Netsky no longer flying high

The Netsky-B worm took off quickly but has crashed back down to earth.

The worm came on strongly in Europe on Wednesday morning, but it never gained a lot of traction. Its progress certainly pales compared with Mydoom-A, which is the most infectious worm so far this year.

"It looks like it peaked yesterday," said Bruce Hughes, director of malicious code research at ICSA Labs, of Netsky-B. "It's nothing special, just a typical mass mailer."

Netsky-B travels as an attachment to e-mail messages. It can also copy itself via network shares. The worm employs a variety of subject lines and message bodies. "It has a little better social engineering than other worms," said Chris Belthoff, senior security analyst at Lynnfield, Mass.-based Sophos Inc. "But it's nothing terribly sophisticated."

Subjects include "hello," "read it immediately" and "something." The body of the message says "anything ok," "is that true?" or "here is the document."

The attached worm usually came through as an executable file with a double extension such as ".rtf.pif," which should have been suspicious to users.

Given the traction Netsky-B gained, however minor, one can safely say that at least a few people opened and executed the worm. It could spread further by copying itself to shared drives. The worm searches drives C through Z for folder names containing the words "Share" and "Sharing." The worm then copies itself to those folders using a variety of enticing names, such as "programming basics.doc.exe," "cool screensaver.scr" and "winxp_crack.exe."

Netsky-B may have gotten into companies that have abandoned the practice of blocking executable files at the gateway.

"We have a name for companies who think they have a business reason for allowing self-extracting executable files in," said Roger Thompson, vice president of product development at PestPatrol Inc., a Carlisle, Pa.-based developer of security tools. "We call them 'victims.'"

There are ways to safely send executable files that do not put companies at risk of getting worms, Thompson said. Double zipping the files is one such method.
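The gateway-side check implied by the double-extension attachments and the executable-blocking practice described above can be sketched as follows. This is an added example, not code from the article or any vendor quoted in it; the extension lists, function names and the sample message (including the base name "document") are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed gateway blocklist; the article itself names only .pif, .exe and .scr.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
# Harmless-looking extensions placed in front of the real one as a decoy.
DECOY_EXTS = {".doc", ".rtf", ".txt", ".htm", ".jpg", ".pdf"}


def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so drop them before checking.
    base = base.strip().rstrip(". ").lower()
    exts = ["." + part.strip() for part in base.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw):
    """Parse a raw RFC 5322 message and list attachments a gateway should block."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        verdict = classify_filename(filename)
        if verdict != "ok":
            findings.append((filename, verdict))
    return findings


def build_sample():
    """Constructed test message; the payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "read it immediately"
    msg.set_content("here is the document.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="document.rtf.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"BLOCK {filename}: {verdict}")
```

A filename check of this kind only covers attachments sent in the clear; archives need their member names inspected separately.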