New Bagle Worm Variant Shuts Down Defenses

Of the trio of Bagle variants that have hit the Internet since Saturday -- that day's, Sunday's Bagle.ah, and Monday's -- the worst is also the most recent, said Patrick Hinojosa, the chief technology officer for Panda Software.

"When we saw it appear yesterday, it just sort of took off," Hinojosa said. As of mid-day Tuesday, it was the second-most prevalent worm on Panda's real-time list. The new variant -- with the parade of Bagle variants, it's no surprise that not all vendors are in sync on the name; Panda, for instance, dubbed it Bagle.ah -- is very similar to earlier iterations. It's a mass-mailing worm that spreads by hijacking addresses on infected machines or through shared folders; packages its payload as a file attachment, including .zip compressed files; and attempts to contact a slew of German Web sites, probably to alert the hacker to compromised systems so they can be used later as spam proxies or to conduct denial-of-service (DoS) attacks.

Hinojosa notes one important difference that he thinks is behind the variant's success.

"It comes in and takes out a whole list of anti-virus and firewall processes," he said. "This list is larger than earlier [lists], and is so big I can't even count them. Someone really took their time to build this."

The list -- 288 by Symantec's count -- is used to terminate memory-resident and active anti-virus and firewall software in an attempt to slip through a computer's defenses. "It goes around [defenses] by deleting the processes," said Hinojosa. "That's not good."

If a PC is infected with the worm and the anti-virus software is terminated, the machine is not only open to other attacks, but it won't automatically update itself to protect against new threats; that lets even previously protected machines continue to spread the worm.

The bottom line, said Hinojosa, is that the tactic shrinks the response window of anti-virus firms. "Even our average response time of 2.2 hours [from detection to coming up with a new signature] is too big a window," he said. "This shrinking of the response window let [] slip into a larger than usual number of PCs."
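The defensive counterpart to the tactic described above is to watch for it: a single process killing several security-product processes within seconds is a strong signal regardless of which vendor names are on the worm's list. The following detector is an added example and is not code from the article, from Panda, McAfee or Symantec; the process names in the watch list, the log-line format and the sample log are all constructed for illustration, and in practice the events would come from an endpoint sensor's process-termination telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watch list of security-product process names (constructed for this
# example; real vendor and worm lists are far longer).
SECURITY_PROCESSES = {
    "avgserv.exe", "navapsvc.exe", "zonealarm.exe", "mcshield.exe", "pavsrv.exe",
}

# Constructed sample telemetry, one event per line:
# "<ISO timestamp> TERMINATE pid=<n> image=<terminated process> by=<process that killed it>"
SAMPLE_LOG = """\
2004-07-20T10:00:01 TERMINATE pid=1201 image=notepad.exe by=explorer.exe
2004-07-20T10:00:05 TERMINATE pid=1302 image=navapsvc.exe by=unknown.exe
2004-07-20T10:00:05 TERMINATE pid=1303 image=mcshield.exe by=unknown.exe
2004-07-20T10:00:06 TERMINATE pid=1304 image=zonealarm.exe by=unknown.exe
2004-07-20T11:30:00 TERMINATE pid=1500 image=pavsrv.exe by=services.exe
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, action, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_mass_kills(log_text, watch=SECURITY_PROCESSES,
                    window=timedelta(seconds=30), threshold=2):
    """Return [(killer, [terminated security processes])] for every process that
    terminated at least `threshold` watched processes within `window`.

    A lone termination (an administrator stopping one service) is ignored; a burst
    of several from the same parent is the pattern an AV-killing worm produces.
    """
    by_killer = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "TERMINATE" and rec["image"].lower() in watch:
            by_killer[rec["by"]].append(rec)

    alerts = []
    for killer, events in by_killer.items():
        events.sort(key=lambda r: r["ts"])
        # Slide a window of `threshold` consecutive events; flag the killer once.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1]["ts"] - events[i]["ts"] <= window:
                alerts.append((killer, sorted(e["image"] for e in events)))
                break
    return alerts


def missing_defenses(running_images, watch=SECURITY_PROCESSES):
    """Complementary health check: watched processes that are not currently running.
    Useful after an alert, since a killed scanner also stops pulling signature updates."""
    return sorted(watch - {img.lower() for img in running_images})


if __name__ == "__main__":
    for killer, victims in find_mass_kills(SAMPLE_LOG):
        print(f"ALERT: {killer} terminated {len(victims)} security processes: {victims}")
    print("not running:", missing_defenses(["explorer.exe", "avgserv.exe"]))
```

The window and threshold are tunable: a short window with a low threshold catches the burst the article describes, while a single termination by a service-control process stays below the bar, which keeps routine administration from paging anyone.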

Other analysts aren't so sure that the process-termination list is the real problem. Joe Telafici, the director of operations for McAfee's virus response team, noted that the three most recent Bagles all share the same basic list.

But he agreed that the newest variant is particularly nasty. "It's about twice as aggressive as other recent versions. We don't know exactly why, but I suspect it was initially spammed wide enough to catch a bigger audience."

Numbers from other security firms bear that out. MessageLabs, for instance, intercepted 15,000 copies of the worm in a 45-minute period Monday, evidence that it was spam seeded to a large number of users.

Since the source code for Bagle has been made public -- even included in some versions of the worm -- it's hard to tell if the latest outbreaks are from the original author(s) or new hackers just doing a bit of tweaking and fine-tuning.

McAfee's Telafici thinks the three newest Bagles were created by the same individual or group, but wouldn't hazard a guess as to whether it was the original Bagle author. Panda's Hinojosa went a bit farther out on the limb. "What with some of the similarities in the internals, I think it could be some of the same guys [as originally]," he said.

The first Bagle worm appeared in January, and spawned more than two dozen variants in a matter of weeks. Then it disappeared off the radar. Some experts believe that the break was due to the author(s) lying low after the arrest of a suspect in the Netsky and Sasser worm breakouts. Hinojosa, however, has a more irreverent reason.

"It seems the virus writers' union requires a certain amount of time off during the summer."

Joking aside, Hinojosa and others recommended that users update their anti-virus signature files, then do a system scan. Tools are available online for detecting and cleaning PCs of the newest Bagle variations, including one that can be downloaded free of charge from the Symantec Web site.

This story courtesy of TechWeb.