BATTLE OF WORMS IN 5 ACTS

PRELUDE: THE WORST EMAIL WORM IN HISTORY

The fastest spreading worm ever emerged from nowhere on Monday, January 26th, 2004. Shortly after its release into the wild it accounted for around 30% of email traffic worldwide. Correct. Almost 30% of the whole email traffic in the world was solely caused by this very worm. The hero of the day was later called Mydoom.

Mydoom spread through email and – popular at the time – Kazaa Peer-To-Peer network. Most of the email subjects suggested transmission errors, mail delivery failures, tests or server reports. The lure was to open an attachment, which, when executed, sent out the worm through user’s address book and network shares.

Opening of the attachment led to two adverse activities. Firstly, any infected machine was used for a DDoS (Distributed Denial of Service) attack on 1st of February 2004 against the SCO Group, American software company. Secondly, a backdoor listening on the first available TCP port between 3127 and 3198 was installed. The latter enabled an adversary to turn an infected machine into a proxy, but also opened the doors for executing any additional malicious pieces of code.

Soon it was not only about the SCO Group. The second variant went bigger targeting Microsoft. Both to-be-victims offered $250 000 for any information leading to the arrest of the worm creator. There was FBI involved and a lot of publicity.  

Despite the overwhelming sense of urgency on the defense side, Mydoom – using over one million machines – managed to take down the SCO domain. It did not work with Microsoft though. They managed to prepare themselves well enough.

Both variants had their expiration date hardcoded. The first one retired on 12th of February. The second one on the 1st of March. Was it supposed to be one-time shot? With a specific purpose, written on demand? There was a clue indicating such a scenario. Take a look:

andy; I’m just doing my job, nothing personal, sorry,

This was the message embedded in the code of the worm. This ‘job’ caused billion dollars’ worth losses around the globe. At the time Mikko Hyppönen described Mydoom as ‘the worst email worm incident in history’. Well… actually the real fun was just about to start.

ACT 1: NETSKY CHASING DOWN MYDOOM

There were just about a bit more than two weeks of peaceful spreading of Mydoom. Almost uninterrupted. Full success leaving thousands of backdoors operating on infected machines. Until there was Monday, 16th of February 2004. Can-you-top-this game started-off.

Out of nowhere emerged a 17-year-old German malware enthusiast Sven Jaschar and his creation – NetSky. Another network-spreading worm, which managed to easily distribute itself worldwide. Another one luring its victims through social engineered emails. With just one difference. NetSky was literally chasing down Mydoom. Its sole purpose was to remove or disable it.

The real playground-style brawl started on Wednesday, 25th of February. This is what was found inside the code of NetSky.C:

We are the skynet – you can’t hide yourself! – we kill malware writers (they have no chance!) – [LaMeRz–>]MyDoom.F is a thief of our idea! SkyNet AV vs. Malware.

Pretty compelling, right?

ACT 2: BAGLE JOINS THE PARTY – WANNA START A WAR?

The more the merrier. NetSky was actually hunting down not only the famous Mydoom. In fact, there was yet another target – Bagle. One more network-spreading worm, with its own SMTP engine, joyfully installing backdoors.

Different variants of Bagle started popping out already mid-February, competing with self-proclaimed saviour on a daily basis. It was Tuesday, 2nd of March when it really started to get juicy. Let’s give the voice to both runaways:

Hey, NetSky, fuck off you bitch, don’t ruine our bussiness, wanna start a war?

Bagle.J

To netsky’s creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app.

MyDoom.G

No doubt both sides enjoyed it. Wednesday, 3rd of March:

Skynet AntiVirus – Bagle – you are a looser!!!!

NetSky.F

Hey, NetSky, fu** off you bitch!

Bagle.J

And there was a Monday, 8th of March. Could it be the end? NetSky author was apparently signing off. Following message was embedded in the .K variant:

We want to destroy malware writers business, including Mydoom and Bagle… This is the last version of our antivirus. The source code is available soon.

At the time, March 2004, the situation was pretty obvious. Scattering of malware writers were disturbing the whole internet. Unpunished. Playing the cat-and-mouse game with all the antivirus world.

ACT 3: NEVER SEEN ANYTHING LIKE THAT BEFORE

Different variants of all three worms were popping out like crazy. More and more machines getting infected every day. Instant reactions for any move made by the greats of antivirus world. This is how Mikko Hyppönen, Chief Research Officer at F-Secure, described it:

Whoever is behind it is sitting around waiting for us to respond. If the target is to exhaust the antivirus people, he’s succeeding at it. My team is really tired. We are working through the night and the weekends.

Mydoom developed into at least 10 different variants. NetSky entertained itself with 31 incarnations. Bagle beat them all. Variants could go through alphabet several times.

Is there anything that could possibly go worse? Well… Sven Jaschar – the author of the NetSky – decided to enter the battlefield once again. No doubt he had a pretty impressive entrance. Firstly observed on 30th of April, Sasser worm was immensely successful in terms of its distribution. Using the LSASS buffer overflow vulnerability Sasser managed to infect millions of machines. The .E variant was the first one to directly attack and annihilate Mydoom and Bagle.

The Worm War started to faded out though. Neither NetSky nor Sasser managed to significantly disturb proliferation of Mydoom and Bagle. In fact, Sasser caused so much damage around the world – including grounding airlines and temporarily shutting down Sampo Bank’s offices – its author was tracked down and brought to court.  

Obviously, all characters of this story outreached their initial intentions. In fact, 15 years later they have still pretty decent record of persistence.

CLOSING: THEY’RE STILL OUT THERE

Mydoom took down Google site on 26th of July 2004. For most of the day the site was inaccessible. The code was reused in July 2009 for cyberattacks on South Korea and United States. As reported by Palo Alto Networks one percent of all emails containing malware sent during 2019 have been Mydoom emails.

Bagle worm evolved into the Bagle botnet. Mostly involved into proxy-to-relay email spam. As reported by SC Magazine UK: the botnet was responsible for about 10.39% of the worldwide spam volume on December 29, 2009, with a surge up to 14% on New Year’s Day.

Something more up to date? In December 2018, the Comodo Group indicated that the very first two variants of the worm, Bagle.A and Bagle.B, still arrive in people’s inboxes.

Mydoom is still considered to be the worst email worm incident in history. The Worm War fueled evolution of the Bagle so heavily, it’s difficult to count its variants anymore. The War itself became the very first immensely impactful playground at the expense of millions of unaware internet users across the world. The dust has settled. Worms, however, remain restless.

Maciej Szulejewski

When creating this article, I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used NetSky author signs off, War of the worms turns into war of words, German police arrest Sasser worm suspect from theregister.com, Virus writers trade insults as e-mail users suffer from nbcnews.com, The Stealthy War Between Virus Creators from abcnews.go.com, Virus writers exchange coded insults from zdnet.com.