Netsky variants spark search for code

Security experts suspect that the author of Netsky, one of the most successful pieces of malicious software this year, is distributing the worm's source code on the Internet.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

On Tuesday, the 11th incarnation of the Netsky worm was found to contain a message from its author saying there would be no more variants. However, the Netsky.K note also indicated that the worm's source code would be published, which could allow any number of people to develop their own version of Netsky. Since then, Netsky.L and Netsky.M have been discovered, and security researchers say they show signs of being written by a different author.

Mikko Hypponen, director of antivirus research at F-Secure, said that although the latest variants seem to have been written by a different person, he has not found any proof that the code is being distributed. "We haven't seen the source code in any of the typical places where we would expect to see it, but we have been talking to our informants from the underground," Hypponen said.

Graham Cluley, senior technology consultant at Sophos, said he could not confirm that the source code has been published on the Internet but suspects it is being sent to small mailing lists.

"We have no proof that the source code is out there," Cluley said, "but our suspicion is it may be available to just a small number of people because the Netsky.L and Netsky.M versions look like they have reused the source code to an extent."

Taunts absent
Until Tuesday, all of the Netsky worm variants contained text that insulted the authors of the MyDoom and Bagle worms. But the last two variants of Netsky have not included the taunts.

"We don't think they are written by the same guy because a lot of the childish banter isn't there. The anti-Bagle attack isn't there and, most importantly perhaps, the reference to Skynet, which has been included in all the other variants, isn't in there either," Cluley said. "Skynet" is the name the author gives the program, though others call it Netsky.

But Hypponen said there is a possibility that the author simply wants it to look like he is no longer creating new variants: "It looks like either this guy is releasing new versions and trying to make it look like he is not doing it," he said. "Or--and this I think is more likely--he has distributed the code to a small group and the variants are coming from there."

Even if the code is distributed, Cluley said he doesn't believe it will result in a deluge of Netsky worms. "This doesn't necessarily mean we will see a glut of new worms that will have the same impact as the original Netsky because there are lots of other virus source codes available on the Internet. But the Netsky.L and Netsky.M variants haven't spread as far as the earlier ones, possibly because the original author of Netsky had a better system for distributing the virus."

However, Hypponen acknowledges that if the source code were published, it would be popular in the malicious software community. "The source code from Netsky is hot stuff because the worm has been so successful," he said.

Munir Kotadia of ZDNet UK reported from London.