Kazaa and eDonkey brace for attack from Netsky

Kazaa and eDonkey brace for attack from Netsky

Summary: The Netsky worm is due to launch a DDoS attack on file-sharing sites such as Kazaa and eDonkey on Wednesday morning

SHARE:
TOPICS: Security
2

File-sharing Web sites Kazaa and eDonkey are bracing for a distributed denial-of-service (DDoS) attack starting on Wednesday that will be launched by a clutch of new variants of the Netsky worm.

Netsky.Q, which first appeared on 29 March, is designed to attack various Web sites that distribute either file-sharing clients or hacking and cracking tools. Kazaa and eDonkey are its best-known targets and the attack is scheduled to last for six days. However, they will get only a short break because Netsky.T, which was discovered on Tuesday, will launch a new DDoS attack from 14 April. This attack is scheduled to last for 10 days.

Mikko Hyppönen, director of antivirus research at F-Secure, said he expects the targets to fair badly because they are relatively small companies that will not have the necessary infrastructure to survive a large DDoS attack: "Netsky is widespread, so I wouldn't be surprised if the sites collapse under the load," he said.

Because these versions of Netsky are engineered to attack only Kazaa's and eDonkey's main Web sites, their actual file-sharing networks will not be affected, meaning users should be able to continue swapping files without disruption.

Marco Righetti, virus coordinator at Trend Labs, the research arm of antivirus firm Trend Micro, said that although he is worried that the Netsky.Q variant will cause the targeted sites some problems, Netsky.T is not spreading very fast and at the moment does not look like a serious issue.

Kevin Hogan, senior manager at Symantec Security Response, agrees with Righetti, saying that as of this morning, he had received two only reports of the Netsky.T variant from customers.

However, Netsky contains a "back door" that allows the worm to be automatically upgraded to a newer variant by the authors, so users who have not removed previous Netsky infections are likely to be automatically "upgraded" to the latest version of Netsky so that their machines can join in the attack.

Apart from launching DDoS attacks, recent Netsky variants have also stopped trying to remove the Bagle worm from infected machines, which is a behaviour exhibited by the previous 16 variants of the worm. This may indicate that the worm is now being authored by a different group of programmers. Messages hidden inside Netsky.Q claim that the authors do not have any "criminals inspirations" because they do not use the worm to relay spam. They also deny that they are "children" using virus toolkits and say they want to "prevent hacking, sharing of illegal stuff and similar illegal content."

But this moral high ground is dismissed by Trend Micro's Righetti, who said that the Netsky authors are doing more damage than the sites they are attacking: "Kazaa spreads music and the other sites spread passwords and key generators for cracking programs. The worm's authors are trying to do something they may think is morally right, but this is actually ten times worse," he said.

Kevin Hogan, senior manager at Symantec Security Response, said the messages contained in Netsky should be ignored because he suspects the source code for Netsky is circulating within the hacker underground so anyone could be creating the new variants: "It's hard to tell if it is the same group of people that wrote the previous variants. The guys that are writing these worms could be pulling the wool over all our eyes," he said.

Between 7 April and 12 April, Netsky.Q will attack cracks.st, cracks.am, emule-project.net, kazaa.com and edonkey2000.com.

Between 14 April and 23 April, Netsky.T will attack cracks.am, emule.de, kazaa.com, freemule.net and keygen.us.

Topic: Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • Very usefull hint for those who tries ti do new things on Internet every day and one day due to these worms spoile their valuable pc and Laptop Data
    anonymous
  • dear sir/madami have been bombarded with varius viruses worms etc , it has caused me great disress,made worse by my disability, i have not opened any attachments & dont understand why ? if i had my way i would love to cause the same pain & distess to whomever is responsible, hanging is to lenient
    anonymous