
Cyber crooks are battling for botnet supremacy, say security experts
By Joris Evers
Published: 18 August 2005 08:55 GMT
The recent surge in worms could be part of an underground battle to hijack PCs for use in net crimes, some security experts say - but others aren't convinced.
Signs of a turf war between cyber crooks lie in the behaviour of the worms that have emerged since Sunday, according to Mikko Hypponen, chief research officer at F-Secure, a Finnish security software company.
The dozen or so worms and variants all exploit a security hole in the plug-and-play feature in the Windows 2000 operating system. But some versions undo the effects of earlier worms, suggesting the creators are battling to take over computers that others have already compromised, Hypponen said.
"We seem to have a botwar on our hands," he said. "There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines."
The first worm, dubbed Zotob, emerged on Sunday and appeared to have faded on Monday. However, several Zotob offshoots and another new worm, Bozori, were subsequently unleashed. New versions of pre-existing threats (CodBot, IRCBot, Rbot and Sdbot) also began wriggling their way into computers. Systems at ABC, CNN and The New York Times were hit.
The worms include "bot" code, or a program that lets the attacker control a compromised system remotely. Criminals have typically organised these hijacked systems in networks called "botnets". These botnets are rented out to relay spam and launch phishing scams, which attempt to steal sensitive personal data for fraud. Botnets have also been used to mount denial of service attacks against online businesses targeted by extortion schemes, experts have said.
The outbreak has a financial motive, according to Sophos, an antivirus company based in Abingdon, England. Graham Cluley, senior technology consultant at Sophos, said: "Organised criminal gangs are behind attacks like these, and their motive is to make money. Owning a large network of compromised computers is a valuable asset to these criminals."
A botnet of about 5,500 "zombies", or compromised computers, typically costs spammers, phishers or other crooks about $350 per week, security company Symantec has said.
The worm battle has likely only just begun, according to Alex Shipp, a senior antivirus technologist at MessageLabs, an email security company. He said it is likely there will be a period of intense activity in malicious software attacks as these groups vie for "pole position".
Battling worms are not new. Last year, the creators of Bagle, MyDoom and NetSky appeared to be in competition to gain control of large numbers of PCs for use in botnets.
But not everybody is convinced that the same kind of turf war is happening now. Stefana Ribaudo, a director in the threat management sector at Computer Associates, said the company had not seen any viruses or worms that try to detect or remove other worms.
Lysa Myers, a virus research engineer at security software maker McAfee, agreed there were no real signs of a struggle to control botnets. "This particular worm outbreak is so small that there really is no room for an offensive strategy," she said.
If there is anything going on, it is just an underground rivalry, said John Pironti, a principal security consultant at Unisys, an IT services company in Blue Bell, Penn. "Attackers like to boast about how many machines they have under their control," he said. "What you are potentially seeing is that it is a contest."
If the purpose was really to expand botnets, attackers would use more sophisticated methods that fly under the radar of antivirus companies, Pironti said.
Joris Evers writes for CNET News.com