Computer Crime Research Center


Hacker war

Date: August 19, 2005
Source: BBC News

A war has broken out between hackers behind viruses that exploit a recently discovered loophole in Windows 2000.

The viruses written by the competing hacker groups are fighting it out for supremacy on infected machines.

Some of the variants seek out and delete rival viruses they find on machines they manage to penetrate.

The slew of malicious programs exploiting the loophole caused trouble for many organisations early this week as the bugs began infecting computers.

War zone

A patch for the vulnerability being exploited by the 11 viruses turned out by the rival groups was released on 9 August and code to exploit it appeared only a few days later. The weakness occurs in the Plug-and-Play component of Windows 2000.

The loophole also does affects PCs running Windows XP unless users have installed a security update. The flaw can also be fixed by a patch for Windows 2000.

Although Windows 2000 is the most prevalent version of the operating system used in large organisations, Microsoft said the number of firms infected was relatively low.

The software giant has released a free tool to automatically remove the Zotob worm and its variants from infected PCs.

Now newer versions of the viruses have been created that try to destroy bugs from rival groups, reported security firms Clearswift and F-Secure.

"We seem to have a botwar on our hands," said Mikko Hypponen, chief research officer at F-Secure.

"There appears to be three different virus-writing gangs turning out new worms at an alarming rate," said Mr Hypponen, "as if they were competing to build the biggest network of infected machines."

Variants of the Bozori and IRCbot viruses that exploit the Windows 2000 loophole will delete some of the Zotob, RDbot and SDbot virus programs if they find them on machines they manage to compromise.

Microsoft urged users to turn on auto-updates and make sure anti-virus and other security programs were up to date.

"Our analysis has revealed that the reported worms are variants of the existing worm called Zotob," said the company in a statement.

"Microsoft is working closely with law enforcement to help identify and bring to justice those responsible for this malicious activity."

Separate virus writing groups have used the exploit code to create malicious programs. Earlier this week organisations including the Financial Times, heavy plant maker Caterpillar, ABC News and CNN reported that they had been hit by the viruses.

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo