Security

When Malware Attacks Malware 135

PetManimal writes "Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware. Symantec sounded the alarm, and says that the exploit launches in AOL, Google Talk, and Yahoo Messenger windows that are already open, making it appear to be a legitimate message from a known user. The worm has modified the code from last year's Nuwar worm, and when activated, enables a DDoS attack against any site, including antispam services and servers supporting rival malware: 'Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.'"
  • It begins (Score:5, Interesting)

    by inviolet ( 797804 ) <slashdot@@@ideasmatter...org> on Tuesday February 13, 2007 @03:34PM (#18001466) Journal

    Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware.

    Thus begins the ecology of internet software. CPU cycles are simply too valuable (en masse) for one piece of malware to share with others.

    Eventually, look for malware to get better and better at rooting out rival malware in order to take its place. As well, look for malware to be more cautious about consuming host resources, lest it get noticed by a user or antivirus package.

    It's no different than Earthly biology. We think nothing of the colossal number of parasitic microorganisms currently hitching a ride on our metabolism. Some like E. coli are so useful that we even enthusiastically encourage them (Yoplait anyone?). Symbiosis carries major advantages along the lines of "division of labor". How many years before real symbiosis is realized among internet-connected computers?

    It would also evolve the antivirus landscape. The "OMG sterilize all machines!!!1!" mantra would change into a more relaxed problem: calculate the most efficient amount of CPU cycles to allocate among the competing tasks of:

    • detect malware through behavior analysis (the current cutting edge)
    • detect malware through recognition scanning (the tried and true way)
    • tolerate malware as long as it doesn't eat up too much CPU

    That's how our bodies do it, anyway.

  • It's more than that (Score:4, Interesting)

    by httptech ( 5553 ) on Tuesday February 13, 2007 @04:14PM (#18002150) Homepage
    I'm the author of the technical writeup detailing the attack on the rival spam group. But the only reason I was investigating the DDoS attacks launched by the Storm Worm/Peacomm/Nuwar is due to my own site being attacked [joestewart.org] after I detailed the pump-and-dump stock spam operation of the Rustock trojan. It is getting riskier to publish research on viruses and spam. I believe since spammers were able to take out Blue Security by DDoS attack, they are getting bolder in who they target. There's no downside for them.
  • by that this is not und ( 1026860 ) on Tuesday February 13, 2007 @09:49PM (#18006686)
    It could also be said that it's the ISP's fault, for letting machines 'shout' all over the net on ports not ordinarily used by typical end users.

    Now, I know that it disturbs people to talk like this, but the aforementioned 'dumb' Windows end user doesn't need more than a few ports open for connection to his/her machine.

    So if draconian measures are being bandied about in this thread, maybe anything but Port 80 should be blocked at the ISP at 'the last mile' connection by default. Need anything more, 'by special request' is the way it goes. Why should security be deployed at the end-user level if it's to protect 'a whole network'? That begs any rogue operator to be able to wreak havoc at the client level, i.e. the way things are now.

    Go ahead and rant, all you folks running 'servers' on your brother's old 486 box in the basement.
