Two weeks since the MyDoom backdoor became contested substrate. The conflict between Bagle, MyDoom, and Netsky has accelerated; specific variants are now appearing weekly. A short progress note.
The variants since 12 February
Specific named variants that have appeared since the previous post:
- Bagle.B on 17 February. Slightly modified payload; same backdoor port (8866).
- Netsky.B on 18 February. Mass-mailing engine more aggressive than .A. Removes MyDoom and Bagle when found.
- Netsky.C on 24 February. Faster mail-spreading; stronger removal of competitors.
- MyDoom.F in late February. Retains the backdoor; adds a destructive payload (overwrites .doc and .xls files on triggering hosts).
- Bagle.C, .D, .E in rapid succession. The Bagle author appears to be iterating quickly.
The cadence is roughly one new variant per family per week. The authors are watching each other and responding.
What is in the binaries: insults
The most striking property of the current generation is that the authors are talking to each other through embedded text strings in the binaries. Reading through these strings is uncomfortable. The authors are operating under aliases; the conflict is, in some sense, a public conversation among criminals; the security community is the audience.
Specific patterns observed in public reporting:
- Netsky binaries contain text addressed to the MyDoom and Bagle authors, expressing contempt for their work.
- Bagle counter-strings address the Netsky author.
- MyDoom's insults are coarser; the author appears less invested in the conflict.
The text in the binaries reveals motivation. The authors are not anonymous criminals operating without identity; they have personas, they have an audience, they have reputation among each other. The structural property is informative.
What this means
Three observations.
The economic stake is real enough to produce direct conflict. The compromised-host substrate has commercial value; the authors want exclusive control; they are willing to attack each other's infrastructure to get it. The behaviour is not symbolic; it is rational economic competition.
The authors have a tooling advantage over defenders. They can produce new variants weekly; the antivirus signatures lag by days. The cumulative window during which each new variant is detected only by behaviour rather than by signature is meaningful.
The cleanup problem keeps expanding. Each variant deposits its own artefacts on infected hosts; the cumulative cleanup work to produce a clean host has grown substantially since MyDoom appeared in late January.
Operational response
For mail relays:
The standard executable-attachment stripping I have written about since ILOVEYOU catches all of these. Backscatter from forged senders is now the dominant operational nuisance: bounces generated elsewhere for worm mail that forged our addresses arrive here in volume. Not a catastrophe; an operational annoyance that requires tuning.
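The relay-side control described above, as an added example that is not the post's own code: parse a message, drop any part whose filename carries an executable extension (including parts nested inside multipart/alternative), and append a plain-text notice so the recipient knows something was removed. The extension list and the sample message are assumptions constructed for this example; the attachment body is just base64 of the word "CONSTRUCTED".

```python
import os
import email
from email import policy
from email.message import MIMEPart

# Extensions treated as executable attachments. The post names the control
# (strip executables at the relay) but not a list; this set is an assumption.
EXEC_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

# Constructed sample: a forged sender, one benign text part and one
# executable attachment whose payload is only base64("CONSTRUCTED").
SAMPLE_MESSAGE = """\
From: someone@example.net
To: user@example.org
Subject: document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document.
--b1
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""


def is_executable_attachment(part) -> bool:
    """True if this MIME part carries a filename with an executable extension."""
    name = part.get_filename() or ""
    return os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS


def _strip(msg):
    """Recursively drop executable parts in place; return the names removed."""
    if not msg.is_multipart():
        return []
    removed, kept = [], []
    for part in msg.get_payload():
        if is_executable_attachment(part):
            removed.append(part.get_filename())
            continue
        removed.extend(_strip(part))  # descend into nested multiparts
        kept.append(part)
    msg.set_payload(kept)
    return removed


def strip_executable_attachments(raw: str):
    """Parse a raw RFC 822 message, remove executable attachments and append
    a text notice naming what was taken out.
    Returns (cleaned_message, list_of_removed_filenames)."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = _strip(msg)
    if removed:
        notice = MIMEPart()
        notice.set_content(
            "Executable attachment(s) removed by the mail relay: "
            + ", ".join(removed)
        )
        msg.attach(notice)
    return msg, removed


def attachment_names(msg):
    """Filenames of every part that still carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    cleaned, removed = strip_executable_attachments(SAMPLE_MESSAGE)
    print("removed:", removed)
    print(cleaned.as_string())
```

Matching on the declared filename is the cheap check a relay can afford at volume; a relay that also inspects container formats or sniffs the payload's leading bytes catches renamed carriers, at the cost of more parsing per message.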
For network filtering:
TCP 8866 (Bagle backdoor) and TCP 3127 (MyDoom backdoor) are blocked at the perimeter. Signatures for the .B/.C/.D variants have been added to the Snort sensor.
For honeypot data:
The volume of inbound port-3127 connection attempts has grown substantially over the past two weeks. Each is presumably another worm or another scanner looking for MyDoom-compromised hosts.
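Measuring the trend described above from perimeter-filter or honeypot logs, as an added example rather than the post's own tooling: count inbound TCP connection attempts to the two backdoor ports per day and per source. The log lines are constructed in the style of netfilter kernel messages, with addresses from documentation ranges; the format is an assumption, and a different filter only needs a different regular expression.

```python
import re
from collections import Counter, defaultdict

# Backdoor ports named in the post.
BACKDOOR_PORTS = {3127: "MyDoom backdoor", 8866: "Bagle backdoor"}

# Constructed sample in netfilter log style (assumed format, documentation
# addresses). Includes one SMTP line and one UDP line that must be ignored.
SAMPLE_LOG = """\
Feb 12 02:10:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=3344 DPT=3127 SYN
Feb 26 03:14:07 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4411 DPT=3127 SYN
Feb 26 03:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=3127 SYN
Feb 26 03:20:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=3127 SYN
Feb 26 04:02:55 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=8866 SYN
Feb 26 04:05:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=2202 DPT=25 SYN
Feb 26 04:06:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=3127
"""

# Only TCP lines match; a UDP packet to 3127 is not a backdoor connection attempt.
LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} +\d{1,2}) \S+ \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (day, source, destination_port) for a TCP log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    day = " ".join(m.group("day").split())  # normalise 'Feb  3' to 'Feb 3'
    return day, m.group("src"), int(m.group("dpt"))


def summarize(lines):
    """Count backdoor-port attempts.
    Returns (per_day[day][port] -> count, per_source[port][src] -> count)."""
    per_day = defaultdict(Counter)
    per_source = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        day, src, dpt = rec
        if dpt not in BACKDOOR_PORTS:
            continue
        per_day[day][dpt] += 1
        per_source[dpt][src] += 1
    return per_day, per_source


def report(lines):
    """Human-readable lines: daily counts per port, then the busiest sources."""
    per_day, per_source = summarize(lines)
    out = []
    for day in sorted(per_day, key=lambda d: (d[:3], int(d[4:]))):
        for port, n in sorted(per_day[day].items()):
            out.append(f"{day}: {n} attempt(s) on {port} ({BACKDOOR_PORTS[port]})")
    for port, ctr in sorted(per_source.items()):
        src, n = ctr.most_common(1)[0]
        out.append(f"port {port}: {len(ctr)} distinct source(s), busiest {src} ({n})")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

The per-source counter separates a few noisy scanners from a genuine rise in the number of hosts probing; the post's observation is about the latter, so the distinct-source count is the figure to watch week over week.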
What I expect over the next two weeks
Three predictions:
More variants from each family. 95% probability. The cadence is established; the authors are productive.
A merged or hybrid variant. 35% probability. If one author copies useful code from the others, a hybrid could appear. The technical barrier is bounded; the motivation is unclear.
A non-major-family worm exploiting the same substrate. 50% probability. Other authors will write code targeting the MyDoom backdoor; some will be successful enough to be observed.
For my own writing: more on the worm-wars trajectory as it continues. The structural lessons keep developing.
More in time.