New Bagle Worm Is Spreading Its Source Code - InformationWeek


Broadly distributing the source code is like a parking attendant throwing keys to would-be joyriders.

Two new versions of the Bagle worm are loose, and some versions of the worms carry Bagle's unencrypted source code. Attaching the source code might be a way of confusing law-enforcement officers; if caught, the hacker could claim that he or she was victimized by the source-code-toting worm like everyone else with the code on their PCs.

Regardless, broadly distributing the source code is like a parking attendant throwing keys to would-be joyriders. With the source code in their hands, less-sophisticated hackers can do some damage without having to do all the work.

The new versions, and, rolled out over the weekend, and both are similar to earlier variants.

Bagle first hit the Internet in January and for weeks became a weapon in a tit-for-tat hacking squabble between the Netsky worm maker and the Bagle author. Bagle is a mass-mailing worm that spreads through E-mail and shared folders, including those used by popular peer-to-peer file-sharing networks such as Kazaa.

"I'd bet the [Bagle] author is putting down a smoke screen," says Joe Telafici, the director of operations for McAfee Inc.'s antivirus research team. Many people would have the source code on their computers, making it harder to finger the culprit.

A similar motive is thought to be behind the release of the Netsky source code in March, although that didn't save the alleged author from arrest in Germany several weeks later.

Whatever the motive, the Bagle author has made the source code available to "plenty of script kiddies," Telafici says. Script kiddies is a derogatory term for neophyte hackers who don't create original work.

Other worms have distributed source code, including February's Doomjuice, which sent out the source for the MyDoom worm. Almost immediately, additional MyDoom variants hit the Net.

Telafici expects the same to happen with Bagle. "Pretty quickly, we'll see trivial modifications of that source," he says, "with changes like new backdoor ports or backdoor passwords." Detecting these kinds of changes is comparatively easy.

But "someone sharp will pick it up and do something not trivial," he says. Perhaps modifications that can make it difficult or impossible to catch without revising antivirus signatures, a time-intensive process.

Like most worms, Bagle hijacks E-mail addresses from infected machines to continue its spread and tries to terminate a host of antivirus and firewall software. It also opens a backdoor (port 1234 for both of the new Bagles, for instance) through which other code can be introduced in order to turn the PC into a spam proxy or a host for denial-of-service attacks.

But the worm has been quiet for more than two months. Was its creator on vacation?

Nope, Telafici says. Just lying low. "It's pretty normal for worm authors to take a hiatus in the wake of a major arrest. You'll typically see a quiet period for a couple of weeks or months." Telafici attributes the Bagle blackout to the high-profile arrest of a suspect in the Netsky affair.

For now, Bagle is back.
