Now that the Netsky worm has thrown up its 28th variant, AB, at least one specialist on viruses and spam is questioning whether the worm has a more nefarious purpose than seemed at first sight.
Garry Sexton, who is the Asia-Pacific head of spam filter company Brightmail but formerly worked for anti-virus firm Symantec, suggests that Netsky’s collecting of email addresses may not be simply in the cause of further propagating itself. It may be harvesting the addresses for delivery to spammers.
The worm has no evident damaging payload, yet it has been painstakingly crafted through 28 variants in order to defeat filters and keep spreading, Sexton says. This suggests it must be offering a real payback to someone, somewhere.
Local anti-virus consultant Nick FitzGerald, however, doubts Sexton’s theory. If Netsky had code in it that collected addresses for spammers, he says, someone would have found out before now.
The 28th variant is not a record, FitzGerald says. “Melissa, the original mass-mailing worm, went through more variants than that.” But Melissa, he acknowledges, was rather easier to alter, since, as a macro virus, it had its source code embedded in it. Some mutations, indeed, are believed to have been created “naturally”, through bugs in Microsoft Word changing the macro code.
Netsky, however, provides no source code, so tailoring further variants is a much more difficult job, he says.
Unless, of course, all the variants are coming from the same original source.
FitzGerald acknowledges that there has been a shift in virus-writing from the purely mischievous and those showing “clever” tweaks the authors can brag about, to attempts to get a real return on investment. Since SoBig last year, a growing aim has been to create collections of compromised PCs and sell their addresses to people who want to further exploit them. This could include spammers, but they would use the 'zombie' machine as a spam source and not a destination.
The latest Netsky variant uses the unusual Control Panel (.cpl) file as one of the formats of its attachment, but this, FitzGerald says, is a resurgence of a tactic not widely used for some time. It is merely an attempt to sneak an executable file through filters which block attachments with better known executable extensions such as .exe, .com and .pif.
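The filter-evasion point above can be illustrated with a small comparison of two attachment filters. The following is an added example written for this page, not code from the article or from any product it mentions: a naive filter that blocks only the well-known executable extensions (.exe, .com, .pif) is placed beside a hardened one that also knows about .cpl and other executable extensions and, independently of the name, inspects the attachment content for the "MZ" header that every Windows PE executable (including a Control Panel applet) begins with. The file names and byte strings are constructed samples.

```python
# Added example (not from the article): extension-only attachment filtering
# versus a filter that combines a broader extension list with content sniffing.
from dataclasses import dataclass

# What the naive filter described in the article blocks.
NAIVE_BLOCKED_EXTENSIONS = {".exe", ".com", ".pif"}

# Broader set of Windows executable / script extensions. A .cpl file is an
# ordinary PE DLL that Windows loads when the file is opened.
EXECUTABLE_EXTENSIONS = NAIVE_BLOCKED_EXTENSIONS | {
    ".cpl", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js",
}

MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


@dataclass
class Attachment:
    filename: str
    content: bytes


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension, or '' if there is none."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def naive_filter_blocks(att: Attachment) -> bool:
    """Extension deny-list only: a renamed executable such as .cpl passes."""
    return extension_of(att.filename) in NAIVE_BLOCKED_EXTENSIONS


def hardened_filter_blocks(att: Attachment) -> bool:
    """Block on a wider extension list OR on executable content.

    The content check catches an executable hiding behind a harmless-looking
    extension; the extension check still matters because some executable
    formats (.com, scripts) have no fixed magic bytes to sniff.
    """
    if extension_of(att.filename) in EXECUTABLE_EXTENSIONS:
        return True
    return att.content.startswith(MZ_MAGIC)


# Constructed sample attachments (not real files).
SAMPLE_ATTACHMENTS = [
    Attachment("report.pdf", b"%PDF-1.4 constructed sample"),
    Attachment("setup.exe", b"MZ\x90\x00 constructed PE stub"),
    Attachment("document.cpl", b"MZ\x90\x00 constructed PE stub"),  # the .cpl trick
    Attachment("photo.jpg", b"MZ\x90\x00 constructed PE stub"),     # PE with fake extension
]


def filter_report(attachments):
    """Map filename -> (blocked by naive filter, blocked by hardened filter)."""
    return {
        a.filename: (naive_filter_blocks(a), hardened_filter_blocks(a))
        for a in attachments
    }


if __name__ == "__main__":
    for name, (naive, hardened) in filter_report(SAMPLE_ATTACHMENTS).items():
        print(f"{name:14} naive_blocked={naive!s:5} hardened_blocked={hardened}")
```

Running it shows the naive filter stopping only setup.exe while document.cpl (and the PE renamed to .jpg) sail through; the hardened filter blocks all three and still passes the PDF. Content sniffing and the extension list complement each other: the header check is what defeats renaming, and the extension list is what covers formats with no reliable magic bytes.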