New Bagle Worm Slams, Then Slows

Bagle.af or Bagle.ab -- different anti-virus firms give the worm different names -- is a typical variant in the Bagle family, said Oliver Friedrichs, the senior manager for Symantec's security response team.

The mass-mailing worm, which carries its own SMTP engine so it can send itself from infected PCs without relying on the victim's mail client or mail server, gathered a head of steam late Thursday when it first hit the Internet, prompting most security vendors to raise their threat levels.

"Bagle.ab appears to be spreading rapidly, outpacing the last several variants," Friedrichs said late Thursday. Symantec then raised its threat assessment from "2" to "3" on its five-point scale. McAfee did the same by tagging the worm as a "Medium" threat.

But by mid-day Friday, the newest Bagle's infection rate had plateaued and was heading down. "It's slowing down," said Friedrichs. "There are a lot of factors that may have contributed to that, but it's impossible to tell for certain. One may be the increased use of heuristic-based anti-virus products."


Heuristic-based anti-virus engines flag potential worms and viruses by their behavior and by suspicious code characteristics, rather than relying solely on signatures that match a known sample, which lets them catch a new variant before a signature for it ships. Most security vendors, including Symantec, have either deployed heuristic engines or are in the process of doing so.

"Although this Bagle never had the potential to rival Sasser, at first it looked like it was going to compare with MyDoom," said Friedrichs. "In the end, though, it's not going to come close."

Bagle.ab/af delivers its payload as an e-mail attachment -- the file can be a .zip archive, which many organizations' mail gateways let through even when they block bare executables -- attempts to disable security software on the infected PC, and also copies itself to shared folders on the network.
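The gateway gap the article points to is that a .zip is waved through while the executable inside it is not inspected. The following is an added example, not code from the article or from any vendor product: it opens an attachment as a zip, lists its members without extracting them, and quarantines the message if any member has an executable extension (including double extensions such as photo.jpg.exe) or is encrypted and therefore cannot be inspected. The extension list, the quarantine policy and the sample archives are constructed for this illustration.

```python
"""Inspect a .zip mail attachment for executable or uninspectable members.

Added example, not from the article or from any anti-virus vendor. The
extension list and the sample archives below are constructed for
illustration only.
"""
import io
import zipfile

# Extensions Windows will run directly on double-click. Constructed policy
# list for this example; a real gateway would maintain its own.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta",
}


def member_is_executable(name):
    """True when the member's final extension is executable (case-insensitive).

    Only the last suffix matters, so 'invoice.txt.exe' is caught while
    'invoice.exe.txt' is not (Windows would open the latter as text).
    """
    basename = name.lower().rsplit("/", 1)[-1]
    dot = basename.rfind(".")
    return dot != -1 and basename[dot:] in EXECUTABLE_EXTENSIONS


def inspect_zip_attachment(data):
    """Return findings for an attachment supplied as bytes.

    The archive is never extracted: infolist() reads only the central
    directory, so a compression bomb costs nothing here.
    """
    findings = {"is_zip": False, "executables": [], "encrypted": [], "verdict": "allow"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not a zip at all; leave it to other checks
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # bit 0 of the general-purpose flag marks an encrypted member;
            # we cannot look inside it, so treat it as suspect
            if info.flag_bits & 0x1:
                findings["encrypted"].append(info.filename)
            if member_is_executable(info.filename):
                findings["executables"].append(info.filename)
    if findings["executables"] or findings["encrypted"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample_zip(members):
    """Build a constructed in-memory archive from {name: payload_bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # constructed samples: one archive hiding an executable, one clean
    suspicious = build_sample_zip({"readme.txt": b"hello", "photo.jpg.exe": b"MZ..."})
    benign = build_sample_zip({"report.pdf": b"%PDF-1.4 ..."})
    print(inspect_zip_attachment(suspicious))
    print(inspect_zip_attachment(benign))
```

This catches only one layer of nesting; a zip inside a zip would need the same inspection applied recursively to each member, with a depth limit so the gateway cannot be tied up by deeply nested archives.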

But like most worms of late, the new Bagle doesn't seem to live only to spread. The worm opens a backdoor on the compromised machine -- TCP port 1080 -- and then notifies the hacker of its success by contacting 141 different Web sites in Germany. "It's essentially phoning home, informing the [worm's] originator that the machine is available. He's obviously harvesting a list of systems to build a large zombie network," said Friedrichs.
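The behaviour described in the last few paragraphs leaves a network footprint that does not depend on any signature: a workstation suddenly speaking SMTP directly to many mail servers (its own SMTP engine), a burst of outbound HTTP connections to many distinct hosts in a short window (the phone-home to 141 sites), and an accepted inbound connection to TCP port 1080 on a machine that has no business listening there. The script below is an added example, not code from the article, Symantec or any vendor: it runs those three checks over constructed firewall log lines. The log format, the addresses, the assumed mail relay address and the thresholds are all assumptions made for the illustration. Note that 1080 is also the port legitimate SOCKS proxies use, so the port check is only meaningful on hosts that should not be proxies.

```python
"""Flag Bagle-style host behaviour in firewall connection logs.

Added example, not code from the article or any vendor. The log format,
every address, the relay address and the thresholds are constructed
assumptions for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# assumed log line shape: "<iso-timestamp> ALLOW|DENY TCP src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

BACKDOOR_PORT = 1080        # listener port the article reports for Bagle.ab/af
INTERNAL_PREFIX = "10."     # assumed internal address space
MAIL_RELAY = "10.0.0.25"    # assumed corporate relay; the only host that should send on 25
SMTP_FANOUT = 5             # distinct port-25 peers before a host is flagged (assumed)
HTTP_FANOUT = 10            # distinct port-80 peers inside WINDOW_SECONDS (assumed)
WINDOW_SECONDS = 60


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        yield ev


def max_distinct_in_window(events):
    """Largest number of distinct destinations seen in any WINDOW_SECONDS span.

    events: list of (timestamp, destination), sorted by timestamp.
    """
    counts = defaultdict(int)
    lo, best = 0, 0
    for ts, dst in events:
        counts[dst] += 1
        while (ts - events[lo][0]).total_seconds() > WINDOW_SECONDS:
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def analyse(lines):
    """Return {host: [finding, ...]} for hosts showing any of the three behaviours."""
    findings = defaultdict(list)
    smtp_peers = defaultdict(set)
    http_events = defaultdict(list)
    for ev in parse(lines):
        if ev["action"] != "ALLOW":
            continue
        src, dst, dport = ev["src"], ev["dst"], ev["dport"]
        # 1. someone reached the backdoor port on an internal host
        if dport == BACKDOOR_PORT and dst.startswith(INTERNAL_PREFIX):
            findings[dst].append(f"inbound connection accepted on tcp/{BACKDOOR_PORT} from {src}")
        # 2. direct SMTP from anything but the relay
        if dport == 25 and src != MAIL_RELAY:
            smtp_peers[src].add(dst)
        # 3. outbound HTTP, evaluated for fan-out below
        if dport == 80:
            http_events[src].append((ev["ts"], dst))
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT:
            findings[src].append(f"direct SMTP to {len(peers)} distinct hosts, bypassing the relay")
    for src, events in http_events.items():
        best = max_distinct_in_window(sorted(events))
        if best >= HTTP_FANOUT:
            findings[src].append(f"HTTP fan-out to {best} distinct hosts within {WINDOW_SECONDS}s")
    return dict(findings)


def sample_log():
    """Constructed log lines for the demonstration (not real traffic)."""
    base = "2004-07-16T10:00:"
    lines = []
    for i in range(12):   # infected host phoning home to 12 sites in 12 seconds
        lines.append(f"{base}{i:02d} ALLOW TCP 10.0.0.7:{3000 + i} -> 198.51.100.{i + 1}:80")
    for i in range(6):    # same host mailing itself out through its own SMTP engine
        lines.append(f"{base}{20 + i:02d} ALLOW TCP 10.0.0.7:{3100 + i} -> 192.0.2.{i + 1}:25")
    lines.append(f"{base}30 ALLOW TCP 203.0.113.5:4444 -> 10.0.0.7:1080")  # operator checks in
    for i in range(8):    # the real relay talking to many MX hosts is normal
        lines.append(f"{base}{40 + i:02d} ALLOW TCP 10.0.0.25:{5000 + i} -> 192.0.2.{50 + i}:25")
    for i in range(3):    # a clean workstation browsing three sites
        lines.append(f"{base}{50 + i:02d} ALLOW TCP 10.0.0.9:{4000 + i} -> 198.51.100.{100 + i}:80")
    lines.append("a line that does not match the format and is skipped")
    return lines


if __name__ == "__main__":
    for host, hits in analyse(sample_log()).items():
        print(host, hits)
```

The relay exception and the fan-out thresholds are the tuning points: a proxy or a mail server will legitimately exceed them, so each check should be scoped to hosts that are expected to be plain workstations.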

The Web sites that Bagle.ab/af contacts include the city of Aachen, the German edition of Lycos' Tripod hosting service, and Lufthansa, the German airline. The sites may have been compromised earlier so that the hacker could retrieve the information sent by infected PCs.

This variant sends data to more than twice as many sites as an earlier edition, proof that the author is serious about collecting systems, said Friedrichs. The most likely use for such a "bot" network is to send out spam, although they can also be used to launch wide-spread denial-of-service (DoS) attacks.

"All of these things continue to come together," said Friedrichs. "Hackers are building bot networks by blending automated tools and worms -- using worm tactics to get the tools out there -- to make a whole new caliber of threats."

Bagle, which first appeared in January, spewed more than two dozen variants in a matter of weeks as its author battled the writer of the Netsky worm for bragging rights. For more than two months, however, no new Bagles appeared. Then, two weeks ago, several versions that included the worm's source code rolled onto the Net.

At the time, experts thought that the hacker responsible for Bagle was coming up for air after the arrest of a suspect in the Netsky case -- Sven Jaschan, a teenager from northwest Germany -- had sent him underground.

Friday, analysts noted that the newest variant is just more proof that Bagle is back.

"Since Jaschan's arrest, the German virus writing community has pretty much gone to ground, with only a few low-impact viruses emerging," said Graham Cluley, a senior technology consultant with Sophos, in a statement. "Bagle.af's bold appearance may signal that German virus writers have not been put off. With luck their new-found confidence will be their downfall."

This story courtesy of TechWeb.