The astonishing evolution of NETSKY
NETSKY tells us that worms now evolve rapidly. In a matter of weeks they can become more complex, more infectious and – no surprise - nastier.
There was a day a few weeks back when I received 17 emails. Three were requests for my help in recovering $12,000,000 why is it always $12,000,000? somehow overlooked in bank accounts in Nigeria/Abu Dhabi/The Netherlands. Two were automated mails from virus checkers warning me my computer was infected with a virus (it wasnt). The rest were copies of a computer worm, NETSKY.P.
Over the next few days I received another twenty or thirty infected e-mails. I wouldn't mind so much, but I already had a copy of NETSKY. The D variant had turned up in my mailbox a couple of weeks earlier. However, it got me thinking how might 'P' differ from 'D'? Why had the virus writer released so many versions? Bug fixes? New "features"? Indeed, did worms evolve or were the differences cosmetic, detail changes to evade virus scanners?
I decided to take a look at NETSKY's "evolution.
Written in C++, using Microsoft's Visual C++ development environment, and spreading itself as a mail attachment and via peer-to-peer networks and shared resources, NETSKY is a common pattern of Internet worm.
It is a worm and not, incidentally, a virus it's important to be clear what we're talking about here. Boot sector and file viruses of the DOS era were not programs per se, but code fragments that inserted themselves into other programs and used the infected program's resources to replicate. Modern Internet worms on the other hand are free-standing programs true executable images containing everything they need to read and write files, manipulate their environment and spread themselves to new hosts. They thus resemble biological parasites rather than viruses.
NETSKY first appeared on the 16th February this year posing as an email from an online auction (eBay, QXL, Amazon, MSN etc.) with a message such as:
You were successful in the auction.
Auction ID 123456
Product ID 123456
A detailed description about the product and the bill
are attached to this mail.
Please contact the seller immediately.
Naturally, someone who hasn't bid in an auction is concerned that a mistake has been made and they click on the attachment to see what it is they've unintentionally bought. Wham - they're infected.
This version created a copy of itself named SERVICES.EXE in the Windows directory and inserted an entry in the Windows Registry:
It could then run automatically whenever Windows is restarted. There was no payload as such, its only purpose being to spread itself as widely as possible.
To that end it searched files likely to contain lists of email addresses, and sent out infected mails to every address it could find. The return address was spoofed, using another address chosen at random from the list. (Hence the mails I received warning me I might be infected the sender had received an infected mail purporting to come from my address.)
The infected attachment often had two extensions, "prod_info_56780.doc.exe" being typical. The idea is that on many Windows systems standard file-name extensions are hidden, so the victim sees an innocuous extension ".doc" in this case, the give-away ".exe" extension being obligingly hidden by Windows itself and assumes it's safe to open the file. In fact one of the simplest actions to help protect against worms is to unhide file-name extensions double-click My Computer (Windows Explorer under Windows 9x), click Tools, Folder Options, select the View tab and uncheck the box "Hide extensions for known file types".
NETSKY also distributed itself via peer-to-peer networks, installing copies of itself in any directories with "share" in the name ('C:\Program Files\My Shared Folder\Kazaa' for example) under the usual honey-pot names such as 'strippoker.exe'.
Its job done, the worm remained resident in memory. The A variant only ran under Windows 2000 and XP.
Despite having no payload other than spreading itself, NETSKY.A is regarded as moderately destructive since it modifies the Windows Registry, occupies memory and uses up Internet bandwidth.
NETSKY.B appeared just two days later. The new version was substantially the same but manifested itself differently, appearing as a friendly mail such as:
i found this document about you
To defeat virus scanners the attachment was sometimes compressed in ZIP format. It now worked on all versions of Windows.
However the most interesting change was that NETSKY.B searched for Windows Registry entries for other worms, specifically MYDOOM and MIMAIL, and deleted them, triggering a flame war with MYDOOM's author(s). It is, it seems, a worm-eat-worm world out there.
The reason for this new feature is interesting MYDOOM and MIMAIL gather lists of email addresses for sale to spammers, a practice NETSKY's author evidently disapproves of.
By March 1st we had reached version D. This was substantially the same as B, but now came as a petite-compressed executable. Once installed it masqueraded as WINLOGON.EXE (several versions of Windows have a legitimate file called Winlogon.exe in the Windows\System folder; NETSKY has always located itself in the Windows folder).
New versions followed thick and fast, sometimes two appearing in a single day, as the war between the authors of NETSKY and MYDOOM hotted up and each MYDOOM modification to evade NETSKY required a corresponding new NETSKY variant.
The K version, which appeared on 8th March, contained a text message indicating it would be the last, but it wasn't.
The P variety that filled my inbox for several days first appeared on 21st March. By now taking on a wide range of forms or posing as bounced mail it installed itself as FVPROTECT.EXE and USERCONFIG9X.DLL. It had also improved its ability to infect target systems by exploiting a known weakness in Internet Explorer (in IE 5.01 and 5.5) that allows the automatic execution of email attachments while an email is read or previewed. The BAGLE, NACHI and DEADHAT worms had been added to its hate-list (BAGLE, a very dangerous worm, like MYDOOM installs a backdoor on infected PCs allowing their use as spam relays or distributed denial-of-service attackers).
Rather sneakily, several forms included the assurance:
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
(or any one of several other well-known antivirus software packages).
On the same theme, it would often pose as a security update, a trick adopted by several worms, with a covering message indicating the recipient's system was infected and the attached file (the worm itself) should be executed to install the latest protection.
New versions continued to come out throughout April, Y appearing by the 20th. It now called itself FirewallSvr.exe but the infection mechanism remained virtually unchanged. However it had added a payload. BAGLE-like, the abuse heaped upon the BAGLE author(s) notwithstanding, it had added a backdoor allowing remote control of an infected PC. The aim appeared to be to launch a DDoS attack against three (apparently innocuous) educational web-sites, in Germany, Switzerland and the US.
The backdoor itself was simple. The worm listened to TCP port 82 and saved all received data into a randomly named .EXE file which it then attempted to execute.
The last time I looked we had reached NETSKY.Z, almost indistinguishable from the Y variant except for using port 665 and giving itself the name Jammer2nd.exe. The inexplicable DDoS attack on the three educational websites remained.
There, then, is the history, so far, of an Internet worm, a story of steadily evolving complexity, nastiness and infectivity. There seems no end in sight.