, especially in the last three years," says Tom Liston, an Internet security consultant with Intelguardians Network Intelligence, in Washington. "We're likely to see more."
Often the battles involve "proof of concept" hacker software, says Curtis Franklin Jr., a senior technical editor with Secure Enterprise Magazine. The programs' writers use it to test new techniques, so the viruses carry no "payloads" that can harm a computer system.
But they can backfire. Indeed, last week's outbreak may be a case where the hackers "didn't expect this to be quite as virulent as it was," says Mr. Liston. "You had this thing taking off inside a network, and all these machines were pounding on each other trying to compromise each other."
It's not the first time. In the spring of 2004, it was dueling viruses Bagle, Netsky, and Mydoom, notes Mikko Hyppönen, director of antivirus research for F-Secure Corporation in Helsinki.
The trio went through several variations. Later versions included taunts to writers of the other viruses, adds Peter Reiher, a computer science professor at the University of Southern California at Los Angeles.
"Years ago, people just wanted access to a machine or to do something they could brag about," says Dr. Reiher. This led to one-upmanship among hackers. Indeed, he says, even last year's virus wars may have been more about bragging rights than control over infected machines. "But it's clear now that there is some of the more serious activity going on as well."
One of the noteworthy aspects of this latest outbreak was the speed with which Zotob appeared after Microsoft announced it had developed a fix for the vulnerability Zotob was written to exploit. While not the fastest piece of hacker software - or "malware" - to hit the streets, its six-day gestation period beat the current average. "In the last 24 months, the average has gone from 21 days to eight days, and it's continuing to trend downward," Mr. Franklin says.
One reason behind the increased speed: Malware writers appear to be using prewritten program "shells" into which they can stuff code tailored to the newest vulnerability, experts say. Meanwhile, corporate network managers sometimes have to negotiate with other parts of the corporation before they can speed up the process of plugging software gaps.
The biggest concern is over what security specialists call "zero-day exploits," when malware hits the Internet the same day that the fix for the vulnerability is announced.
Zotob's rise and fall highlights what many see as an increasing ethical dimension to keeping a clean machine, Franklin adds. The viruses of yesteryear, "where something would get on your system and blow away your boot sector just doesn't happen that much anymore." Today, the various forms of malware "are all converging in what they do. It's either looking to use your system without your knowledge to do something against other systems, or it's trying to collect information on you and combine it with information from other people" for use in fraud or identity theft schemes.
An unprotected computer running Windows XP experiences an average "survival" time of 26 minutes on the Internet before hackers identify it as vulnerable, according to the SANS Institute, a cooperative Internet security organization.