March 1, 2004
A wave of worms that started Friday, gained speed over the weekend, and kept growing on Monday sent security vendors flooding customers with alerts and has business users scrambling to update their virus definitions.
Six new variations of the Bagle worm have been spotted--Bagle.c, Bagle.d, Bagle.e, Bagle.f, Bagle.g, and Bagle.h--as well as two new versions of the Netsky worm, Netsky.d and Netsky.e. "This is just an unprecedented number of variations," said Vincent Gullotto, VP of McAfee's Avert team, the company's virus-research arm. "We've released more emergency alerts to our customers in the first eight weeks of this year than in all of 2003, and I don't see any signs of it slowing."

Ken Dunham, director of malicious code research at iDefense, seconded the notion. "It's like a tsunami, with all the variants crashing down at once," he said.

The eight new worms since Friday all deliver their payloads masked as file attachments to E-mail messages, although their subject headings, message text, and file attachment names and types differ. Gullotto said all include a backdoor component that opens up infected machines to further exploitation or attack, and all spread by hijacking E-mail addresses from the infected system and using their own SMTP engine to spawn more copies.

Some have been marked as more serious threats than others by various security firms. Symantec, for instance, tagged Bagle.c, Bagle.f, and Bagle.g with a "2" on its 1 through 5 scale, but marked Bagle.e as a "3." (Symantec uses a slightly different nomenclature for the worm, calling it Beagle rather than Bagle.) Network Associates, however, stuck its "Medium" label on Bagle.c and Netsky.d, but gave the others a ranking of only "Low." "The differences are all due to prevalence," Gullotto said in explaining the varying alert levels.

Netsky.d, discovered Monday, seems to be among the fastest-spreading of the new wave of worms. According to Finnish security firm F-Secure, Netsky.d is accounting for more than 43% of all virus samples. Sophos, another security firm, noted Monday that Bagle.c is especially prevalent.
Although they're not spreading as quickly, Bagle.f and Bagle.g are particularly cunning, according to Sophos. Their payloads are tucked within password-protected ZIP files, which means that most virus-scanning software can't detect the worm inside the archived file. However, the E-mail message contains the password--another trick the worm writers are using to get users to open the attachment.

Although opinions are mixed on whether some of the variants (of Bagle, for instance) may have been created by the same hacker--even Gullotto said the indications are as yet unclear--what is certain is that a battle over malware market share continues between hackers. "It's interesting to note that a variant of Netsky attempts to remove a recent variant of Bagle, Bagle.c. It looks like a turf war out there, with the bad guys fighting over the infected computers," Dunham said.

Hackers are squabbling over the network of infected machines, added Gullotto, because those machines are all open to other exploits by virtue of the backdoors that worms now plant. "This is not a new trend; it's been highly used for the last two years, but it's simply not been as prevalent as it is now," he said. "Hackers are slowly but surely pushing out more compromised machines."

And that's not good. "It doesn't bode well for the future," said Gullotto, noting that the larger the pool of compromised machines, the more likely hackers and spammers can turn those systems into proxies--or attack with more virulent tools.

Security companies across the board reacted to the worm wave by rushing out updates to their virus definitions and urging users to update as soon as possible. The wave is dangerous, Gullotto concluded, because it stretches the resources of companies as they try to keep up with all the worms and implement new virus definitions. "It's getting a lot tougher keeping up with [new worms] at the corporate level," he said.