Regardless, broadly distributing the source code is like a parking attendant throwing keys to would-be joyriders. With the source code in their hands, less-sophisticated hackers can do some damage without having to do all the work.
The new versions, Bagle.ad and Bagle.ae, rolled out over the weekend, and both are similar to earlier variants.
Bagle first hit the Internet in January and for weeks served as a weapon in a tit-for-tat hacking squabble between the Netsky worm maker and the Bagle author. Bagle is a mass-mailing worm that spreads through E-mail and shared folders, including those used by popular peer-to-peer file-sharing networks such as Kazaa.
"I'd bet the [Bagle] author is putting down a smoke screen," says Joe Telafici, the director of operations for McAfee Inc.'s antivirus research team. Many people would have the source code on their computers, making it harder to finger the culprit.
A similar motive is thought to be behind the release of the Netsky source code in March, although that didn't save the alleged author from arrest in Germany several weeks later.
Whatever the motive, the Bagle author has made the source code available to "plenty of script kiddies," Telafici says. Script kiddies is a derogatory term for neophyte hackers who don't create original work.
Other worms have distributed source code, including February's Doomjuice, which sent out the source for the MyDoom worm. Almost immediately, additional MyDoom variants hit the Net.
Telafici expects the same to happen with Bagle. "Pretty quickly, we'll see trivial modifications of that source," he says, "with changes like new backdoor ports or backdoor passwords." Detecting these kinds of changes is comparatively easy.
But "someone sharp will pick it up and do something not trivial," he says. That could mean modifications that make the worm difficult or impossible to catch without revising antivirus signatures, a time-intensive process.
Like most worms, Bagle hijacks E-mail addresses from infected machines to continue its spread and tries to terminate a host of antivirus and firewall software. It also opens a backdoor (port 1234 for both of the new Bagles, for instance) through which other code can be introduced in order to turn the PC into a spam proxy or a host for denial-of-service attacks.
But the worm has been quiet for more than two months. Was its creator on vacation?
Nope, Telafici says. Just lying low. "It's pretty normal for worm authors to take a hiatus in the wake of a major arrest. You'll typically see a quiet period for a couple of weeks or months." Telafici attributes the Bagle blackout to the high-profile arrest of a suspect in the Netsky affair.
For now, Bagle is back.