Worm Wave: Coordinated Or CoincidenceWorm Wave: Coordinated Or Coincidence

Security analysts are asking themselves whether the wave of malicious worms that began traversing the Internet on Friday and continued their blitz Tuesday was a coordinated attack or mischievous coincidence.

No question it has been a deluge of worms. Seven variations of Bagle and two forms of Netsky surfaced in the last five days. Was the flood just happenstance? Or was there something more devious behind the surge?

The answer, said security experts, is a bit of both, with some fighting over hacker turf thrown in for good measure.

"There's no evidence of any connection between the authors of these two worms," said Chris Belthoff, a senior security analyst at Sophos. "There's no master plan here."

Vincent Gullotto, VP at McAfee's Avert virus research team, agreed--to a point. "It's not some attempt to destroy the world, but I see it as clearly concerted," he said.

By that he means that the tidal wave of worms--yet another Bagle, dubbed Bagle.i was discovered Tuesday--is the result of a back and forth battle between competing hackers.

"There's some kind of competition going on between two individuals or two groups," he said, referring to the Bagle and Netsky worm writers. "There's a level of pride at stake, and they're looking to one-up each other."

Ken Dunham, director of malicious code research at iDefense, also said the Bagle-Netsky outbreak stemmed from both a coordinated effort on the part of one or more hackers and an ongoing fight over malware market share.

"The Bagle outbreak is no coincidence," he said. "They were all designed by the same person or person, and released on a rolling schedule. There are some very simple techniques hackers can use to remain undetected [by anti-virus software], and by putting out multiple variants nearly simultaneously, there's a good chance that while one may be detected, another will not." The majority of the newest round of Bagle variants, including Bagle.f, Bagle.g, Bagle.h, and Tuesday's Bagle.i, all tucked their payloads within password-protected ZIP files, a technique designed to circumvent anti-virus software.

This tactic--flooding the Internet with a slew of close copies in the hopes of overwhelming defenses and sneaking some payload-bearing messages through business and consumer firewalls and anti-virus software--is a trend Dunham thinks will only grow in use by attackers.

"Waves of attacks are the wave of the future," he said. "Expect more waves as these hackers follow in the footsteps of MiMail and other repetitive worms."

He agreed with Gullotto in calling the Bagle vs. Netsky question as more likely a battle over hacker bragging rights than a coordinated plan by multiple worm writers. "Netsky.d was a great example of a turf war. It was actively coded to remove recent worms, including Bagle.c, which appeared last Friday."

Netsky.d, which was first detected on Monday, remains the most dangerous and fastest-spreading of the nine worms to hit in the last five days. On Monday, Symantec upgraded its threat level to a "4" on its 1-through-5 scale, tying the threat ranking for such infamous viruses as MyDoom, SoBig.f, and Blaster. Symantec has never used a "5" rating on a worm or virus.

No matter whether coincidence or coordination, or a hybrid of the two, the result is an epidemic, with a capital "E," security firm Panda Software said in an E-mailed statement.

"The current wave of viruses has reached epidemic proportions worldwide," Panda said. 'They are all spreading at an alarming rate and causing and increasing number of incidents around the globe." Panda's data indicates that there are now millions of infected E-mail messages circulating.

Like iDefense's Dunham, Luis Corrons, head of the company's PandaLabs research arm, said hackers will note the success they've made in creating such an epidemic and run with the example. "Virus creators are aware of the effectiveness of launching waves of malicious code and the increased probability of infection, so we can expect to see more of these tactics in the future," Corrons said.

Sophos' Belthoff wouldn't go so far as to agree that it's an epidemic. "There's nothing especially innovative in these worms, not like MSBlast, which didn't need human intervention to spread." But the number of worm variations, with so many released in such a short period of time, is unusual, he agreed.

Dunham said a confluence of dates and events near the end of March and the opening of April mean that additional threats will surely surface.

"There are a couple of things coming up," said Dunham, "Spring break and April 1--we always see an increase in the end of March." April Fools, when people typically send hoax- and joke-style attachments to friends, are a golden opportunity for hackers to slip their code into the E-mail mix.

And as for spring break? "A lot of these [hackers] are in the college age group, and during spring break, they have a lot of time on their hands." That typically translates into more malware.

"They're surfing the cyber waves, they're having parties, they're looking at girls, but they're doing it all on the computer."