Bagle Trojan Attack Strikes, Multiple Versions Overwhelm Defenses

The attack, which began about midnight EST, was launched in a large-scale spamming campaign, said virus researchers, and although the new threat doesn't spread on its own -- these are Trojans with Bagle characteristics, not true worms -- many security vendors have bumped up warnings to get out the word.

It's unclear how many variations are on the loose. Some vendors, such as Symantec, had reported only two as of mid-morning Tuesday. Others, such as the U.K.-based Sophos, said there were at least four or five distinct versions. According to Reston, Va.-based iDefense, some sources are reporting as many as 15 copy-cats.

"Wave attacks are becoming increasingly common," said Ken Dunham, iDefense's director of malicious code research, in an e-mail to TechWeb. "Multiple minor variants are rapidly seeded into the wild to help the overall success of the attack."

The purpose of the attack seems to be to infect a large number of systems, which can later be turned into spam zombies, worm launch pads, or denial-of-service proxies.


"Compromised systems could cause all kinds of mischief," said Graham Cluley, a senior technology consultant with Sophos. "The attacker's intention is to use those computers for some other purpose, perhaps spamming. Once the Trojan's in place, it can update by downloading a new malicious component from any of a large number of Web sites."

So far, the sites -- which are hard-coded into the Trojan horse -- aren't hosting anything suspicious, added Cluley, but Sophos and others are monitoring the sites carefully. It's not unusual for an attack to infect systems, leave a backdoor open like this, and then only much later -- after the "heat" has died down -- download the zombie code.

These Trojans -- which in the confusion of the attack and the long-running problem with multiple Bagle versions, are named everything from to to BagleDI-L -- also try to disable a large number of anti-virus or firewall products found on the target PC.

Other self-defense tactics used by the Trojans include modifying the Windows HOSTS file so that the infected machine can no longer reach security vendors' Web sites for virus updates, and renaming security software files so that, once the system is rebooted, anti-virus and/or firewall programs no longer run.

"Any Trojan which turns off your anti-virus or firewall can open you up to further attack, even by very old viruses," added Cluley.
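The HOSTS-file tampering described above is easy to check for, because a hosts entry overrides DNS for the whole machine and a vendor's update site has no business appearing there at all. The following is an added example, not code from the article or from any vendor named in it: it parses a hosts file, flags any watched security-vendor domain regardless of the address it is pinned to, and separately flags any other name sinkholed to a loopback or unspecified address. The sample file contents and the watched-domain list are constructed for illustration.

```python
import ipaddress
from pathlib import Path

# Domains whose presence in the hosts file is suspicious on its own. Illustrative
# list (an assumption for the example); use your own vendors' update hostnames.
WATCHED_DOMAINS = {"sophos.com", "symantec.com", "example-av.test"}

# Constructed sample of a tampered hosts file, shaped like the tampering the
# article describes (vendor update sites pinned to loopback). Not a real sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com          # pinned by the Trojan
127.0.0.1       liveupdate.symantec.com
0.0.0.0         update.example-av.test
192.168.1.5     fileserver.corp.local   # legitimate local entry
127.0.0.1       dev.myapp.local         # a developer's own entry
"""

# Path of the hosts file on Windows; used only when the file actually exists.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    Comments (after '#') and blank lines are skipped; a line may map several
    names to one address, so one line can yield several tuples.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; not a usable mapping
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def _watched(name):
    """True if the name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked(text):
    """Return (line, address, name, reason) for every suspicious mapping.

    A watched vendor domain is reported whatever address it points to; any other
    name pinned to loopback or 0.0.0.0 is reported as a lower-confidence sinkhole,
    since developers legitimately add such entries.
    """
    hits = []
    for lineno, addr, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if _watched(name):
            hits.append((lineno, str(addr), name, "security vendor pinned in hosts file"))
        elif addr.is_loopback or addr.is_unspecified:
            hits.append((lineno, str(addr), name, "host sinkholed to local address"))
    return hits


if __name__ == "__main__":
    text = WINDOWS_HOSTS.read_text(errors="replace") if WINDOWS_HOSTS.exists() else SAMPLE_HOSTS
    for line, addr, name, reason in find_hijacked(text):
        print(f"line {line}: {addr} {name}  [{reason}]")
```

Run on the sample, the three vendor entries come back with the high-confidence reason and the developer's loopback entry with the sinkhole reason, while the file-server mapping is left alone. On a real incident, compare the flagged lines against the file's modification time and the Trojan's arrival time rather than trusting the content alone, since the same lines could have been added by an administrator.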

Most of the variations arrive as .exe attachments or within .zip compressed files, joined to terse e-mails with no subject and a message reading simply "Price" or "New price."

The quick spread of the threat is due to the large spamming run that launched it. "This was spammed out en masse," said Cluley. "Some companies have seen thousands of copies hit their gateways."

Most security firms were reporting a continued increase in the number of copies reaching users. "Just nine hours after it began, it was already seventh on our list of Trojan horses," said Cluley.

The unusually large initial spam seeding and the speed with which so many variants were rolled out both speak to the deviousness of the attackers, said iDefense's Dunham.

"Hackers have been testing their code prior to the attack to ensure that certain anti-virus products do not detect the new minor variants," he said. "They've become increasingly sophisticated and organized in what they're doing [as they] attempt to steal sensitive information or gain control over computers."

The usual recommendations apply, security firms told users: update anti-virus defenses often.

Cluley went a step further. "It's time everyone woke up and stopped executable code at the gateway. There's no reason why users should be installing software from any e-mail message. That should all have to come through the IT department. Doing anything else [but blocking executables] is a huge security risk."
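Cluley's advice, stopping executable code at the gateway, is a policy rather than a signature, and it covers every minor variant at once regardless of whether the anti-virus engine knows it yet. The following is an added example of such a gateway check, not code from the article or from Sophos: it looks inside each attachment, flags executables by extension and by the PE "MZ" header (so a renamed .exe is still caught), opens .zip attachments and applies the same test to their members, treats any encrypted archive member it cannot inspect as hostile, and separately notes the subject-less "Price"/"New price" lure described earlier. The sample messages, addresses and file names are constructed for illustration; the attachment is a dummy file with an MZ header, not malware.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the gateway refuses outright. Illustrative set; extend to taste.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".cpl"}
# Terse bodies the campaign used, per the article.
LURE_BODIES = {"price", "new price"}


def _looks_executable(name, head):
    """Flag by extension or by PE 'MZ' header, so a renamed .exe is still caught."""
    ext = os.path.splitext(name.lower())[1]
    return ext in EXECUTABLE_EXTS or head[:2] == b"MZ"


def scan_message(raw):
    """Return a list of findings; entries starting with 'block:' should stop the mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if not subject and text in LURE_BODIES:
        findings.append("warn: empty subject with terse 'price' body (Bagle-style lure)")

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if _looks_executable(name, data):
            findings.append(f"block: executable attachment {name}")
            continue
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        # Encrypted member: cannot be inspected, so do not let it through.
                        findings.append(f"block: encrypted member {info.filename} in {name}")
                        continue
                    with zf.open(info) as member:
                        head = member.read(2)  # enough to test for the MZ header
                    if _looks_executable(info.filename, head):
                        findings.append(f"block: executable {info.filename} inside {name}")
    return findings


def should_block(raw):
    """Gateway decision: drop the message if any finding is a 'block:' finding."""
    return any(f.startswith("block:") for f in scan_message(raw))


def build_sample_message(with_lure=True):
    """Constructed test messages (not real samples).

    with_lure=True mimics the campaign: no Subject, body 'New price', and a .zip
    holding a dummy 'price.exe' whose only executable trait is the MZ header.
    with_lure=False is a benign mail with a subject and a CSV attachment.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    if with_lure:
        fake_exe = b"MZ" + b"\x00" * 62 + b"dummy, not a program"
        zbuf = io.BytesIO()
        with zipfile.ZipFile(zbuf, "w") as zf:
            zf.writestr("price.exe", fake_exe)
        msg.set_content("New price")
        msg.add_attachment(zbuf.getvalue(), maintype="application",
                           subtype="zip", filename="price.zip")
    else:
        msg["Subject"] = "Quarterly figures"
        msg.set_content("Attached as discussed.")
        msg.add_attachment("q3,42\n", subtype="csv", filename="figures.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    for lure in (True, False):
        raw = build_sample_message(with_lure=lure)
        print("block" if should_block(raw) else "pass", scan_message(raw))
```

The lure check is deliberately only a warning: an empty subject with a one-word body is a weak signal on its own, and the decision to drop rests on the attachment content. Reading just the first two bytes of each archive member also keeps the cost of a zip bomb bounded at this stage.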