We all remember last year's cyber wars between the authors of Bagle, NetSky and Mydoom. That particular war is over. But was it a fluke or merely the first war between virus writers going commercial?
Just last week, when I was at CeBIT, I talked about new cyber wars. What do I mean? Cyber space is limited only by the number of machines connected to the Internet: some are protected well, but some are not – they are 'infectable'. What happens when cyber criminals infect most or all potentially vulnerable machines?
For example, take a computer with a spam proxy Trojan infection. Someone is making money from this infected machine. Then imagine the same machine with 10 proxy Trojans installed. Will the Internet connection be good enough to support 10 different spammer bots? Probably not. So what will spammers do to continue making money? Exactly: they will remove competitors.
And this is happening every day now. We've just detected a new Proxy Trojan – Trojan-Proxy.Win32.Small.bi, which removes a number of exe files with Trojan-like names prior to installation.
We're seeing adware controllers do the same thing. More and more of the adware samples we receive in our Virus Lab begin by removing competitor adware before installation on the system.
Two different cyber battles already. Hacker/spammer groups are fighting each other. What next?
My prediction would be that after the smaller gangs fight it out among themselves, the winners will absorb the losers and we will see several well organized and large e-gangs emerge instead of the dozens of small groups we have today. Yet another step in the direction of organized cyber crime.
For the first time in my life, I am seeing different AdWares fight each other. A new 21KB Win32 executable first removes data files and registry keys which belong to EliteBar AdWare (according to KAV anti-AdWare databases) and then opens one of two Ad URLs. It seems that the AdWare market is going to be a hot one and different AdWare coders face a lot of competition from each other. Obviously they will fight. Remember the Bagle-NetSky-Mydoom war?
We detect this adware as TrojanClicker.Win32.Agent.af.
We detected a new variant of Zafi today, Zafi.c. The first two Zafi variants spread widely, so we plan to keep a close eye on how things go.
It seems that Zafi.c was written in Hungary. The difference between Zafi.a and Zafi.b is that the author decided to join the cyberwar between the Mydoom, Bagle and Netsky authors. He included the following message: