Living On Borrowed Time…

Sasser is currently hitting hundreds of thousands of Windows 2000 and XP PCs worldwide.

What I find amazing is that, with the exception of the recent Witty worm (which was rather nasty in several worrying respects), no “successful” worm has yet had a destructive payload. Of all the different groups who have written worms, or had access to the source to produce their own variants, none has decided that they are angry enough to do some serious damage. And I can’t figure out why.

Is there some sort of hidden honour-among-thieves agreement between the major virus writers not to destroy? Is it because they are too busy making money setting up botnets and selling them to spammers?

Whatever the reason is, the world is living on borrowed time. A worm as successful as Code Red, with a “spread for 12 hours then corrupt the hard disk” payload would cause uncountable economic damage.

5 thoughts on “Living On Borrowed Time…”

  1. I guess worms without any destructive payload have a better chance to remain unnoticed. Additionally, keeping an infected system runnable allows longer “lifetime” of the whole worm population – if the system dies after a specified time after the infection, chances are it could not infect many others, so the worm could perhaps become extinct. However, I also think it’s only a matter of time until someone decides to make a destructive worm with a countdown-time of, let’s say, 3 days…

    Another issue is: what would worm writers gain from destroying ordinary users’ systems? Might be more interesting to open backdoors on infected systems, to use them in a DDOS attack against a single target (fill in MS, SCO or any other company someone might hate) or for spamming…

  2. I’ve heard it said that most of the big viruses like myDoom are actually commissioned by organised crime groups. So these people might actually be employed to write viruses. And as noted, there is no profit in destroying someone’s computer when you can use it as a zombie instead.

  3. Jens: there are lots of groups who would feel they gained from destroying users’ systems. For example, what if Hamas acquired virus-writing skills, and wrote a payload to nuke the hard disk immediately if the local language was set to Hebrew?

  4. Interesting (mathematical) question here: What is the optimum countdown time here?
    If it’s too short, the worm can’t spread very efficiently, many people will notice it quite fast and countermeasures are taken very quickly.
    OTOH, if the time is too long, the worm may spread very far. However, it poses the risk that an effective antidote is ready before lots of damage is done.

  5. Maybe all of the people actually writing the viruses (as opposed to the people who hire them) actually use the internet for their own purposes too, and depend on it to an extent. They don’t mind crippling it with bandwidth-chewing worms, but (out of pure self-interest) they’ll stop short of something that might destroy it altogether.

    Of course, there are a lot of fairly malicious payloads that might not cause a net-wide shutdown. What about those e-mail viruses a couple years ago that mailed private documents to random recipients?