India/Pakistan Virus Writers Take War Online

What started out as a war of words between two rival hacker groups has escalated into the release of a worm.
What started out as a war of words between two rival hacker groups has escalated into the release of a worm.

Yaha-Q, a variant on the Yaha virus which was detected in June of 2002, was recently launched into the wild as the latest chapter in a battle between a group of Indian hackers and a rival group in Pakistan.

Several antivirus companies have classified the variant as a low-grade threat. But at least one virus tracker says he worries that releasing a virus as part of a turf war could set a bad precedent for future feuds, especially in times of political and military upheaval.

''The Indian Snakes gang claims that this is not a political spat, rather a battle to establish cybercrime supremacy,'' says Chris Wraight, a technology consultant at Sophos, Inc., an antivirus company based in Lynnfield, Mass. ''It's a shame that this dispute between rival cyber criminals is being fought on the PCs of innocent computer users... Usually groups like these might bicker in chat rooms or try to bring down each other's Web sites. If this was a quickly propagating virus, everyone could be brought into the fray.

''Based on world events, there's the possibility that we'll see more of this,'' adds Wraight.

The Indian Snakes released the Yaha-Q variant in retaliation against a group of Pakistani hackers who had defaced Web sites based in India. The worm is designed to launch a denial-of-service attack against five Pakistani Web sites. It also carries a number of payloads, as well as messages to the Pakistani hackers, a U.S.-based virus expert, and to a virus writer who had disparaged the group.

The Yaha-Q payloads include the ability to shut down about 20 different applications, including personal firewalls and antivirus software, according to Tony Magallanez, a system engineer with Finland-based F-Secure Corp. It propogates itself through email, picking up addresses from the infected systems' Outlook address book.

Sophos' Wraight says on Wednesdays the worm triggers a denial-of-service attack from each infected system. But Magallanez says the denial-of-service attacks haven't been causing much damage and the worm has been slow to spread.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.