
The Bagle Worm

I’m getting quite a few warnings about a new worm called Bagle, so I thought I’d pass them along. MessageLabs, an email security company, says it’s currently spreading at an alarming rate. The first copy of the worm was intercepted from Germany, and at the moment the majority of copies are being captured as they are sent from Australia. It seems to have several bits to it:

The worm arrives as an attachment to an email with the subject line ‘Hi’ and has a random filename, with a .exe extension. W32/Bagle-mm searches the infected machine for email addresses and then uses its own SMTP engine to send itself to the addresses found. The worm makes a poor attempt to lure users into double-clicking on the attachment by using social engineering techniques.

Further analysis suggests that the worm includes a backdoor component that listens for connections from a malicious user and can send notification of an infected system.

It also appears that the worm may attempt to download a Trojan proxy component, known as Backdoor-CBJ. This Trojan is able to act as a proxy server and can download other code which could be used for key-logging and password stealing.

Here’s more on it from CNet.
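The behaviour described above, a worm that harvests addresses and sends itself with its own SMTP engine rather than through the site's mail server, leaves a distinctive trace in network logs: a workstation that suddenly opens outbound port 25 connections to many different hosts. The script below is an added example, not code from the original post or from MessageLabs, that scores that fan-out over a small constructed flow log. The log format, the IP addresses and the relay address `10.0.0.5` are all assumptions made for the example.

```python
"""Flag hosts whose outbound SMTP fan-out looks like a mass-mailing worm.

Heuristic: a legitimate workstation hands mail to the site's relay; a host
running its own SMTP engine connects to many distinct remote mail servers
directly within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the site's legitimate mail relay (assumption for the example).
ALLOWED_RELAYS = {"10.0.0.5"}

# Constructed flow log, one connection per line: "timestamp src dst dst_port".
SAMPLE_LOG = """\
2004-01-19T09:00:01 10.0.0.12 10.0.0.5 25
2004-01-19T09:00:04 10.0.0.12 10.0.0.5 25
2004-01-19T09:00:09 10.0.0.12 93.184.216.34 80
2004-01-19T09:00:02 10.0.0.37 203.0.113.10 25
2004-01-19T09:00:03 10.0.0.37 198.51.100.22 25
2004-01-19T09:00:03 10.0.0.37 203.0.113.77 25
2004-01-19T09:00:05 10.0.0.37 198.51.100.9 25
2004-01-19T09:00:06 10.0.0.37 203.0.113.200 25
2004-01-19T09:00:08 10.0.0.37 198.51.100.140 25
2004-01-19T09:03:00 10.0.0.41 198.51.100.22 25
"""


def parse_line(line):
    """Split one constructed log line into (datetime, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def smtp_fanout(log_text, relays=ALLOWED_RELAYS, window_seconds=60):
    """Return {src: max distinct non-relay SMTP destinations in any window}.

    Connections to the approved relay are ignored, so a host that only ever
    talks to the relay does not appear in the result at all.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 25 and dst not in relays:
            events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    result = {}
    for src, recs in events.items():
        recs.sort()  # chronological order so each window scan is a forward pass
        best = 0
        for i, (t0, _) in enumerate(recs):
            # Distinct destinations reached within `window` of this connection.
            seen = {d for t, d in recs[i:] if t - t0 <= window}
            best = max(best, len(seen))
        result[src] = best
    return result


def find_mass_mailers(log_text, threshold=5, **kw):
    """Sources whose peak fan-out reaches the threshold, sorted for stable output."""
    return sorted(src for src, n in smtp_fanout(log_text, **kw).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in sorted(smtp_fanout(SAMPLE_LOG).items()):
        print(f"{src}: {n} distinct external SMTP peers in 60s")
    print("suspect hosts:", find_mass_mailers(SAMPLE_LOG))
```

In the sample, `10.0.0.12` only uses the relay and is never scored, `10.0.0.41` reaches one external mail server, and `10.0.0.37` reaches six within a few seconds and is the one flagged. The same observation motivates the usual mitigation: permit outbound port 25 only from the mail relay, so a host with its own SMTP engine cannot deliver anything and its attempts show up as blocked connections.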

The Year Of The Worm

Nothing new in this, but a fascinating summary of this year’s viruses, and a sober reminder of how tricky it’s all getting: F-Secure’s review of 2003 makes for interesting reading. This, for example, on how the Slammer worm caused so much network traffic:

In theory, there are some 4 billion public IP addresses on the Internet. The Slammer worm was released on January 25, 2003 around 04:31 UTC. By 04:45 it had scanned through all Internet addresses – in less than 15 minutes! This operation can be compared to an automatic system dialing all available phone numbers in the world in 15 minutes. As on the net, only a small number of phones would answer the call but the lines would certainly be congested.

Or the Bugbear.B worm, which tried to steal information from banks and other financial institutions:

To this end, the worm carried a list of network addresses of more than 1300 banks. Among them were network addresses of American, African, Australian, Asian and European banks. As soon as this functionality was discovered, F-Secure warned the listed financial institutions about the potential threat. The response time of the F-Secure Anti-Virus Research Unit was 3 hours 59 minutes from the detection of the worm to the release of an anti-virus update. F-Secure also published a free tool to clean systems affected by Bugbear.B.

Or Sobig.F, which waited for a couple of days after infecting a machine and then turned affected machines into e-mail proxy servers:

The reason soon became apparent: spammers, or organizations sending bulk e-mail ads, used these proxies, which Sobig had created, to redistribute spam on a massive scale. Computers of innocent home users were taken over with the help of the worm and soon they were used to send hundreds of thousands of questionable advertisements without the owner being aware of this.

It is likely that there’s a virus writer group behind Sobig. They planned the operation, then used the worm to infect a huge number of computers and then sold various spammer groups lists of proxy servers which would be open for spreading spam. It was clearly a business operation.

A great read, and fodder for a novel were it not just the start of a difficult time for the Internet.

Software: Morpheus Drops the Spyware

Apparently not to be outdone by Grokster’s new version, fellow file sharers StreamCast Networks, Inc. have announced a new free version of Morpheus, 3.2, free of spyware and laden “with new features, making file-sharing faster, safer and more secure”. This version is more than 50% smaller in file size than Morpheus 3.1, offers superior global search capabilities, can use your own default media player, reduces traffic by up to half, and so on. It also helps users avoid the snooping of the folks at the RIAA: “users of the new Morpheus 3.2 software can link directly to third party websites that publish ‘blacklists’ of IP addresses, believed by its contributors, to be among those that are used to snoop into the privacy of users. If a user chooses to click on any of these blacklisted IPs, those IP ranges will be blocked from the user’s computer”. It also makes using proxy servers easier, preserving your anonymity.