Virus Wars Episode II

We all remember last year’s cyber wars between the authors of Bagle, NetSky and Mydoom. That particular war is over. But was it a fluke, or merely the first war between virus writers going commercial?

Just last week, when I was at CeBit, I talked about new cyber wars. What do I mean? Cyber space is limited only by the number of machines connected to the Internet: some are protected well, but some are not – they are ‘infectable’. What happens when cyber criminals infect most or all potentially vulnerable machines?

For example, take a computer with a spam proxy Trojan infection. Someone is making money from this infected machine. Then imagine the same machine with 10 proxy Trojans installed. Will the Internet connection be good enough to support 10 different spammer bots? Probably not. So what will spammers do to continue making money? Exactly: they will remove competitors.

And this is happening every day now. We’ve just detected a new Proxy Trojan – Trojan-Proxy.Win32.Small.bi – which removes a number of exe files with Trojan-like names prior to installation.

We’re seeing adware controllers do the same thing. More and more of the adware samples we receive in our Virus Lab begin by removing competitor adware before installation on the system.

Two different cyber battles already. Hacker/spammer groups are fighting each other. What next?

My prediction would be that after the smaller gangs fight it out among themselves, the winners will absorb the losers and we will see several well organized and large e-gangs emerge instead of the dozens of small groups we have today. Yet another step in the direction of organized cyber crime.
