A change is afoot within the world of worm writers. Experts say that, more than ever, the creation of malicious code is being driven by profit. Worm writers are becoming intent on using malware to steal sensitive data and sell it, rather than vandalizing a Web server to inflate their egos, for example.
"In the past, teenagers would write something just to say, 'Hey, isn't this cool'," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp. "Now, there are worms that go through product development. They are QA'd. New versions are released."
Worms have become vehicles for harvesting credit card and Social Security numbers, and for finding back doors into a company's sensitive data repositories.
Earlier this month, Mimail-I, for example, masqueraded as a bogus membership update from PayPal. It sought to steal credit card information from recipients. The worm writer, however, made a mistake, because online sites won't let people make a credit card purchase without the name and address associated with that card. Hence, Mimail-J followed and asked for such information.
Worms can do several things that can help their creators make money or at least complement their businesses -- including spam businesses -- like dropping spam-routing software on infected systems, which the Sobig worm did.
Another technique is stealing e-mail addresses or other sensitive information, such as credit card numbers and login IDs from infected machines. Bugbear-B, for example, contained a list of domains owned by banks. When it infected a machine on one of them, the worm attempted to turn on the system's modem, which could be used to send data Bugbear collected with its keystroke-logging program.
Worms such as Fizzer can also install HTTP servers on machines. These mini-Web servers can be used to serve pornography or other content.
Lastly, worm writers can also use their creations to target their enemies. For example, Mimail-C attempted to launch a denial-of-service attack on spam blacklist sites like mysupersales.com, spamhuas.org and spews.org.
The shift in focus, from trying to get recognition to trying to make money, complicates the process of combating worms. For starters, worm writers don't want their creations to be featured on CNN. They want them to spread quietly so they aren't detected and neutralized. To escape detection, variants of Sobig actually removed themselves from infected systems after delivering the spam-routing software.
The creators also want to keep a low profile. There hasn't been a Sobig variant since August, probably because Sobig-F made headlines because it clogged networks, racking up more than $1 billion in damage.
"Given the $250,000 bounty on his head, there is an incentive for him to drop off the scene forever," said David Perry, Trend Micro Inc.'s global director of education, referring to the reward Microsoft offered for the capture of the writer of Sobig-F. It's likely that the author or authors of the worms will lie low, he said.
"But if it was an ego-driven writer, then he would eventually show up again to brag about it," Perry said.