New Bagle shuts down desktop defences


The latest Bagle three-worm wave includes one using a more aggressive twist on an old tactic, US security firms said this week. 

Three Bagle variants have hit the internet since Saturday -- that day's Bagle.ag, Sunday's Bagle.ah, and Monday's Bagle.ai -- but the worst is the most recent, said Patrick Hinojosa, the chief technology officer for Panda Software.

"When we saw [Bagle-ai] appear, it just sort of took off," Hinojosa said. By midday Tuesday in the US, it was the second-most prevalent worm on Panda's real-time list.

Bagle.ai, also known as Bagle.ah, is also a mass-mailing worm that spreads by harvesting addresses from infected machines or through shared folders. It packages its payload as a file attachment, including .zip compressed files, and attempts to contact a slew of German websites.

The latter move is probably intended to notify the attacker of compromised systems, which can be used later as spam proxies or to conduct denial-of-service (DoS) attacks.

However, Hinojosa notes one important difference that he thinks is behind Bagle.ai's success.

"It comes in and takes out a whole list of anti-virus and firewall processes," he said. "This list is larger than earlier [lists], and is so big I can't even count them. Someone really took their time to build this."

The list -- 288 by Symantec's count -- is used by Bagle.ai to terminate memory-resident and active anti-virus and firewall software in an attempt to slip through a computer's defences. "It goes around [defences] by deleting the processes," said Hinojosa. "That's not good."

If a PC is infected with Bagle.ai and the anti-virus software is terminated, that PC is not only open to other attacks but also stops automatically updating its signatures against new threats. So even machines that were protected continue to spread the worm.
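The tactic described above, mass-terminating security processes and silently stalling signature updates, is something a host monitor can flag. As an added example that is not part of the article, the script below diffs successive process-list snapshots and treats several protected processes vanishing at once as a likely kill-list event rather than a normal crash or restart; the process names, threshold and snapshots are constructed sample data.

```python
# Added example, not from the article: detect a Bagle-style process kill list by
# diffing process-list snapshots, plus a check that AV signatures are still fresh.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed list of security processes this host is expected to keep running.
PROTECTED = {"avguard.exe", "avwupsrv.exe", "zonealarm.exe", "mcshield.exe", "pavsrv.exe"}

# A worm's kill list removes many at once; a crash or manual stop removes one.
MASS_KILL_THRESHOLD = 3

@dataclass
class Snapshot:
    taken: datetime
    processes: frozenset

def missing_protected(prev, curr):
    """Protected processes that were running in prev but are absent in curr."""
    return (prev.processes & PROTECTED) - curr.processes

def classify(prev, curr):
    """Return (verdict, missing set) for a pair of consecutive snapshots."""
    gone = missing_protected(prev, curr)
    if not gone:
        return "ok", gone
    if len(gone) >= MASS_KILL_THRESHOLD:
        return "mass_kill", gone    # consistent with a process-termination list
    return "single_loss", gone      # crash, update or manual stop; verify by hand

def signatures_stale(last_update, now, max_age=timedelta(hours=24)):
    """True when signatures have not refreshed within max_age: a killed updater
    means the host stops receiving detections for new threats."""
    return now - last_update > max_age

# Constructed sample: all protected processes running at 09:00, then all but one
# gone five minutes later while ordinary user processes are still present.
t0 = datetime(2004, 7, 20, 9, 0)
snap_before = Snapshot(t0, frozenset(PROTECTED | {"explorer.exe", "outlook.exe"}))
snap_after = Snapshot(t0 + timedelta(minutes=5),
                      frozenset({"explorer.exe", "outlook.exe", "pavsrv.exe"}))
LAST_UPDATE = t0 - timedelta(hours=30)   # constructed: updater silent since yesterday

if __name__ == "__main__":
    verdict, gone = classify(snap_before, snap_after)
    print(verdict, sorted(gone))
    print("signatures stale:", signatures_stale(LAST_UPDATE, snap_after.taken))
```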

Hinojosa said that tactic shrinks the response window of anti-virus firms.

"Even our average response time of 2.2 hours [from detection to coming up with a new signature] is too big a window," he said. "This shrinking of the response window let [Bagle.ai] slip into a larger than usual number of PCs."

Other analysts aren't so sure that Bagle.ai's process termination list is the real problem.

Joe Telafici, director of virus response operations at McAfee, noted that the three most recent Bagles all share the same basic list.

But he agreed that Bagle.ai is particularly nasty. "It's about twice as aggressive as other recent versions. We don't know exactly why, but I suspect it was initially spammed wide enough to catch a bigger audience."

Numbers from other security firms bear that out. MessageLabs, for instance, intercepted 15,000 copies of the worm in a 45-minute period earlier this week, evidence that it was spam-seeded to a large number of users.

Since the source code for Bagle has been made public -- even included in some versions of the worm -- it's hard to tell if the latest outbreaks are from the original author or authors or new hackers just doing a bit of tweaking and fine-tuning.

McAfee's Telafici thinks the three newest Bagles were created by the same individual or group, but wouldn't hazard a guess as to whether it was the original Bagle author.

Panda's Hinojosa went a bit further out on a limb. "What with some of the similarities in the internals, I think it could be some of the same guys [as originally]," he said.

The first Bagle worm appeared in January, spawning more than two dozen variants in a matter of weeks. Then it disappeared. Some experts believe that the break was due to the author or authors lying low after the arrest of a suspect in the Netsky and Sasser worm breakouts.

Hinojosa and others recommended that users update their anti-virus signature files, then do a system scan. Tools are available online for detecting and cleaning PCs of the newest Bagle variations.
