More On The New Bagle

Here’s some more stuff from The Inquirer about the new Bagle worm (AV firm warns of fresh Bagle variant), which quotes F-Secure as saying it has issued a level two alert for a variant of Bagle which it said is propagating like crazy across the world. Some details:

The firm said Bagle.AT is a polymorphic worm arriving in emails and with a number of different headers. It’s similar to the other Bagles around, and attaches itself to emails as a .EXE file with .com, .exe, .scr and .cpl extensions. Typical text strings include “delivery service mail”, “delivery by mail”, “registration is accepted”, “is delivered mail” and “you are made active”. Bagle.AT also opens a back door to PCs that listens on port 81, and is password encrypted. That allows the author of the worm to connect to PCs and let him or her execute programs. The infected machines are reported to the worm’s author.

Always hard to know at the time how much of this is hype, but I guess it’s worth knowing about it in case it isn’t.

MyDoom Anniversary: Another Big Attack In The Offing?

Today’s the first anniversary of the MyDoom.A worm. According to an email I received earlier today from MessageLabs, ‘the world’s leading provider of email security services to business’, it was a day that “changed the virus landscape forever”:

27 January 2005 – At 13.26pm on 26 January 2004, MessageLabs intercepted its first copy of W32/MyDoom.A. Within the first twenty-four hours, the company had stopped over 1.2 million copies. MyDoom.A, which achieved a peak infection rate of 1 in 12 emails, has proved to represent a landmark in the history of computer viruses, and the legacy lives on.

I’m not sure whether this is just a coincidence, but I’m told by folks at Network Box of a fresh attack by Bagle: “Depending on the next few hours, this could be a large attack,” says Network Box’s Quentin Heron:

Network Box Security Response is tracking several new variants of the Bagle Internet worm… We are seeing thousands of blocks on these variants, from dozens of sites in Hong Kong. We are checking worldwide infection rates at the moment, but this looks extensive.

For those of you who follow these things, the worm matches signatures from Kaspersky Labs of and Email-Worm.Win32.Bagle.ay.

I’ll keep you posted.

McAfee’s Virus Report Card – Grim

It’s been a busy six months for the virus-writing folk.

McAfee says the first half of this year has seen more serious viruses than in the whole of last year (sorry, no URL available yet). A large part of this has been the war between the Bagle and Netsky authors, a war that has seen their viruses appear in 215 countries.

What’s perhaps surprising is that this bucks a trend in virus production, where McAfee saw a steady decline in the rate of viruses produced from 2000 to 2003, down to a 5% year over year growth. That seems to be all over, for now at least.

Another weak spot: McAfee noted 11 exploits targeting four Microsoft vulnerabilities in the first half of 2004, against 15 exploits targeting seven Microsoft vulnerabilities in the whole of 2003. In other words: more folk trying to make the most out of fewer holes.

Virus Writers As Spotty Juveniles Or Hardened Criminals? Take Your Pick

Was the recent virus war just between kids, or something more sinister?

Mi2g, the British Internet security consultants, reckon not. “Upon analysing the juvenile dialogue between the malware writers of NetSky, Bagle and MyDoom it has been prematurely concluded by a range of commentators that this is a turf war between teenagers or college students seeking global notoriety. Whilst script kiddies are active in large numbers around the globe benefiting from freely available online hacking and malware authoring tools, a coincidental release of malware variants that have contributed to a tsunami is highly unlikely to be merely the work of teenagers.”

Some folk have pointed to discussion on some online bulletin boards as evidence of the gang-style war behind these recent viruses. Mi2g see it differently: “It could well be that the teenager-type messages were deliberately left behind by more mature malevolents to benefit from the publicity of their intended disguise that delivers obscurity to the real motives behind this rapid release of malware variants and the colonisation of millions of zombie computers in homes, places of learning, government departments and corporations.”

“The fact that Bagle and its many variants involved advanced social engineering — tricks to persuade you to open, and therefore activate, the virus-laden attachment — suggests a high level of specificity in what the malware writers seek,” mi2g reckon. The email containing the virus mimics the email address domain to which it is being sent, thereby confusing the user (and confusing me too). Other elements convince mi2g these guys are not just mucking about:
  • The backdoors that are left open by MyDoom, for example, cannot be exploited easily by a novice;
  • Hundreds of thousands of tailor-made emails received over the last week carry a Bagle variant, for example, within an encrypted attachment that bypasses the defences of many corporations and ISPs;
  • The rapacious way in which the address books are then plundered across the corporate network also suggests a more legitimate email address harvesting motive than simply an intellectual challenge frenzy between rivals.

Mi2g also points to the NetSky variants which also “sniff for evidence of MyDoom and Bagle infections as well as their previous incarnations before attempting to deactivate them”. Mi2g concludes that “groups of malware authors are battling for market share of infected computers and there is a protracted turf war underway, where large sums of money or valuable assets are involved.”

I tend to agree, and have said so, in my usual quiet way. But I think there’s a slight difference in my analysis and theirs. While mi2g say “It would be a folly to assume that all these groups of malware writers, who masquerade as juvenile teenagers, are not linked to trans-national criminal syndicate activity. All this suggests a grander financial plan than mere bragging rights”, I don’t believe they are grown-ups masquerading as kids. I think they are probably kids who are sharing some of the loot with the gangs.

In fact, I think it may be wrong to think of the people behind these scams as big established gangs. They may be relatively large in number for a culture not known to cooperate but, at a pop, I’d say there were no more than 10 or so per group — and, importantly, they are fluid and ad-hoc. For a scam to work you need someone with the brains to figure out how to extract money (the scammer), someone to do the coding (the coder), and someone to distribute it (the spammer). All of them could, in effect, be kids. To see what life among this kind of folk is like, look no further than Robin Miller’s interview on NewsForge with Andrew D Kirch, a security administrator who recently infiltrated some script kiddie groups. While script kiddies — generally derided on the belief that they copy most of the code they use rather than writing it themselves — may not be up to creating the viruses we’re talking about here, one gets a pretty good general idea of the culture.

The Virus Turf War

More on who’s behind the latest wave of virus attacks.

Mary Landesman of looks at text strings contained in the viruses of Bagle (sometimes Bagel) and MyDoom to show how “a battle is waging between three groups of virus writers, each attempting to prove superiority over the other.” It’s a very good piece.

But it’s not quite that simple, I suspect. She quotes a virus analyst at Norman Data Defense Systems, the excellently named Snorre Fagerland, as saying, “We suspect that several virus authors – or factions of virus authors – are competing in creating the most successfully spreading worm. So far we see three different groups or persons, each responsible for their own worm family; NetSky, Bagle, and MyDoom. Text messages inside these worms point in this direction. It seems like they are accusing each other of stealing ideas and code, in an attempt to achieve the highest number of copies spread on the Internet as fast as possible.”

I believe it’s more complex than that. A message in Bagle.J goes: “Hey,NetSky, [expletive] off you [expletive], don’t ruine our bussiness, wanna start a war?” This, Landesman points out, is apparently in response to a string contained in Netsky.C that reads, “]MyDoom.F is a thief of our idea! – -”

My belief is this: A lot of viruses nowadays are business ventures, cobbled together by an informal cabal of computer nerds and folk who want to make money (spammers, scammers). Of course some viruses are just kids in dorms and bedsits messing about for fun. But when the guy(s) behind Bagle.J say ‘don’t ruin our business’ they’re not speaking metaphorically. The Internet is like any other turf, and there’s only so much to go round. What we’re seeing here, I believe, is a turf war among criminals, or possibly between criminals and script kiddies (amateur, and amateurish, virus writers who do it for fun).

New Variation Of Bagle Spreading Fast

More virus trouble afoot. This time it’s a variation of Bagle.

MessageLabs reports that it’s intercepted more than 10,000 copies in an hour as of this morning. Most seem to be from the UK and the U.S., although the first copy it received was from Poland.

It appears to be a mass-mailing worm, installing a backdoor Trojan on infected machines much like its predecessor. It looks like this:

Subject: ID <random>… thanks
Text:  Unknown
Attachment: <Random>.exe
Size: 11264 bytes

EWeek says it also includes a component that notifies the author each time a new machine is infected. The attachment will mail the virus to all of the names found on the user’s hard drive, with the exception, for some reason, of addresses in the Hotmail, MSN, Microsoft and AVP domains.

Bagle.B also opens port 8866 and begins listening for remote connections, according to an analysis done by Network Associates Inc.’s McAfee AVERT team. The virus also sends an HTTP notification, presumably to the author, notifying him that the machine is infected.
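The indicators these posts list for Bagle.AT (the .com/.exe/.scr/.cpl attachment extensions, the lure phrases, the sender domain mimicking the recipient’s) and for Bagle.B (the “ID <random>… thanks” subject and the 11264-byte .exe attachment) are the kind of thing a mail gateway can score before delivery. The following is an added example written for this page, not code from the posts or from F-Secure, MessageLabs, McAfee or Network Associates; the `Message` class, the scoring weights, the quarantine threshold and the sample messages are all this example’s own constructions.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the posts above (Bagle.AT, Bagle.B, the original Bagle).
EXEC_EXTENSIONS = {".com", ".exe", ".scr", ".cpl"}
LURE_PHRASES = (
    "delivery service mail",
    "delivery by mail",
    "registration is accepted",
    "is delivered mail",
    "you are made active",
)
BAGLE_B_ATTACHMENT_SIZE = 11264
# "ID <random>... thanks": an "ID" token, something random, ending in "thanks".
ID_THANKS_SUBJECT = re.compile(r"^id\s+\S+.*thanks$", re.IGNORECASE)


@dataclass
class Message:
    """A minimal inbound-mail view; the field names are this example's own (hypothetical)."""
    from_addr: str
    to_addr: str
    subject: str
    body: str = ""
    attachment_name: Optional[str] = None
    attachment_size: int = 0
    from_outside: bool = True  # arrived over the external MX, not from an internal host


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Accumulate a score and the list of matched indicators (weights are assumptions)."""
    score, reasons = 0, []
    ext = os.path.splitext(msg.attachment_name or "")[1].lower()
    if ext in EXEC_EXTENSIONS:
        score += 2
        reasons.append(f"executable attachment ({ext})")
        if msg.subject.strip().lower() == "hi":  # original Bagle: 'Hi' plus random .exe
            score += 1
            reasons.append("'Hi' subject with executable attachment")
    if msg.attachment_name and msg.attachment_size == BAGLE_B_ATTACHMENT_SIZE:
        score += 1
        reasons.append("attachment size 11264 bytes (Bagle.B)")
    text = f"{msg.subject}\n{msg.body}".lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        score += 1
        reasons.append(f"lure phrase {hits[0]!r}")
    if ID_THANKS_SUBJECT.match(msg.subject.strip()):
        score += 1
        reasons.append("subject 'ID <random>... thanks'")
    # External mail whose sender domain equals the recipient's domain is the
    # "mimics the email address domain to which it is being sent" trick.
    if msg.from_outside and _domain(msg.from_addr) == _domain(msg.to_addr):
        score += 1
        reasons.append("sender domain spoofed to match recipient domain")
    return score, reasons


def verdict(msg: Message) -> str:
    """quarantine / flag / deliver; the thresholds are this example's assumption."""
    score, _ = score_message(msg)
    if score >= 3:
        return "quarantine"
    if score >= 1:
        return "flag"
    return "deliver"


# Constructed sample messages (not captured samples).
SAMPLES = {
    "bagle_at_like": Message("postmaster@example.com", "alice@example.com",
                             "Registration is accepted",
                             "Your registration is accepted. See attached.",
                             "details.cpl", 22000),
    "bagle_b_like": Message("bob@mail.example", "alice@example.com",
                            "ID 48271... thanks", "", "qdhe.exe", 11264),
    "exe_only": Message("dave@other.example", "alice@example.com",
                        "Invoice", "Please see attached.", "invoice.exe", 9000),
    "benign": Message("carol@partner.example", "alice@example.com",
                      "Q1 figures", "Attached as discussed.", "q1.pdf", 48213),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        score, reasons = score_message(msg)
        print(f"{name:14} {verdict(msg):10} score={score} {reasons}")
```

The weights are deliberately simple: an executable attachment alone is enough to flag for review, and any second Bagle trait (lure phrase, the Bagle.B subject or size, or a spoofed internal sender) pushes it into quarantine. Size and subject matches are weak on their own, which is why they are only worth one point each.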

The Bagle Worm

I’m getting quite a few warnings about a new worm called Bagle, so I thought I’d pass them along. MessageLabs, an email security company, says it’s currently spreading at an alarming rate. The first copy of the worm was intercepted from Germany, and at the moment the majority of copies are being captured as they are sent from Australia. It seems to have several bits to it:

The worm arrives as an attachment to an email with the subject line ‘Hi’ and has a random filename, with a .exe extension. W32/Bagle-mm searches the infected machine for email addresses and then uses its own SMTP engine to send itself to the addresses found. The worm makes a poor attempt to lure users into double-clicking on the attachment by using social engineering techniques.

Further analysis suggests that the worm includes a backdoor component that listens for connections from a malicious user and can send notification of an infected system.

It also appears that the worm may attempt to download a Trojan proxy component, known as Backdoor-CBJ. This Trojan is able to act as a proxy server and can download other code which could be used for key-logging and password stealing.

Here’s more on it from CNet.