[Dshield] new Netsky.b virus - quick analysis (incl. hexdump)

Jon R. Kibler Jon.Kibler at aset.com
Fri Feb 20 17:05:17 GMT 2004

jayjwa wrote:
> On Thu, 19 Feb 2004, Jon R. Kibler wrote:
> > Why are they fundamentally the same? I don't think it is a template or
> > worm generator. I really think that a very few individuals working for
> > spammers, or even a spammer organization itself, is responsible. Thus,
> > the similarity. I mean these organizations are even running "Help Wanted"
> > ads for virus writers -- offering 6-figure salaries (USD) at offshore
> > locations.
> Can you post one of these ads?

I wish I could get my hands on one... I have just been told about them from
sources (in computer security) that I consider reliable. Two different sources
in Canada described very similar ads originating from opposite ends of the 
country. Also, I had a student with relatives still living in Russia that said
their family had told them of jobs advertised there for "computer security
experts familiar with weakness in Microsoft O/Ses and how to exploit them."
I will try to dig around a little this weekend and see if I can find anything
in any help wanted archives. (Anyone have access to international newspapers
in their local libraries?)

> > Let's face it... almost all of the recent worms pass the "duck test" for
> > spammer originated. What other conclusion can we draw?
> That there's an automated tool of some sort, like the VB worm generator of
> old, and the one that created the "Anna Kornikova" (sp?) virus. Such tools
> exist, and can be readily downloaded from the Internet, found by plugging
> in "virus creation" or "worm generator" into your favorite search engine.

I'm not saying such tools do not exist. They may even be being used to assist
in creating some of the new worms. But I still contend that these new worms are
the product of spammers.

> I don't see enough solid evidence to link this to spammers. How are they
> profiting? Not by someone's computer having a virus. If we saw these
> infected machines being remote-controlled to send out ads for Viagra and
> such, then I'd be inclined to believe it; but that's not what's happening.

I disagree. On the "average" day, we detect about 2,000 new spam sources. 
Almost all are compromised systems. When a new worm is released, this number 
almost instantly doubles. That is, we start to receive SPAM from double the 
number of new sources. Over the next few days it may even triple, and then 
slowly decline as infected systems are isolated and cleaned up. During the 
peak rush after a new worm, if you add up the higher spam load, the number 
of systems sending viruses, and the number of idiots that still bounce malware
infected emails, we have seen our mail server load increase by as much as 10 
times normal load in the days following a new worm release.

Also, immediately after most new worms, we see our spam block success rate
take a small, but noticeable, dip. Why? We are not 100% sure of what is
occurring, but it almost looks like each new worm is accompanied by a new
version of spamware that exploits the compromised systems.

I admit that we don't have conclusive proof that spammers are behind these
new worms, but the preponderance of evidence sure points that way.

Jon K.
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

