Rounding out the last half of the alphabet with Bagle.Q, Bagle.R, Bagle.S and Bagle.T variants, the latest worms in a long string of malware have become more sophisticated and sneaky, leaving security experts to ponder what might come next from the evolving family of malicious code.
Reports from antivirus and security vendors indicate the latest Bagle variants — which had success spreading via e-mail attachments in a supremacy struggle with Netsky worm variants earlier this month — are now propagating themselves using auto-execute attacks that could give users an infection if they simply preview e-mail, rather than requiring users to open an attached malicious executable.
Using an exploit of an old vulnerability discovered last year in Microsoft Windows, the latest four Bagle variants are successfully infecting users in Asia and the United States, with infected machines apparently being assembled into armies of compromised computers that can be used to spread more malware, according to security experts.
“The rules of the game change with Bagles Q through T,” iDefense director of malicious code Ken Dunham told TechNewsWorld. “They are getting more complex and more sophisticated. Instead of spreading through e-mail attachments, they are now attempting to auto-execute on computers.”
Bagle’s Fast Evolution
Dunham said the authors of the recent variants appear to have moved completely to the new auto-execute method for spreading their worms on the Internet. He referred to the addition of a file-infection component in the latest variants and indicated the regular addition of new code is troubling.
“We’re only in the first alphabet,” Dunham said. “They’re going to come out with AA and BB next week, and you just have to wonder what kind of functions are going to be built in.”
McAfee Avert virus research manager Craig Schmugar said that while increased complexity and the addition of new features is typical with worm variants, the latest Bagle versions illustrate a quickening pace.
“Relatively speaking, with [Bagle variants] A through T, that has been a pretty fast evolution in functionality, starting with Q,” Schmugar told TechNewsWorld. “There’s quite a bit more functionality, and they didn’t settle for one. They actually spent more time with it and added many new features.”
Easy Infection by Bagle Variants
Security experts loudly warned about the danger of getting infected by the latest Bagle variants simply by previewing an e-mail message that has been downloaded.
Dunham — who described Bagle.Q as a highly randomized e-mail worm — said the “wave” of Bagle attacks is having success because of the auto-execute capability. He also indicated home users are at greater risk because the patch for the vulnerability has only been available for a few months.
Security experts said corporations were better prepared for the Bagle variants because of the higher priority they place on security and patching. However, it has been a difficult period for those in charge of large numbers of corporate computers, they agreed.
“Certainly, on the industry side, it’s a good bit of additional work — getting new [virus] definitions and just keeping the different variants straight,” Schmugar said.
Antivirus, E-mail Put to Test
Schmugar said virus fighters typically have a leg up on variants because they can be identified with the same definitions as the original worm. However, in the case of Bagle.Q through Bagle.T, the variants are being treated almost as if they were new because virus authors have built in so much new functionality.
“It’s a workload like we haven’t seen before,” Schmugar said of recent weeks of multiple worms and variants. “We’ve certainly had to change our game plan a bit and shift schedules to keep up.”
Dunham, who said e-mail worms are becoming almost as common and annoying as spam in some cases, indicated the worm activity is putting e-mail to the test as users deal with dropped e-mails, slowdowns, infections and issues of trust in the technology.
“Really, it’s a potpourri, a flurry of people trying to leverage these worms,” Dunham said. “It’s going to force the hand of e-mail and SMTP (simple mail transfer protocol) in general. It’s not going to get any better before it gets worse.”