A handful of smaller worms are loose in the wild, and though they’re not as widespread or
as destructive as some of their malicious counterparts, they’re causing a flurry of problems
around the globe.
Netsky-B and Bagle-B are just two of the worms that have appeared in the past few days,
and while neither is shutting down networks or saturating bandwidth, both are picking up
speed. They’re also a nuisance at a time when IT and security managers are on guard for an
expected Blaster-type worm exploiting the buffer overflow flaw in Microsoft’s Windows ASN.1
implementation, as well as an attack based on Windows 2000 source code that was leaked into
the hacker underground.
“It’s sort of like a pack of dogs nipping at your heels when you’re waiting for the big pit
bull to come and bite you,” says Chris Belthoff, a senior analyst at Lynnfield, Mass.-based
Sophos, Inc., an anti-virus and anti-spam company.
Both Belthoff and Mark Sunner, chief technology officer with New York-based MessageLabs,
Inc., say there’s nothing particularly remarkable about the new slate of worms that have
recently hit the wild. Netsky-B is generating little activity. Bagle-B, even though it can
be filtered out easily at the gateway because it carries an executable attachment, is
causing more trouble.
MessageLabs analysts reported intercepting 95,000 copies of Bagle-B by noon today. The
worm peaked yesterday but is still spreading steadily. At this point, 25 percent of the
infected emails have originated from the United States. Even though it is rated only a
medium-level threat right now, the worm installs a backdoor Trojan, giving an attacker the
ability to use infected machines to relay spam, steal information and so on. It’s another
example of spam and virus threats converging.
“With these new worms, we’re not seeing anything approaching the MyDoom numbers, but it’s a
steady trickle of interceptions,” says MessageLabs’ Sunner, who adds that he believes that
spammers are behind many of the worms, such as MyDoom, that open backdoors and set up
proxies.
According to Sophos, Bagle-B spreads via email and arrives with the subject line ‘ID’
followed by various random characters and the message text ‘Yours ID’. The attached .exe
file has a randomly generated filename. If run, it installs a remote-access component that
lets attackers take control of the infected computer.
The worm harvests email addresses from infected PCs and, when forwarding itself on to other
computer users, spoofs the “From:” field using addresses found on the computer’s hard drive.
Like its predecessor, Bagle-A, this worm has a built-in ‘dead date’ and has been designed
to fall dormant on 25 February 2004.
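Because every Bagle-B message carries a bare .exe attachment, the gateway check Belthoff and Sunner allude to is straightforward. The following is an added example, written for this article and not code from Sophos, MessageLabs or any product: it parses a raw message with Python’s standard email library, quarantines anything with an executable attachment, and separately flags the ‘ID …’ / ‘Yours ID’ lure the article describes. The two sample messages, the extension list and the lure regexes are constructed assumptions for the example; the attachment payloads are inert text, not real executables.

```python
import re
from email import message_from_bytes, policy

# Extensions a mail gateway of the period would quarantine on sight (assumed list).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Bagle-B lure as the article describes it: subject "ID" followed by random
# characters, body text "Yours ID". These regexes are this example's approximation.
SUBJECT_RE = re.compile(r"^\s*ID\b", re.IGNORECASE)
BODY_RE = re.compile(r"\bYours ID\b", re.IGNORECASE)

# Constructed sample resembling a Bagle-B message. The base64 payload decodes to
# the text "not a real program"; it is not an executable.
BAGLE_SAMPLE = b"""From: alice@example.com
To: bob@example.com
Subject: ID 2b8fa1 thanks
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Yours ID 2b8fa1

--b1
Content-Type: application/octet-stream; name="gqxz.exe"
Content-Disposition: attachment; filename="gqxz.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt
--b1--
"""

# Constructed benign sample: a PDF attachment and an unrelated subject line.
BENIGN_SAMPLE = b"""From: carol@example.com
To: bob@example.com
Subject: Invoice for February
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.

--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0x
--b2--
"""


def scan_message(raw: bytes) -> dict:
    """Return a verdict for one raw RFC 822 message.

    Quarantine is driven by the attachment type alone, which is what makes this
    worm easy to stop at the gateway; the lure match is reported separately so
    the same check still fires if the attachment were renamed or wrapped.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")

    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""

    exec_attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXEC_EXTENSIONS:
            exec_attachments.append(name)

    lure_match = bool(SUBJECT_RE.search(subject) and BODY_RE.search(body_text))
    verdict = "quarantine" if (exec_attachments or lure_match) else "deliver"
    return {
        "verdict": verdict,
        "executable_attachments": exec_attachments,
        "bagle_b_lure": lure_match,
    }


if __name__ == "__main__":
    for label, sample in (("bagle", BAGLE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_message(sample))
```

The verdict deliberately does not depend on the From: header, since the worm spoofs it with harvested addresses and the sender is therefore no evidence either way.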
As for Netsky-B, the worm spreads via email, forwarding itself to email addresses found on
the hard drives of infected computers, and via Windows network shares. The worm
searches for directories on the infected machine whose names contain the word ‘share’ or
‘sharing’. It then copies itself into these file-sharing or instant-messaging folders and
replicates itself through them.
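Netsky-B chooses its drop folders by name alone, so a host-side sweep for executables sitting in any directory whose name contains ‘share’ or ‘sharing’ is a quick way to hunt for copies. The following is an added example written for this article, not code from Sophos or any product; the directory layout it builds is a constructed sample, and the extension list is an assumption.

```python
import os
import shutil
import tempfile

# Netsky-B's folder selection as the article describes it.
SHARE_WORDS = ("share", "sharing")
# Extensions a dropped worm copy is likely to carry (assumed list).
DROPPED_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}


def is_share_dir(dirname: str) -> bool:
    """True if a single directory name would attract the worm (case-insensitive)."""
    lower = dirname.lower()
    return any(word in lower for word in SHARE_WORDS)


def find_share_drops(root: str) -> list:
    """Walk root and return root-relative paths of executables inside share-named folders.

    Only the directory that directly contains the file is tested, matching the
    worm's behaviour of copying itself into the matching folder itself.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not is_share_dir(os.path.basename(dirpath)):
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in DROPPED_EXTENSIONS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a throwaway tree (constructed for this example) with two share-named folders."""
    root = tempfile.mkdtemp(prefix="netsky_hunt_")
    layout = {
        "My Shared Folder": ["hot_movie.exe", "notes.txt"],
        os.path.join("kazaa", "Sharing"): ["setup.exe"],
        "Documents": ["report.doc", "tool.exe"],  # not share-named: must not be flagged
    }
    for folder, files in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path, exist_ok=True)
        for filename in files:
            with open(os.path.join(path, filename), "wb") as fh:
                fh.write(b"inert sample content")  # placeholder bytes, not a program
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for hit in find_share_drops(sample_root):
            print("suspicious:", hit)
    finally:
        shutil.rmtree(sample_root)
```

On a real machine, point find_share_drops at each local drive root and compare the hashes of any hits against the vendor’s signature for the worm; a hit list is a lead, not a verdict, since users do legitimately keep installers in shared folders.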
But Central Command’s Steve Sundermeier warns that these worms may just be the prelude to
the big attack.
A chunk of Microsoft source code for Windows 2000 has been leaked to the underground
community, and despite Microsoft’s warnings, analysts say they’re quite certain that
blackhat hackers are studying the code for vulnerabilities that could be used to create a
massive virus.
“There is concern that the underground world will try to find exploits in that source code,”
says Sundermeier. “Once you have the source code, you can see exactly how to exploit that
piece of software. It was just a section of the code, but even just a section can lead to
potentially dangerous vulnerabilities and exploits.”
But there is even more danger that a Blaster-like worm will be built around the critical
flaw in Microsoft’s implementation of the Abstract Syntax Notation 1 (ASN.1) data standard.
Analysts worry that a worm exploiting that flaw could cause major denial-of-service
conditions on unpatched systems.
Microsoft issued a patch with a ‘critical’ rating for the flaw last week.
“There’s a high probability for a virus to be written based on the flaw,” says Belthoff.
“We haven’t seen anything circulating on it yet, but it definitely has great potential.”