The authors of a new variant of the NetSky virus are claiming authorship of Sasser.D as well, and security vendors confirm the two share some coding similarities. That raises the possibility of Sasser becoming “serial malware” along the lines of NetSky, which is now at version 30.
One of the most prolific families of serial malware is the Agobot/Gaobot/Phatbot trojan, which is also exploiting the LSASS hole. These stealthy trojans are among the favored tools of hackers operating networks of compromised Windows machines for Spam delivery or DDoS attacks. An analysis by LURHQ notes that Phatbot possesses “the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system.”
Agobot/Gaobot/Phatbot is a primary example of the effectiveness of “open source malware,” with a recent version of Agobot being released under the GNU Public License. Tuesday the source code for Phatbot was released on mailing lists. “The pack includes not only the source code but also documentation and some html FAQs,” said the SANS Institute. “More variants are expected.” Which means additional features, according to LURHQ: “With time, the more effective bots become increasingly popular, leading to additional development from secondary developers who provide ‘mods’ to the bots.”