Multiple computer worms released as "botwar" rages

August 18, 2005

Security experts are calling it a "botwar". Multiple computer worms, with payloads that turn infected computers into sources of spam, viruses and security attacks, are being released by at least two separate groups. Now newer versions of one group's worm include the ability to disable earlier versions of the other group's infection. "The W32/Zotob-F worms (also known as Bozori) attempts to remove infections by earlier versions of the Zotob worm and other malware, so it can take control of the compromised computer for itself", a Sophos news item stated. F-secure's Weblog confirmed this and added "It seems there are two groups that are fighting: IRCBot and Bozori vs Zotobs and the other Bots."

Gregg Keizer of TechWeb News draws parallels between the current events and a prior example of criminal activity; "The most notable back-and-forth between [virus and worm writers] was in early 2004, when the writers of the Bagle and Netsky worm families engaged in a long-running tit-for-tat exchange where each tried to delete the other's code. The battle led to a veritable flood of malicious code that [lasted] weeks." While some see a repeat of those events, other experts indicate that the current situation is "business as normal" for the criminals that create these "bot networks".

A statement from Kaspersky Lab stated that confusion over the naming of the worms has combined with overzealous reporting by infected news organisations to create confusion as to the magnitude of the attack. At this stage they are not calling it an epidemic.

All of these worms currently exploit the MS05-039 Plug and Play vulnerability, for which a patch has already been released.