Kazaa and eDonkey brace for attack from Netsky

The Netsky worm is due to launch a DDoS attack on file-sharing sites such as Kazaa and eDonkey on Wednesday morning

File-sharing Web sites Kazaa and eDonkey are bracing for a distributed denial-of-service (DDoS) attack starting on Wednesday that will be launched by a clutch of new variants of the Netsky worm.

Netsky.Q, which first appeared on 29 March, is designed to attack various Web sites that distribute either file-sharing clients or hacking and cracking tools. Kazaa and eDonkey are its best-known targets and the attack is scheduled to last for six days. However, they will get only a short break because Netsky.T, which was discovered on Tuesday, will launch a new DDoS attack from 14 April. This attack is scheduled to last for 10 days.

Mikko Hyppönen, director of antivirus research at F-Secure, said he expects the targets to fair badly because they are relatively small companies that will not have the necessary infrastructure to survive a large DDoS attack: "Netsky is widespread, so I wouldn't be surprised if the sites collapse under the load," he said.

Because these versions of Netsky are engineered to attack only Kazaa's and eDonkey's main Web sites, their actual file-sharing networks will not be affected, meaning users should be able to continue swapping files without disruption.

Marco Righetti, virus coordinator at Trend Labs, the research arm of antivirus firm Trend Micro, said that although he is worried that the Netsky.Q variant will cause the targeted sites some problems, Netsky.T is not spreading very fast and at the moment does not look like a serious issue.

Kevin Hogan, senior manager at Symantec Security Response, agrees with Righetti, saying that as of this morning, he had received two only reports of the Netsky.T variant from customers.

However, Netsky contains a "back door" that allows the worm to be automatically upgraded to a newer variant by the authors, so users who have not removed previous Netsky infections are likely to be automatically "upgraded" to the latest version of Netsky so that their machines can join in the attack.

Apart from launching DDoS attacks, recent Netsky variants have also stopped trying to remove the Bagle worm from infected machines, which is a behaviour exhibited by the previous 16 variants of the worm. This may indicate that the worm is now being authored by a different group of programmers. Messages hidden inside Netsky.Q claim that the authors do not have any "criminals inspirations" because they do not use the worm to relay spam. They also deny that they are "children" using virus toolkits and say they want to "prevent hacking, sharing of illegal stuff and similar illegal content."

But this moral high ground is dismissed by Trend Micro's Righetti, who said that the Netsky authors are doing more damage than the sites they are attacking: "Kazaa spreads music and the other sites spread passwords and key generators for cracking programs. The worm's authors are trying to do something they may think is morally right, but this is actually ten times worse," he said.

Kevin Hogan, senior manager at Symantec Security Response, said the messages contained in Netsky should be ignored because he suspects the source code for Netsky is circulating within the hacker underground so anyone could be creating the new variants: "It's hard to tell if it is the same group of people that wrote the previous variants. The guys that are writing these worms could be pulling the wool over all our eyes," he said.

Between 7 April and 12 April, Netsky.Q will attack cracks.st, cracks.am, emule-project.net, kazaa.com and edonkey2000.com.

Between 14 April and 23 April, Netsky.T will attack cracks.am, emule.de, kazaa.com, freemule.net and keygen.us.