Netsky copycat sparks search for source code

Netsky copycat sparks search for source code

Summary: Antivirus companies are trawling the Internet looking for evidence that the author of Netsky has published the worm's source code, after new variants were discovered

SHARE:
TOPICS: Security
0

Security experts suspect that the author of Netsky, which has been one of the most successful pieces of malware this year, is distributing the worm's source code among the black-hat community.

On Tuesday, the eleventh incarnation of the Netsky worm (Netsky.K) was found to contain a message from its author saying there would be no more variants. However, the note also indicated that the worm's source code would be published, which could allow any number of people to develop their own version of Netsky. Since then, Netsky.L and Netsky.M have been discovered and security researchers say they show signs of being written by a different author.

Mikko Hyppönen, director of antivirus research at F-Secure, told ZDNet UK that although the latest variants seem to have been written by a different person, he has not found any proof that the code is being distributed: "We haven't seen the source code in any of the typical places where we would expect to see it but we have been talking to our informants from the underground."

Graham Cluley, senior technology consultant at Sophos, also admitted that he could not confirm that the source code has been published on the Internet, but suspects it is being sent to small mailing lists: "We have no proof that the source code is out there but our suspicion is it may be available to just a small number of people because the Netsky.L and Netsky.M versions look like they have reused the source code to an extent."

Until Tuesday, all of the Netsky worm variants contained text that insulted the authors of the MyDoom and Bagle worms. But the last two variants of Netsky have not included this "childish banter".

"We don't think they are written by the same guy because a lot of the childish banter isn't there, the anti-Bagle attack isn't there and, most importantly perhaps, the reference to SkyNet, which has been included in all the other variants isn't in there either," said Cluley.

But Hyppönen said there is a possibility that the author is simply wants it to look like he is no longer creating new variants: "It looks like either this guy is releasing new versions and trying to make it look like he is not doing it or -- and this I think is more likely -- he has distributed the code to a small group and the variants are coming from there."

Even if the code is distributed, Sophos's Cluely doesn't think it will result in a deluge of Netsky worms: "This doesn't necessarily mean we will se a glut of new worms that will have the same impact as the original Netsky because there are lots of other virus source codes available on the Internet. But the Netsky.L and Netsky.M variants haven't spread as far as the earlier ones, possibly because the original author of Netsky had a better system for distributing the virus."

However, Hyppönen admits that if the source code was published, it would be "hot stuff" as far as the malware writing community was concerned: "I would have thought the source code from Netsky is hot stuff because the worm has been so successful," he said.

Topic: Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion