New Wave of Bagle Worms Pounds Internet

The author of the variants is building a zombie army to sell to spammers or phishers, according to security analysts.
Posted September 21, 2005

Sharon Gaudin

A new wave of Bagle variants is pounding the Internet and appears to be trying to build a zombie army, according to security analysts.

''They're showing up in mass quantities,'' says Steve Sundermeier, a vice president for Medina, Ohio-based Central Command, an anti-virus and anti-spam company. ''They're dangerous... This particular author or authors is building a Trojan army.''

The Bagle family of worms first hit the Internet in January 2004 and waged battle with the author of the Netsky family during the so-called Worm Wars. The flood of Bagle worms had slowed in recent months, until a day or two ago when new variants started arriving fast and furious.

Wednesday morning alone saw eight different variants hit the Internet, says Sundermeier. In the past few days, Central Command has added between 20 and 30 anti-virus updates or signatures for Bagle variants. However, when you add in the updates issued for the Trojans that the worms are trying to download, then they've issued a total of 50 or 60 signatures.

Analysts at Sophos, Inc., an anti-virus and anti-spam company with U.S. headquarters in Lynnfield, Mass., report that an attack spread across the Internet between 11 a.m. and 7 p.m. EST yesterday and a new attack began Wednesday morning at 11 a.m.

The variants are being spammed out to computers around the world as emails with malicious attachments. These variants are not mass-mailing worms that spread on their own; the distribution is done entirely by spam, analysts say. Once a user opens the attachment, a zip file with a name such as price or newprice, the worm disables key security software, such as anti-virus products and firewalls, and then attempts to download a Trojan horse.
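The distribution pattern described above, a spammed zip archive with a lure name that carries an executable, is something a mail gateway can triage before a user ever clicks. The following is an added example, not code from the article or from any of the vendors quoted: it inspects an attachment by name and by the members inside the archive, and quarantines any zip that carries a Windows executable. The extension list, the verdict names and the in-memory sample archives are assumptions constructed for the example; none of the sample bytes are real malware.

```python
import io
import zipfile

# Extensions Windows will run directly; treated as suspicious inside a mailed
# archive. This list is an assumption for the example, not from the article.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Attachment names the article reports for this wave of variants.
SUSPECT_ARCHIVE_NAMES = {"price.zip", "newprice.zip"}


def executable_members(archive_bytes: bytes) -> list[str]:
    """Return the names of members inside a zip attachment that end in an
    executable extension. Returns [] if the bytes are not a valid zip archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    found = []
    for name in names:
        lower = name.lower()
        # Check the final extension only: "price.txt.exe" still ends in .exe.
        if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            found.append(name)
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one mail attachment.

    'quarantine' when the zip contains an executable member,
    'review' when only the attachment name matches the campaign,
    'allow' otherwise. (Verdict names are an assumption of this example.)"""
    members = executable_members(data)
    name_match = filename.lower() in SUSPECT_ARCHIVE_NAMES
    if members:
        verdict = "quarantine"
    elif name_match:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "filename": filename,
        "name_match": name_match,
        "executable_members": members,
        "verdict": verdict,
    }


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample data: build an in-memory zip from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholders, not real binaries): a lure archive carrying
# an .exe, a lure-named archive holding only a document, a benign archive, and a
# file that uses the lure name but is not a zip at all.
SAMPLES = [
    ("price.zip", build_zip({"price.exe": b"MZ placeholder, not a real binary"})),
    ("newprice.zip", build_zip({"price_list.xls": b"not really a spreadsheet"})),
    ("report.zip", build_zip({"report.pdf": b"%PDF-1.4 placeholder"})),
    ("price.zip", b"this is not a zip archive at all"),
]


def triage_samples() -> list[str]:
    """Verdicts for SAMPLES, in order."""
    return [triage_attachment(name, data)["verdict"] for name, data in SAMPLES]


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(triage_attachment(name, data))
```

The name match alone is deliberately only a "review" signal: attackers rotate lure names between variants, so the durable check is the content rule that an archive arriving by email should not contain something Windows will execute.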

Ken Dunham, a senior engineer for VeriSign iDefense Intelligence, based in Mountain View, Calif., says the variants are being ''aggressively seeded'' in the wild. He adds that spamming the variants out makes them widespread instantly, increasing the chances that people open them and infect their machines.

Patrick Hinojosa, CTO at Panda Software U.S., an anti-virus and intrusion prevention company with U.S. headquarters in Glendale, Calif., says he believes various hackers are using the basic Bagle code to build their own variants -- and they're all trying to make money off of it.

''This is just the opening salvo,'' says Hinojosa. ''Its whole purpose is to create a zombie army... Spammers need machines to use so their work isn't being traced back to them. Phishers need anonymous computers that can't be traced back to them.

''They're creating this army because someone has already placed an order for these machines or they're looking to sell these machines to a spammer or phisher, most likely. We see this far too often these days.''
