New Bagle Worm Is Spreading Its Source Code

Two new versions of the Bagle worm are loose, and some copies of them carry Bagle's unencrypted source code. Shipping the source might be a way of confusing law-enforcement officers: if caught, the author could claim to have been victimized by the source-code-toting worm like everyone else who ends up with the code on their PCs.

Regardless, broadly distributing the source code is like a parking attendant throwing keys to would-be joyriders. With the source code in their hands, less-sophisticated hackers can do some damage without having to do all the work.

The two new versions were rolled out over the weekend, and both are similar to earlier variants.

Bagle first hit the Internet in January and for weeks was one side of a tit-for-tat hacking squabble between the Netsky worm's author and the Bagle author. Bagle is a mass-mailing worm that spreads through E-mail and shared folders, including those used by popular peer-to-peer file-sharing networks such as Kazaa.

"I'd bet the [Bagle] author is putting down a smoke screen," says Joe Telafici, the director of operations for McAfee Inc.'s antivirus research team. Many people would have the source code on their computers, making it harder to finger the culprit.

A similar motive is thought to be behind the release of the Netsky source code in March, although that didn't save the alleged author from arrest in Germany several weeks later.

Whatever the motive, the Bagle author has made the source code available to "plenty of script kiddies," Telafici says. "Script kiddie" is a derogatory term for a neophyte hacker who runs other people's tools and code rather than creating original work.

Other worms have distributed source code, including February's Doomjuice, which sent out the source for the MyDoom worm. Almost immediately, additional MyDoom variants hit the Net.

Telafici expects the same to happen with Bagle. "Pretty quickly, we'll see trivial modifications of that source," he says, "with changes like new backdoor ports or backdoor passwords." Detecting these kinds of changes is comparatively easy.

But "someone sharp will pick it up and do something not trivial," he says. That could mean modifications that make the worm difficult or impossible to catch until antivirus signatures are revised, a time-intensive process.
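The distinction Telafici draws, trivial constant changes versus real rework, is exactly the one an antivirus signature has to cope with. The following is an added illustration, not code from the article or from any antivirus vendor: the byte sequences are constructed stand-ins for a worm's listener-setup code (they are not Bagle's code; the article only says the new variants listen on port 1234), and the two signature styles, an exact byte match and one with the port immediate wildcarded, are hypothetical. It shows why a "new backdoor port" variant is caught cheaply while a rewritten variant is not.

```python
import re
import struct

# Constructed, illustrative byte sequences standing in for the backdoor-setup
# code of a worm. They are NOT Bagle's code; only the shape of the problem is
# real: a stretch of fixed code with one tunable constant (the port) inside it.

def backdoor_stub(port: int) -> bytes:
    """Mimic 'socket(); push <port>; push fd; call bind' with the port as an imm32."""
    return (b"\x6a\x06\x6a\x01\x6a\x02"          # push 6; push 1; push 2 (socket args)
            + b"\xe8\x10\x00\x00\x00"            # call socket
            + b"\x68" + struct.pack("<I", port)  # push <port>  (4-byte immediate)
            + b"\x50"                            # push eax (the socket)
            + b"\xe8\x20\x00\x00\x00")           # call bind

def rewritten_stub(port: int) -> bytes:
    """A rewritten listener setup: same effect, different instruction bytes."""
    return (b"\x31\xc0\xb0\x02\x50"              # xor eax,eax; mov al,2; push eax
            + b"\x40\x50"                        # inc eax; push eax
            + b"\xe8\x30\x00\x00\x00"            # call socket
            + b"\x66\xb8" + struct.pack("<H", port)  # mov ax, <port>
            + b"\x66\x50"                        # push ax
            + b"\xe8\x40\x00\x00\x00")           # call bind

def exact_signature(stub: bytes) -> re.Pattern:
    """Naive signature: the literal bytes of the known sample."""
    return re.compile(re.escape(stub), re.DOTALL)

def port_wildcard_signature(stub: bytes, port: int) -> re.Pattern:
    """Same signature with the 4-byte port immediate replaced by a wildcard,
    so variants that only change the backdoor port still hit."""
    prefix, suffix = stub.split(struct.pack("<I", port), 1)
    return re.compile(re.escape(prefix) + b".{4}" + re.escape(suffix), re.DOTALL)

KNOWN = backdoor_stub(1234)            # the sample the signature was written from
SIGNATURES = {
    "exact": exact_signature(KNOWN),
    "port-wildcard": port_wildcard_signature(KNOWN, 1234),
}

PAD = b"\x90" * 8                      # filler around the stub, constructed
SAMPLES = {
    "original": PAD + backdoor_stub(1234) + PAD,
    "trivial-variant": PAD + backdoor_stub(4321) + PAD,     # only the port changed
    "rewritten-variant": PAD + rewritten_stub(4321) + PAD,  # code restructured
}

def scan(signatures: dict, samples: dict) -> dict:
    """Return, for each sample, the names of the signatures that match it."""
    return {name: [sig for sig, pat in signatures.items() if pat.search(blob)]
            for name, blob in samples.items()}

if __name__ == "__main__":
    for name, hits in scan(SIGNATURES, SAMPLES).items():
        print(f"{name:18} -> {hits or 'no match: a new signature is needed'}")
```

The wildcarded signature costs nothing extra to deploy and absorbs the "new backdoor ports or backdoor passwords" class of edits; the rewritten stub, which does the same job with different instructions, is the case that sends analysts back to write a fresh signature.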

Like most mass-mailing worms, Bagle harvests E-mail addresses from infected machines to find new targets, and it tries to terminate a host of antivirus and firewall programs. It also opens a backdoor (port 1234 for both of the new Bagles, for instance) through which other code can be introduced to turn the PC into a spam proxy or a host for denial-of-service attacks.
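On the network side, the two behaviours above give a defender two very different indicators: the backdoor port, which a trivial variant changes, and the mass-mailing itself, which the worm cannot stop doing. The following is an added example, not from the article or from McAfee: the connection-log format, the hosts, the detection rules and the threshold are all constructed for illustration.

```python
from collections import defaultdict

BACKDOOR_PORT = 1234          # port the article names for the two new Bagles
MASS_MAIL_THRESHOLD = 10      # distinct SMTP servers per host; an assumed tuning value

def flow(ts: str, src: str, dst: str, dport: int) -> str:
    """Build one line of the constructed connection-log format used here."""
    return f"{ts} {src} -> {dst}:{dport} TCP"

# Constructed connection log. 10.0.0.5 is infected with a worm using the
# article's port 1234; 10.0.0.9 runs a 'trivial variant' whose only change is
# the backdoor port; 10.0.0.20 is an ordinary mail client using the corporate relay.
LOG = [
    flow("2004-07-19T10:00:01", "203.0.113.7", "10.0.0.5", 1234),   # operator reaches the backdoor
    flow("2004-07-19T10:00:03", "203.0.113.7", "10.0.0.9", 4321),   # variant: new backdoor port
    flow("2004-07-19T10:01:00", "10.0.0.20", "10.0.0.2", 25),
    flow("2004-07-19T10:05:00", "10.0.0.20", "10.0.0.2", 25),
]
# Each infected host then mails itself directly to a dozen different mail servers.
for n in range(12):
    LOG.append(flow(f"2004-07-19T10:02:{n:02d}", "10.0.0.5", f"198.51.100.{n + 1}", 25))
    LOG.append(flow(f"2004-07-19T10:03:{n:02d}", "10.0.0.9", f"198.51.100.{n + 1}", 25))

def parse(line: str):
    """Split a log line into (timestamp, src, dst, dst_port)."""
    ts, src, _, dst_port, _ = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ts, src, dst, int(port)

def backdoor_listeners(lines, port: int = BACKDOOR_PORT) -> set:
    """Port-based rule: hosts that accept a connection on the known backdoor port.
    Brittle by construction: a variant that moves the port is invisible to it."""
    return {dst for _, _, dst, dport in map(parse, lines) if dport == port}

def mass_mailers(lines, threshold: int = MASS_MAIL_THRESHOLD) -> set:
    """Behavioural rule: hosts opening SMTP to many distinct servers, which an
    end-user PC behind a relay never does but a mass-mailer or spam proxy must."""
    targets = defaultdict(set)
    for _, src, dst, dport in map(parse, lines):
        if dport == 25:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    print("backdoor on", BACKDOOR_PORT, ":", sorted(backdoor_listeners(LOG)))
    print("mass mailers          :", sorted(mass_mailers(LOG)))
```

The port rule finds only the host running the known build; the variant on port 4321 slips past it but is caught by the mailing rule, which is why a network-level response to a source-code release leans on behaviour rather than on the constants the source makes easiest to change.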

But the worm has been quiet for more than two months. Was its creator on vacation?

Nope, Telafici says. Just lying low. "It's pretty normal for worm authors to take a hiatus in the wake of a major arrest. You'll typically see a quiet period for a couple of weeks or months." Telafici attributes the Bagle blackout to the high-profile arrest of a suspect in the Netsky affair.

For now, Bagle is back.
