Flurry of Worms Hits Companies Already on Guard

A handful of smaller worms are loose in the wild, causing a flurry of problems as security and IT managers gear up for what could be a major virus attack.
Posted February 18, 2004

Sharon Gaudin

A handful of smaller worms are loose in the wild, and though they're not as wide-spread or as destructive as some of their malicious counterparts, they're causing a flurry of problems around the globe.

Netsky-B and Bagle-B are just two of the viruses that have come out in the past few days, and while neither is shutting down networks or crowding out bandwidth, both are picking up speed. They're also a nuisance at a time when IT and security managers are on guard for an expected Blaster-type virus for a buffer overflow flaw in Microsoft's Windows, as well as an attack based on Windows 2000 source code that was leaked into the hacker underground.

''It's sort of like a pack of dogs nipping at your heels when you're waiting for the big pit bull to come and bite you,'' says Chris Belthoff, a senior analyst at Lynnfield, Mass.-based Sophos, Inc., an anti-virus and anti-spam company.

Both Belthoff and Mark Sunner, chief technology officer with New York-based MessageLabs, Inc., say there's nothing particularly remarkable about the new slate of worms that have recently hit the wild. Netsky-B is causing little activity. Bagle-B, even though it can be easily filtered out at the gateway because it carries an executable attachment, is causing more trouble.

MessageLabs analysts reported intercepting 95,000 copies of Bagle-B by noon today. The virus peaked yesterday but is still spreading steadily. At this point, 25 percent of the infected emails have originated from the United States. Even though it is only a medium-level threat right now, the worm installs a Trojan, so it has the ability to compromise infected machines to send spam, steal information, etc. It's another example of spam and virus threats converging.

''With these new worms, we're not seeing anything approaching the MyDoom numbers, but it's a steady trickle of interceptions,'' says MessageLabs' Sunner, who adds that he believes that spammers are behind many of the worms, such as MyDoom, that open backdoors and set up proxies.

According to Sophos, Bagle-B spreads via email and arrives with the subject line 'ID' followed by various random characters and the message text 'Yours ID'. The attached .exe file has a randomly generated filename. If the attachment is run, a remote access component allows hackers to gain remote access to infected computers.

The worm harvests email addresses from infected PCs and, when forwarding itself on to other computer users, spoofs the "From:" field using addresses found on the computer's hard drive. Like its predecessor, Bagle-A, this worm has a built-in 'dead date' and has been designed to fall dormant on 25 February 2004.

As for Netsky-B, the worm spreads via email -- forwarding itself to email addresses found on the hard drives of infected computers -- along with Windows network shares. The worm searches for directories on the infected machine that contain the word 'share' or 'sharing'. It then copies itself into these file sharing or instant messaging folders and replicates itself through them.
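As an added example (not code from the article or from any of the vendors quoted), a small Python gateway check for the Bagle-B traits described above: subject 'ID' plus random characters, body text 'Yours ID', and an .exe attachment with a random name. The sample message is constructed for illustration and its attachment bytes are placeholder text, not a worm.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample in the shape Sophos describes for Bagle-B.
# The base64 payload decodes to the word "PLACEHOLDER", nothing more.
SAMPLE_BAGLE_B = """\
From: spoofed.sender@example.com
To: victim@example.com
Subject: ID 7f3kq2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Yours ID
--XYZ
Content-Type: application/octet-stream; name="a91xz.exe"
Content-Disposition: attachment; filename="a91xz.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--XYZ--
"""

# 'ID' followed by one run of non-space characters and nothing else.
SUBJECT_RE = re.compile(r"^ID\s*\S+$")

def attachment_names(msg: Message) -> list[str]:
    """Filenames of every part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def body_text(msg: Message) -> str:
    """Decoded text of all text/plain parts, joined."""
    out = []
    for p in msg.walk():
        if p.get_content_type() == "text/plain":
            out.append((p.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(out)

def bagle_b_indicators(raw: str) -> list[str]:
    """Return which of the three Bagle-B traits a raw RFC 822 message shows."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    if "yours id" in body_text(msg).lower():
        hits.append("body")
    if any(n.lower().endswith(".exe") for n in attachment_names(msg)):
        hits.append("exe_attachment")
    return hits

def looks_like_bagle_b(raw: str) -> bool:
    """A gateway rule would quarantine only when all three traits are present."""
    return len(bagle_b_indicators(raw)) == 3
```

Requiring all three traits keeps legitimate mail with an 'ID' subject out of quarantine, while the .exe test alone is the blanket filter the analysts say already stops the worm at the gateway.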

But Central Command's Steve Sundermeier warns that these worms may just be the prelude to the big attack.

A chunk of Microsoft source code for Windows 2000 has been leaked to the underground community, and despite Microsoft's warnings, analysts say they're quite certain that blackhat hackers are studying the code for vulnerabilities that could be used to create a massive virus.

''There is concern that the underground world try to find exploits in that source code,'' says Sundermeier. ''Once you have the source code, you can see exactly how to exploit that piece of software. It was just a section of the code, but even just a section can lead to potentially dangerous vulnerabilities and exploits.''

But there is even more danger that a Blaster-like virus will be built based on the critical flaw in Microsoft's implementation of the Abstract Syntax Notation 1 (ASN.1) data standard. Analysts worry that a bug based on that flaw could cause major denial-of-service attacks against unpatched systems.

Microsoft issued a patch with a 'critical' rating for the flaw last week.

''There's a high probability for a virus to be written based on the flaw,'' says Belthoff. ''We haven't seen anything circulating on it yet, but it definitely has great potential.''
