Is Netsky code spreading online?

Security experts suspect that the author of Netsky, which has been one of the most successful pieces of malware this year, is distributing the worm's source code among the black-hat community.

On Tuesday, the eleventh incarnation of the Netsky worm (Netsky.K) was found to contain a message from its author saying there would be no more variants. However, the note also indicated that the worm's source code would be published, which could allow any number of people to develop their own version of Netsky. Since then, Netsky.L and Netsky.M have been discovered and security researchers say they show signs of being written by a different author.

Mikko Hyppönen, director of antivirus research at F-Secure, said although the latest variants seem to have been written by a different person, he has not found any proof that the code is being distributed: "We haven't seen the source code in any of the typical places where we would expect to see it but we have been talking to our informants from the underground."

Graham Cluley, senior technology consultant at Sophos, also admitted that he could not confirm that the source code has been published on the internet, but suspects it is being sent to small mailing lists: "We have no proof that the source code is out there but our suspicion is it may be available to just a small number of people because the Netsky.L and Netsky.M versions look like they have reused the source code to an extent."

Until Tuesday, all of the Netsky worm variants contained text that insulted the authors of the MyDoom and Bagle worms. But the last two variants of Netsky have not included this "childish banter".

"We don't think they are written by the same guy because a lot of the childish banter isn't there, the anti-Bagle attack isn't there and, most importantly perhaps, the reference to SkyNet, which has been included in all the other variants isn't in there either," said Cluley.

But Hyppönen said there is a possibility that the author is simply wants it to look like he is no longer creating new variants: "It looks like either this guy is releasing new versions and trying to make it look like he is not doing it or - and this I think is more likely - he has distributed the code to a small group and the variants are coming from there."

Even if the code is distributed, Cluley doesn't think it will result in a deluge of Netsky worms: "This doesn't necessarily mean we will se a glut of new worms that will have the same impact as the original Netsky because there are lots of other virus source codes available on the Internet. But the Netsky.L and Netsky.M variants haven't spread as far as the earlier ones, possibly because the original author of Netsky had a better system for distributing the virus."

However, Hyppönen admits that if the source code was published, it would be "hot stuff" as far as the malware writing community was concerned: "I would have thought the source code from Netsky is hot stuff because the worm has been so successful," he said.