From Spam Daily News

Bot herders issue patches to zombie computers
Posted on April 18, 2006

Computers infected with variants of the Bagle worm began downloading a new tool used by hackers to send out spam.

New updates to the Bagle worm appeared on thousands of the infected PCs this Sunday night and began downloading a tool that spammers could use in order to send unwanted e-mails, according to Mikko Hypponen, chief research officer for F-Secure.

"Instead of starting from scratch with a new virus and hoping it will replicate, they simply upgrade all the machines that are currently infected with a new version of the virus," said Hypponen. "They've programmed the virus to contact the central website to see if there's an update available and if there is, they will download and run this new malicious code."

Hypponen explained in an interview with Datamation that if a computer is infected with a variant of the Bagle worm, the virus writers can push out other malicious pieces of code, which are generally used to send out spam, to those machines. The infected computers become networks of remotely controllable machines -- or botnets.

The gang of virus writers makes its money by selling access to those botnets to spammers who then use them to send out millions of pieces of unwanted bulk email.

"They are cooperating with spammers and, increasingly over the last 12 months, are operating with phishers," said Hypponen. "Most of the phishing emails you're seeing are coming through botnets built with programs like the ones with the Bagles."

A sign of the gang's sophistication is that they've designed the system so that each download of the revised code is different from the last. That is making it harder for anti-virus companies to combat it.

"If you actually go and visit this malicious website and download the program, and then later download it again, it would be a different file," Hypponen said. "Every user would get a different copy of the program. ... I downloaded several hundred copies of the file and each one was different."
SOURCE: esecurityplanet.com