RealTime IT News

Fresh Bagle Attacks Under Way

Security firms have detected as many as 15 variants of the Bagle worm in the past 24 hours that are currently attacking end-user computers.

Officials from iDefense said the wave of attacks started late Monday evening in the United States, or at the start of the business day in the Asia-Pacific region, and are mainly variants of the Bagle worm, which is used to compromise a computer and download malicious software, or Trojan horses , to a user's computer.

Kaspersky Lab detected 15 variants of the Bagle worm, and iDefense experts confirmed the existence of three strains of the Bagle worm and two of the Glieder worm. According to the Kaspersky Lab research note released Tuesday, the Bagle variants use random e-mail text, file sizes and names to evade detection by anti-virus software.

Tracking the culprit or culprits behind this latest wave of e-mail viruses is difficult. The source code for the Bagle worm was released on the Internet in July 2004, sparking a wave of Bagle clones, which makes it one of the most persistent worms to date.

Ken Dunham, director of malicious code at security firm iDefense, said the latest wave of attacks shows a high degree of sophistication on the part of the malware authors who have set up more than 150 different Web sites to host files that are downloaded by infected computers.

The company has evidence that the malware authors were testing the Glieder worm before the attack to ensure they slipped past anti-virus software, Dunham continued, adding that he expects the attacks to have more success with home users than business employees. Companies, for the most part, have policies and educational programs in place to prevent users from opening attachments received in e-mails.

"Some people would think that it is a very large threat, simply because there are so many variants being sent out at once," he said. "It is overwhelming, and the likelihood of different variants collectively coming together to cause a significant attack is certainly there.

"On the other hand, it requires user interaction," he continued. "Most corporations are familiar with dealing with worm wave attacks like Bagle worms now and they can more easily shut down and block these kinds of things more rapidly upfront."

Andrew Lochart, director of product marketing at e-mail security vendor Postini, said the company's hosted e-mail security servers have detected five times the amount of Bagle traffic in the past 24 hours, from approximately 60,000 to 325,000 instances.

While he doesn't expect the Bagle variants to cause any critical problems, he said it's too early to make a definitive prediction.

"We may still be in the ramp-up period; it's sometimes hard to say with these things," Lochart said. "With some of these more virulent Trojans we've seen in the past, the ramp-up can actually last 48 hours before we actually see the peak and then the taper; it might be worth all of us keeping our eye on it and see if the numbers keep going up."

Anti-virus software vendor McAfee first started detecting the new Bagle and Glieder variants Monday evening and released security definition updates this morning, a little earlier than normal, to counter their effects on systems.

According to Craig Schmugar, a virus research manager with McAfee's Antivirus and Vulnerability Emergency Response Team (AVERT), virus authors have been successful to some extent gaining insight into how to avoid anti-virus measures by downloading the data files used by the security vendors themselves.

"The authors have the luxury of having the protections in their hands," he said. "They can download these publicly available definition files and test new variants against it to see if it's detected or not. And if it is, they can go and change their virus to try and evade that detection."

The Bagle worm is listed as the third-most prevalent virus on the Internet, according to e- Postini's top 10 viruses for the month of February.