Bagle Variants Use New Tricks To Sneak Past Defenses

Two versions that surfaced over the weekend package their payloads in password-protected .rar compressed files that businesses may not block at the gateway.
New variants of the Bagle worm have added devious tricks to circumvent defenses and persist on infected computers.

The two new versions, tagged as Bagle.n and Bagle.o, were spotted over the weekend. They use several new tactics to squeeze past anti-virus defenses, among them packaging their payloads in password-protected .rar compressed files.

Unlike earlier editions of Bagle, which tried to circumvent anti-virus software by placing the worm payload into an encrypted .zip archive, the new Bagles may also use a different archive format, .rar, a file type that consumers are unfamiliar with and that businesses may not block at the gateway.

Additionally, Bagle.n and Bagle.o include the password to the .rar and .zip files in the message not as text, but as an embedded graphic, a tactic often used to discourage automated E-mail account creation by spammers or by Web sites to prevent spam bots from harvesting E-mail addresses.

When Bagle first turned to encrypted .zip files to disguise its payloads, anti-virus vendors reacted by scanning the message for the in-text password. Shifting to an image of the password may make it tougher for anti-virus programs to unlock the .rar file and examine its contents before deciding whether it includes malicious code.
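The gateway-side response the article describes, as an added example that is not code from the article, Sophos or any other vendor: a small attachment policy that flags password-protected .zip and .rar archives (which a scanner cannot open) and notes when such an archive arrives together with an image part, the combination the new variants use to carry the password as a picture. The sample message, the placeholder zip entry and the RAR header bytes are constructed here; the "hold any rar the gateway cannot open" rule is an assumed policy, not something the article prescribes.

```python
# Added example (not from the article or any vendor product). Constructed sample mail.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x signature (layout not parsed here)


def zip_has_encrypted_entries(data):
    """True if any zip entry sets the 'encrypted' general-purpose flag (bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def rar_encryption_status(data):
    """'encrypted', 'plain', 'unknown' (RAR5) or None (not a RAR archive)."""
    if data.startswith(RAR5_MAGIC):
        return "unknown"
    if not data.startswith(RAR4_MAGIC):
        return None
    pos = 0
    while pos + 7 <= len(data):
        # RAR4 block: CRC(2) TYPE(1) FLAGS(2) SIZE(2) [ADD_SIZE(4) if FLAGS & 0x8000]
        head_type = data[pos + 2]
        head_flags = int.from_bytes(data[pos + 3:pos + 5], "little")
        head_size = int.from_bytes(data[pos + 5:pos + 7], "little")
        if head_size < 7:
            break
        if head_type == 0x73 and head_flags & 0x0080:  # main header: encrypted headers
            return "encrypted"
        if head_type == 0x74 and head_flags & 0x0004:  # file header: encrypted file data
            return "encrypted"
        add_size = int.from_bytes(data[pos + 7:pos + 11], "little") if head_flags & 0x8000 else 0
        pos += head_size + add_size
    return "plain"


def classify_attachment(name, data):
    """(verdict, reason) for archive attachments; None for anything else."""
    if data[:4] == b"PK\x03\x04" or name.lower().endswith(".zip"):
        if zip_has_encrypted_entries(data):
            return ("block", "password-protected zip: contents cannot be scanned")
        return ("scan", "plain zip: extract and scan the entries")
    status = rar_encryption_status(data)
    if status is None and name.lower().endswith(".rar"):
        status = "unknown"
    if status == "encrypted":
        return ("block", "password-protected rar: contents cannot be scanned")
    if status == "unknown":
        return ("block", "rar the gateway cannot open; held by policy (assumed rule)")
    if status == "plain":
        return ("scan", "plain rar: extract and scan the entries")
    return None


def scan_message(raw):
    """Walk every MIME part and decide whether the message may pass the gateway."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, has_image, blocked = [], False, False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "image":
            has_image = True
            continue
        data = part.get_payload(decode=True)
        if not data:
            continue
        name = part.get_filename() or "(unnamed)"
        result = classify_attachment(name, data)
        if result:
            findings.append((name,) + result)
            blocked = blocked or result[0] == "block"
    return {
        "verdict": "block" if blocked else "allow",
        "findings": findings,
        # encrypted archive plus an image part: the password may be in the picture
        "password_image_suspected": blocked and has_image,
    }


def make_sample_encrypted_zip():
    """Constructed stand-in: stdlib cannot write encrypted zips, so the flag is set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"constructed placeholder, not executable code")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 0x01  # local file header flag
    data[data.find(b"PK\x01\x02") + 8] |= 0x01  # central directory entry flag
    return bytes(data)


def build_sample_message():
    """Constructed message shaped like the variants: encrypted zip plus a picture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content("The archive password is in the attached picture.")
    msg.add_attachment(make_sample_encrypted_zip(), maintype="application",
                       subtype="zip", filename="document.zip")
    msg.add_attachment(b"GIF89a" + bytes(10), maintype="image",
                       subtype="gif", filename="password.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The check never needs the password: the encryption flag in the zip central directory and the RAR header flags are readable in the clear, so a gateway can hold an archive it cannot inspect regardless of whether the password arrives as text or as a graphic.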

However, some security vendors said they've already made adjustments.

"The worm's author is sneakily trying to make it more difficult for anti-virus products to scan inside the password-protected .zip or .rar," Graham Cluley, senior technology consultant at Sophos, said in a statement. "However, Sophos' E-mail gateway products can still intercept and protect against these worms before they reach users' desktops."

The new Bagles may also be harder to eradicate because they randomly attach their code to 32-bit executables on the infected machine's hard drive--including, for instance, Microsoft Word and Internet Explorer--and then re-infect a supposedly cleaned system once the executable runs.

Bagle.n and Bagle.o share most of the traits of the now-known Bagle worm line, including opening a back-door port that may be used to drop additional code onto an infected machine, propagating via E-mail--with a wide variety of subject headings--and attempting to turn off most security software found on the system.

Anti-virus vendors have updated their definition files to detect and destroy the new variants, but the worms are serious enough to have garnered "medium" threat levels across the board.
