Crafty Bagle viruses keep spreading
Published: 07 Mar 2005
Late at night on February 28, 2005, two versions of the Bagle virus were released onto the Internet. That event, in itself, wasn't too remarkable, given that the source code for the Bagle virus is widely available on the Internet today, and we've seen about 50 variations of Bagle since its inception in early 2004. However, the two new variations of Bagle were responsible for spreading four new versions of a Trojan horse. Oddly, these Trojans don't include mechanisms to spread beyond the infected computers, which seems counter-intuitive (at first).
Defies viral definition, perhaps
My own definition of a computer virus includes the mention that the malicious code can't spread by itself. To spread, someone has to email the infected code or otherwise share those files with others. Over the last five years, we've grown used to automatic mailers built into email-attachment viruses such as 'I Love You'. The automatic mailers are little SMTP engines that send out perfect copies of themselves -- virus-infected email sent to addresses harvested from infected computers. And we've also grown used to the computer worm, malicious code that by definition exists to move from computer to computer, often scanning the Internet for vulnerable systems to infect. So, how bad is a viral email message with a Trojan horse that can't spread? Plenty bad.
Say, for example, that one of these new Bagle viruses hits company A. The initial virus (the one with the automatic remailer) need hit only one computer inside that company. The infected computer would send non-reproducing copies of the Trojan horse to every computer within the company's network, then stop. In what's called a wave attack, this event would not rise to the level of a full-blown virus panic, as we've seen before, with multiple copies of virus-produced email surging through the system and clogging email servers for hours on end. Rather, this virus would infect many machines quickly, then cease to be a nuisance. This version of Bagle, like previous versions, attempts to turn off antivirus and firewall security, so once it is implanted on as many desktops as it can infect, these four Bagle-related Trojans attempt to download some mystery program onto the infected computer from a long list of possible hosts. The hosts themselves are supplied by yet another compromised or source computer. It's the layering of this latest Bagle attack that makes it interesting.
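The "wave" pattern described above has a detection signature of its own: one internal sender pushes the same attachment to many internal recipients within seconds, then goes quiet, so mail-gateway logs show a burst rather than the sustained flood of a classic mass-mailer. The following is an added example (not code from the column or from any vendor mentioned in it) that scans constructed, simplified mail-gateway log lines for that burst; the log format, the addresses and the attachment hashes are all invented for the example, and a real gateway's format would need its own parser.

```python
"""Detect a Bagle-style 'wave': one sender, one attachment, many internal
recipients inside a short window.  Added example; the log format below is a
constructed, simplified one, not any real product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: <ISO timestamp> <sender> <recipient> att=<attachment hash prefix>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sender>\S+) (?P<rcpt>\S+) att=(?P<att>[0-9a-f]+)$"
)

# Constructed sample log.  'alice' shows the wave (six distinct recipients in
# four seconds, one duplicate); 'hr' sends the same attachment to six people
# spread over a working day, which is normal and must not alert.
SAMPLE_LOG = """\
2005-02-28T23:41:02 alice@corp.example bob@corp.example att=9f3a1c
2005-02-28T23:41:03 alice@corp.example carol@corp.example att=9f3a1c
2005-02-28T23:41:03 alice@corp.example dan@corp.example att=9f3a1c
2005-02-28T23:41:04 alice@corp.example erin@corp.example att=9f3a1c
2005-02-28T23:41:05 alice@corp.example frank@corp.example att=9f3a1c
2005-02-28T23:41:05 alice@corp.example grace@corp.example att=9f3a1c
2005-02-28T23:41:06 alice@corp.example bob@corp.example att=9f3a1c
2005-03-01T08:02:10 hr@corp.example bob@corp.example att=44d2e0
2005-03-01T09:15:44 hr@corp.example carol@corp.example att=44d2e0
2005-03-01T11:30:01 hr@corp.example dan@corp.example att=44d2e0
2005-03-01T14:05:37 hr@corp.example erin@corp.example att=44d2e0
2005-03-01T16:48:12 hr@corp.example frank@corp.example att=44d2e0
2005-03-01T17:59:59 hr@corp.example grace@corp.example att=44d2e0
"""


def parse_log(text):
    """Return (timestamp, sender, recipient, attachment) tuples; malformed
    lines are skipped rather than allowed to crash the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]),
                       m["sender"], m["rcpt"], m["att"]))
    return events


def detect_waves(events, min_recipients=5, window=timedelta(minutes=2)):
    """Alert on any (sender, attachment) pair that reaches at least
    `min_recipients` distinct recipients inside any `window`-long span.
    Distinct recipients are counted so a retry to the same mailbox does
    not inflate the score."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, att in events:
        by_key[(sender, att)].append((ts, rcpt))

    alerts = []
    for (sender, att), deliveries in by_key.items():
        deliveries.sort()
        best = None
        start = 0
        # Sliding window over time-ordered deliveries.
        for end in range(len(deliveries)):
            while deliveries[end][0] - deliveries[start][0] > window:
                start += 1
            rcpts = {r for _, r in deliveries[start:end + 1]}
            if len(rcpts) >= min_recipients and (
                    best is None or len(rcpts) > best["recipients"]):
                best = {
                    "sender": sender,
                    "attachment": att,
                    "recipients": len(rcpts),
                    "first_seen": deliveries[start][0].isoformat(),
                    "last_seen": deliveries[end][0].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_waves(parse_log(SAMPLE_LOG)):
        print("wave:", alert)
```

The thresholds are deliberately loose (five recipients in two minutes); a real deployment would tune them per site and, on an alert, quarantine the attachment hash at the gateway before the second stage has a chance to run.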
Shades of Sobig.f
We've seen this two-step process before. In August 2003, the Sobig.f virus spread rapidly to as many computers as it could over a five-day period, then attempted to contact 1 of 20 compromised computers worldwide at a hard-coded date and hour in order to download additional code. Fortunately, with just hours to spare, several antivirus companies cracked the encrypted code within Sobig.f, revealing the compromised source computers' IP addresses. Worldwide law enforcement was then able to shut down all but two or three computers before the appointed download hour. What we saw downloaded from the remaining, active computers was a link to a porn site, but I think that might have been filler for something else.
The ongoing speculation with Sobig's purpose, and now with Bagle, is that the virus writers responsible for these viruses were paid to create a platform on the Internet to distribute code (malicious or commercial in nature) to as many computers hooked to the Internet as possible. A spammer could then use these infected computers as an anonymous remailer for his wares. An identity thief could use it to download a keystroke logger and harvest thousands of passwords and active credit card numbers. Or worse, though unlikely, someone could be planning a devastating computer virus that would download to the infected computers and render them unusable.
Fatal flaw
Aside from the requirement that you click the email attachment (which, I hope, no one still does), there remains one weak link in this two-step viral theory: the download source site or sites are hard-coded within the virus, making them easy for law enforcement to find and shut down. With Sobig.f, the data was encrypted; no word yet on whether the new Bagles encrypted their sites, but it seems this time Bagle used a long list of intermediary sites between the infected computers and the true source of the download. Nonetheless, antivirus vendors were able to work directly with the ISP and quickly shut down the source site supplying those intermediary sites. I think we're close to the day when someone figures out a way to obscure the download site information even better.
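The weak link described above, hard-coded download sites, is exactly what lets antivirus vendors and ISPs act quickly: the host list can be pulled straight out of a sample and turned into a blocklist. The following is an added example, not code from the column or from any vendor, showing that triage step on a constructed byte blob. It recovers URLs stored in plain text and, for the case where the list is lightly obscured as Sobig.f's was, trials every single-byte XOR key and keeps any key that yields URLs. Every host in the sample is a placeholder from the documentation address ranges, not an address from any real Bagle or Sobig variant, and the XOR scheme is an assumption for illustration; a stronger obfuscation, which the column anticipates, would defeat this trial and require proper analysis of the sample.

```python
"""Pull hard-coded download hosts out of a sample into a blocklist.
Added example on a constructed binary blob; the URLs and the single-byte
XOR obfuscation are assumptions for illustration, not Bagle's real list."""
import re
from urllib.parse import urlparse

# Matches an http(s) URL up to whitespace, NUL or a quote/bracket.
URL_RE = re.compile(
    rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00\"'<>]*)?"
)


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (used to build and to undo the
    constructed obfuscation)."""
    return bytes(b ^ key for b in data)


# Constructed sample "binary": a fake header, two plaintext URLs, then a
# NUL-separated URL list XORed with 0x5A.  Hosts are documentation placeholders.
PLAIN_URLS = [b"http://intermediary-01.example/loader.php",
              b"http://198.51.100.23/loader.php"]
HIDDEN_URLS = [b"http://intermediary-02.example/a.php",
               b"http://203.0.113.7:8080/b.php"]
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"\x00".join(PLAIN_URLS) + b"\x00" * 8
    + xor_bytes(b"\x00".join(HIDDEN_URLS) + b"\x00", 0x5A)
    + b"\x00" * 8
)


def extract_urls(blob):
    """URLs stored in plain text, as a sorted list of str."""
    return sorted({m.decode("ascii") for m in URL_RE.findall(blob)})


def extract_obfuscated_urls(blob):
    """Trial every single-byte XOR key (1..255); return {key: [urls]} for the
    keys that expose at least one URL.  Key 0 is the plaintext case handled
    by extract_urls()."""
    found = {}
    for key in range(1, 256):
        urls = extract_urls(xor_bytes(blob, key))
        if urls:
            found[key] = urls
    return found


def build_blocklist(blob):
    """Distinct hostnames from both the plain and the recovered URL lists,
    ready to feed to an egress filter or DNS sinkhole."""
    urls = list(extract_urls(blob))
    for key_urls in extract_obfuscated_urls(blob).values():
        urls.extend(key_urls)
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    print("plaintext URLs:", extract_urls(SAMPLE_BINARY))
    for key, urls in extract_obfuscated_urls(SAMPLE_BINARY).items():
        print(f"key 0x{key:02x}:", urls)
    print("blocklist:", build_blocklist(SAMPLE_BINARY))
```

The blocklist is the defensive output: blocking the intermediary hosts at the perimeter stops the second-stage download on every already-infected desktop, which is the same effect the column credits to the vendors and ISP taking the source site offline.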
Although Bagle attempts to shut down your desktop security, a good antivirus program and a firewall are still your best protection (most antivirus and firewall providers have generic signature files in place to stop the latest variations of Bagle). I recommend two products: Trend Micro's PC-cillin Internet Security 12 for an antivirus program with a good firewall (note that this product will not work with Firefox, however); and ZoneAlarm Internet Security 5.5, which includes a great firewall and bundles in the fast and efficient antivirus engine from Computer Associates.
Related articles
PC-cillin Internet Security 12
Review PC-cillin Internet Security 12 delivers speedy virus scanning and a host of other Internet protection tools -- all for the price of most antivirus-only programs alone. [01 Nov 2004]
ZoneAlarm Security Suite 5.5
Review ZoneAlarm Security Suite puts Norton Internet Security and McAfee Internet Security to shame with its easy-to-use features. [21 Jan 2005]