Newest Netsky Worms More Dangerous

Netsky.s, Netsky.t, and Netsky.u -- which first appeared on the Internet this past weekend, on Monday, and on Wednesday, respectively -- all share one characteristic that separates them from the previous 18 variations: they install a backdoor component that leaves open TCP port 6789.

Backdoors are dangerous because they allow the original hacker, or other attackers, to scan for the open port, and when found, plant arbitrary code on the compromised machine, including key loggers to steal passwords or new variations of a worm, or turn the system into a spam-spewing engine.

"There are tens of thousands of computers that have some sort of backdoor open, both inside corporate networks and on home machines," said Vincent Gullotto, the vice president of Network Associates' AVERT research team. Worst case, he added, is that the open ports can be used to insert worms which don't require any action on the part of the end-user, but exploit system software vulnerabilities to run code.

"That's when a worm can really take off," he added.


Both Gullotto and Patrick Hinijosa, the chief technology officer for Panda Software, confirmed that Netsky.s/t/u were the first in that line to drop a backdoor component onto infected systems.

The writers of these newest Netskys could be adding to the worm's arsenal, or an entirely different group could be using the Netsky source code to write new variations, both analysts said. (Netsky's source code was released by the original authors, and is available to hackers at a variety of Web sites.)

"This seems more typical of Bagle," said Gullotto, noting that the Bagle worms have all implanted a backdoor on infected machines. "This could be the Bagle guys grabbing the [Netsky] source code and writing something of their own."

Hinijosa agreed. "This is a pretty radical change in characteristic [from earlier Netskys]," he said. "It doesn't fit their pattern, and goes against their stated tactic of eliminating other viruses."

It's certainly possible, Hinijosa added, that another hacker (or hackers) saw the successful spreading of Netsky and piggybacked their own efforts onto the source code. "They look at Netsky and think, 'here's a proven vehicle, why re-invent the wheel,'" Hinijosa said.

However, a text message embedded within the code of Netsky.t claims that the new worm -- and its backdoor component -- was created by the original Skynet group of hackers.

According to analysis done by security firm Trend Micro, the text reads: "Now we have programmed our backdoor, it cannot be used for spam relaying, only for Skynet distribution."

Analysts warned that such text can't be taken at face value, and is ambiguous at best. "Distribution" could mean, for instance, the planting of additional worms.

In other Netsky news Thursday, it appeared that the first of its denial-of-service (DoS) attacks, launched by Netsky.q -- a worm which hit the Internet on March 28 -- was more fizzle than ferocious.

Netsky.q took its first DoS shots Thursday when it began hitting five Web sites, including peer-to-peer file sharing sites kazaa.com, emule-project.net, and edonkey2000.com.

Most weathered the DoS storm and were up and running as of mid-morning (PDT) Thursday.

Those sites, along with two dedicated to "cracks," illegal patches that break commercial software copy protection schemes, were targeted by Netsky.q, the first worm in that family to add DoS attacks to its bag of malicious tricks.

Although some of the sites were unavailable for a time -- late Wednesday, for instance, emule-project.net switched to a mirror site at emule-project.org -- the impact of Netsky.q seemed to be short-lived.

The only site on the Netsky.q list currently offline is cracks.am.

But these sites' problems aren't at an end. Netsky.q's DoS attack runs through Sunday April 11, and later Netsky variations also include DoS components, in some cases with slightly different lists and with different start and end dates. The most recent Netsky, dubbed Netsky.u, for example, will attempt a DoS attack on cracks.am, emule.de, kazaa.com, freemule.net, and keygen.us between April 14 and April 23.

Earlier this year, the MyDoom worm successfully knocked SCO Group's Web site off the air with a widespread DoS attack. Other websites that have been the target of similar assaults have included those belonging to Microsoft and the Recording Industry Association of America (RIAA), which has been aggressively hunting down high-volume music file sharers.