Last year's war between the authors of Bagle and Netsky hobbled many an IT shop -- both sides pumping out multiple variants of their worms each week for a time. The last thing network administrators need now is for these malicious scribes to kiss and team up.
Unfortunately, that's exactly what seems to be happening, according to Russian antivirus firm Kaspersky Lab. What's worse is that Zafi's creator and others may be joining them.
IT professionals worry it's another sign malware writers will stop at nothing to cripple their networks and steal vital data.
"When it comes to the e-mail threats, we're well protected," said Adam Nunn, security and corporate compliance manager for Province Healthcare in Brentwood, Tenn. "E-mail security has gotten pretty good. It's the other attack vectors that worry me, like instant messaging."
He cited the Fatso and Kelvir worms as examples. Both have exploited MSN Messenger in the past week.
Tom Kroll, network systems and security administrator for Chicago-based law firm Hinshaw & Culbertson, doesn't worry about most e-mail worms because his shop has layered security and uses Lotus Notes, which isn't compatible with the likes of Bagle. But he's concerned by the increase in backdoor programs that can open networks to real damage down the road.
"There's always something new out there," he said. "IM malware is a fear. You can go to safe-looking Web sites and still get hit with something. Six months from now we can have IM locked down pretty well and something new will appear."
If worm writers are working together, both agreed anything's possible. Not good when you look at what's already out there.
"Put a machine up without antivirus or a firewall and it's loaded with malware after a couple of days," Kroll said. "You can still catch Melissa. All the old stuff is still out there."
Shane Coursen, senior technology consultant for Kaspersky Lab's U.S. branch, said the worm authors probably belong to an underground group. They may not know each other personally, but they're sharing the same data.
"If these guys are actually working together and sharing actual ideas, that's problematic," Coursen said. One grim possibility is that they'll put a software system in place allowing disparate worms created by different people to work together. "It could be a system where the parts change all the time, making it hard to defend against," he said.
The lab concluded a malicious alliance had formed after investigating the recent multi-variant Bagle outbreak:
Kaspersky first detected SpamTool.Win32.Small-B, a malicious program that harvests e-mail addresses from infected machines, on Feb. 15. E-mail addresses of antivirus companies are excluded from the list it compiles, Coursen noted. Further analysis revealed the mass mail of this program was a preliminary stage in the March 1 Bagle attack.
In researching the outbreak, analysts concluded the authors of Bagle, Zafi and Netsky and others are working closely together.
Blended security for blended threats
So what do you do when it seems like the bad guys are hell-bent on cracking your defenses? A blended defense is the best way to battle a blended threat.
"You have to stay continually informed of what's out there so you can take the best preventative measures," said Jim Morrison, an independent IT professional based in Ayer, Mass. "You have to make sure your firewalls and antivirus are always updated. You need security on every server and desktop."
It's also crucial to stay on top of the patch management, Nunn said. "That's the best you can do to protect your network against new attack vectors."