Security firms have detected as many as 15 variants of the Bagle worm
Officials from iDefense said the wave of attacks started late Monday evening in the United States, or at the start of the business day in the Asia-Pacific region, and are mainly variants of the Bagle worm, which is used to compromise a computer and download malicious software, or Trojan horses.

Kaspersky Lab detected 15 variants of the Bagle worm, and iDefense experts confirmed the existence of three strains of the Bagle worm and two of the Glieder worm.
According to the Kaspersky Lab research note released Tuesday, the Bagle variants use random e-mail text, file sizes and names to evade detection by anti-virus software.

Tracking the culprit or culprits behind this latest wave of e-mail viruses is difficult. The source code for the Bagle worm was released on the Internet in July 2004, sparking a wave of Bagle clones, which makes it one of the most persistent worms to date.
Ken Dunham, director of malicious code at security firm iDefense, said the latest wave of attacks shows a high degree of sophistication on the part of the malware authors, who have set up more than 150 different Web sites to host files that are downloaded by infected computers.
The company has evidence that the malware authors were testing the Glieder worm before the attack to ensure they slipped past anti-virus software, Dunham continued, adding that he expects the attacks to have more success with home users than business employees. Companies, for the most part, have policies and educational programs in place to prevent users from opening attachments received in e-mails.
“Some people would think that it is a very large threat, simply because there are so many variants being sent out at once,” he said. “It is overwhelming, and the likelihood of different variants collectively coming together to cause a significant attack is certainly there.

“On the other hand, it requires user interaction,” he continued. “Most corporations are familiar with dealing with worm wave attacks like Bagle worms now and they can more easily shut down and block these kinds of things more rapidly upfront.”
Andrew Lochart, director of product marketing at e-mail security vendor Postini, said the company’s hosted e-mail security servers have detected five times the amount of Bagle traffic in the past 24 hours, from approximately 60,000 to 325,000 instances.

While he doesn’t expect the Bagle variants to cause any critical problems, he said it’s too early to make a definitive prediction.

“We may still be in the ramp-up period; it’s sometimes hard to say with these things,” Lochart said. “With some of these more virulent Trojans we’ve seen in the past, the ramp-up can actually last 48 hours before we actually see the peak and then the taper; it might be worth all of us keeping our eye on it and see if the numbers keep going up.”
Anti-virus software vendor McAfee first started detecting the new Bagle and Glieder variants Monday evening and released security definition updates this morning, a little earlier than normal, to counter their effects on

According to Craig Schmugar, a virus research manager with McAfee’s Antivirus and Vulnerability Emergency Response Team (AVERT), virus authors have been successful to some extent gaining insight into how to avoid anti-virus measures by downloading the data files used by the security

“The authors have the luxury of having the protections in their hands,” he said. “They can download these publicly available definition files and test new variants against it to see if it’s detected or not. And if it is, they can go and change their virus to try and evade that detection.”
The Bagle worm is listed as the third-most prevalent virus on the Internet, according to Postini’s top 10 viruses for the month of February.