Bagle Worm Seen As 'Blueprint' For Web Criminals

The Bagle worm debuted in mid-January 2004, and according to most anti-virus firms, has been spotted in 60 to 100 variations since then. It's also usually credited with starting the malware-for-profit movement among hackers, who prior to the ground-breaking worm, typically were motivated by notoriety.

Jason Gordon, an analyst with security research firm infectionvectors.com by night, a security consultant to Department of Defense clients by day, spent the last year watching each edition of Bagel, and recently completed the final third of a three-part report.

"In the year since its release," he wrote in that report, "Bagle has had a major impact on the Internet" primarily because it was, and remains, "a leader in the nefarious Web economy of spamming, phishing, and stealing passwords."

Although other worm families have spawned more variants than Bagle, the worm was, said Gordon, the first real confirmation that technically-astute, professional-grade developers had moved into writing malware.

"Bagle may have fooled us into initially thinking that it was all about getting attention, but it quickly became apparent that this was professional software, where the author was adding and disabling different functions," said Gordon. "It's really the first time a virus writer was paying attention to the details, and essentially following the CMMI process."

CMMI (Capability Maturity Model Integration) is a method devised by Carnegie Mellon's Software Engineering Institute for evaluating the maturity of software development.

Gordon pointed out that the writer (or writers, it's unknown if the worm is the work of one, or a group) has constantly and frequently changed the worm to make it more effective, more difficult to detect, and a more lucrative profit center.

"He uses the entire Internet as a beta testing group," said Gordon, who pointed out that some variants -- Bagle.ar in September 2004, for instance -- tested some new features, but not others, to, in essence, trial each new addition separately.

"The built-in expiration dates within the earliest Bagles," added Gordon, "were clearly used because the writer was testing new versions or additions." In fact, by Gordon's chronology, the first three months of Bagle, from January through April 2004, the author was "honing the base functionality, avoiding detection, and building the base of compromised boxes."

Other researchers have remarked on the same theme. Kaspersky Software, an anti-virus firm based in Moscow, released its own overview of Bagle and the network of bots its built, last week.

In early March of last year, for example, the Bagle creator "evidently decided to test anti-virus vendors' reaction speeds," said the Kaspersky report. On that day, 15 Bagle or Bagle-related pieces of code hit the Internet in one 24-hour span.

Fortunately for users and security professionals, the kind of coder (or coders) who wrote Bagle doesn't grow on trees. "I think there's a very small group of developers who are well-enough trained and have the dedication to do what the Bagle author's done," said Gordon.

Dedication is perhaps an understatement. Not only has the author (or authors) of Bagle created numerous variations of the worm, but he (or she, or they) are also behind the Mitglieder family of Trojans. Mitglieder (which means "members" in German) is written using the Bagle source code, but does not self-replicate.

In the latter half of 2004, said Gordon, the Bagle creator started focusing on creating Trojans which in some cases had very specific purposes, like stealing online banking passwords.

Combine the number of Bagle variants with Mitglieder Trojans, said Kaspersky's report, and "the Bagle author is producing new pieces of malware every two days on average."

That leads Gordon to suspect it's not just one person crafting Bagle, but a team. "He'd have to be sitting at his keyboard around the clock to put out that much code."

Bagel's goal, of course, is to make money. "The initial suspicions about Bagel appear to be true: individuals seeking to profit from malware crafted the worm," said Gordon. "In many ways the Bagle history is a blueprint for Web-based criminal success. The coder(s) crafted a well-conceived worm, and then exploited the base of victims to deliver additional 'products' which increase the profitability of the venture."

That's one reason why Bagel is important for researchers to understand, added Gordon: this idea that it's a blueprint for others to follow.

To some extent, that's already happened. The Mytob worm family, which some analysts connect to the MyDoom writers of 2004, seems to be following many of the same process steps and principles that Bagle laid out.

"The final lesson from Bagle," concluded Gordon, "is that profitable malware can be constructed, deployed, and managed as well as profitable security software.

"Many virus analyses focus on the technical magic of a worm and overlook the simple, methodical precision of an author who is motivated by revenue. These authors are less likely to make the mistakes that a careless writer who is seeking attention makes."

Gordon's full deconstruction of Bagle can be downloaded in its three parts in PDF format from the infectionvectors.com Web site.