Netsky variants spark search for code
Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section. | ||||
Mikko Hypponen, director of antivirus research at F-Secure, said that although the latest variants seem to have been written by a different person, he has not found any proof that the code is being distributed. "We haven't seen the source code in any of the typical places where we would expect to see it, but we have been talking to our informants from the underground," Hypponen said.
Graham Cluley, senior technology consultant at Sophos, said he could not confirm that the source code has been published on the Internet but suspects it is being sent to small mailing lists.
"We have no proof that the source code is out there," Cluley said, "but our suspicion is it may be available to just a small number of people because the Netsky.L and Netsky.M versions look like they have reused the source code to an extent."
Taunts absent
Until Tuesday, all of the Netsky worm variants contained text that insulted the authors of the MyDoom and Bagle worms. But the last two variants of Netsky have not included the taunts.
"We don't think they are written by the same guy because a lot of the childish banter isn't there. The anti-Bagle attack isn't there and, most importantly perhaps, the reference to Skynet, which has been included in all the other variants, isn't in there either," Cluley said. "Skynet" is the name the author gives the program, though others call it Netsky.
But Hypponen said there is a possibility that the author simply wants it to look like he is no longer creating new variants: "It looks like either this guy is releasing new versions and trying to make it look like he is not doing it," he said. "Or--and this I think is more likely--he has distributed the code to a small group and the variants are coming from there."
Even if the code is distributed, Cluley said he doesn't believe it will result in a deluge of Netsky worms. "This doesn't necessarily mean we will see a glut of new worms that will have the same impact as the original Netsky because there are lots of other virus source codes available on the Internet. But the Netsky.L and Netsky.M variants haven't spread as far as the earlier ones, possibly because the original author of Netsky had a better system for distributing the virus."
However, Hypponen acknowledges that if the source code were published, it would be popular in the malicious software community. "The source code from Netsky is hot stuff because the worm has been so successful," he said.
Munir Kotadia of ZDNet UK reported from London.