Thursday, March 28, 2024

Flurry of Worms Hits Companies Already on Guard


A handful of smaller worms are loose in the wild, and though they’re not as widespread or as destructive as some of their malicious counterparts, they’re causing a flurry of problems around the globe.

Netsky-B and Bagle-B are just two of the viruses that have come out in the past few days, and while neither is shutting down networks or crowding out bandwidth, both are picking up speed. They’re also a nuisance at a time when IT and security managers are on guard for an expected Blaster-type virus targeting a buffer overflow flaw in Microsoft’s Windows, as well as an attack based on Windows 2000 source code that was leaked into the hacker underground.

“It’s sort of like a pack of dogs nipping at your heels when you’re waiting for the big pit bull to come and bite you,” says Chris Belthoff, a senior analyst at Lynnfield, Mass.-based Sophos, Inc., an anti-virus and anti-spam company.

Both Belthoff and Mark Sunner, chief technology officer with New York-based MessageLabs, Inc., say there’s nothing particularly remarkable about the new slate of worms that have recently hit the wild. Netsky-B is causing little activity. Bagle-B, even though it can be easily filtered out at the gateway because it carries an executable attachment, is causing more trouble.

MessageLabs analysts reported intercepting 95,000 copies of Bagle-B by noon today. The virus peaked yesterday but is still spreading steadily. At this point, 25 percent of the infected emails have originated from the United States. Even though it is only a medium-level threat right now, the worm installs a Trojan, so it has the ability to compromise infected machines to send spam, steal information, and so on. It’s another example of spam and virus threats converging.

“With these new worms, we’re not seeing anything approaching the MyDoom numbers, but it’s a steady trickle of interceptions,” says MessageLabs’ Sunner, who adds that he believes that spammers are behind many of the worms, such as MyDoom, that open backdoors and set up proxies.

According to Sophos, Bagle-B spreads via email and arrives with the subject line ‘ID’ followed by various random characters and the message text ‘Yours ID’. An attached .exe file has a randomly generated filename. If run, a remote access component allows hackers to gain remote access to infected computers.

The worm harvests email addresses from infected PCs and, when forwarding itself on to other computer users, spoofs the “From:” field using addresses found on the computer’s hard drive. Like its predecessor, Bagle-A, this worm has a built-in ‘dead date’ and has been designed to fall dormant on 25 February 2004.
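The gateway filtering that Sophos and MessageLabs describe can be expressed as a simple mail classifier. The following is an added example, not code from either vendor or from the article: it parses constructed sample messages and quarantines any message carrying an executable attachment, additionally noting when the subject ‘ID’ plus random characters, the body ‘Yours ID’ and the .exe attachment all line up with the reported Bagle-B pattern. The extension list and the sample messages are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a gateway treats as directly executable (assumed list for this
# example; .exe is the one the article reports for Bagle-B).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}

# Subject 'ID' followed by random characters, body text 'Yours ID',
# as reported by Sophos for Bagle-B.
BAGLE_SUBJECT = re.compile(r"^ID\s*\S+$")
BAGLE_BODY = re.compile(r"^\s*Yours ID\s*$")


def classify(raw: bytes) -> dict:
    """Return a quarantine verdict and reasons for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    exe_names = [
        (p.get_filename() or "").lower()
        for p in msg.iter_attachments()
        if any((p.get_filename() or "").lower().endswith(e) for e in EXECUTABLE_EXTS)
    ]
    if exe_names:  # the blunt rule: executables do not pass the gateway at all
        reasons.append("executable attachment: " + ", ".join(exe_names))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if exe_names and BAGLE_SUBJECT.match(msg.get("Subject", "")) and BAGLE_BODY.match(body):
        reasons.append("matches reported Bagle-B subject/body pattern")
    return {"quarantine": bool(reasons), "reasons": reasons}


def build(subject: str, body: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample message with one attachment (test data, not a capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.test"  # Bagle-B spoofs this from harvested addresses
    m["To"] = "victim@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one mimicking the reported Bagle-B shape, one benign.
SAMPLE_WORM = build("ID 4f9k2q", "Yours ID", "gzx7p.exe", b"MZ placeholder")
SAMPLE_OK = build("Q1 report", "Numbers attached.", "q1.pdf", b"%PDF-1.4 placeholder")
```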

As for Netsky-B, the worm spreads via email, forwarding itself to email addresses found on the hard drives of infected computers, and via Windows network shares. The worm searches for directories on the infected machine that contain the word ‘share’ or ‘sharing’. It then copies itself into these file sharing or instant messaging folders and replicates itself through them.

But Central Command’s Steve Sundermeier warns that these worms may just be the prelude to the big attack.

A chunk of Microsoft source code for Windows 2000 has been leaked to the underground community, and despite Microsoft’s warnings, analysts say they’re quite certain that blackhat hackers are studying the code for vulnerabilities that could be used to create a massive virus.

“There is concern that the underground world will try to find exploits in that source code,” says Sundermeier. “Once you have the source code, you can see exactly how to exploit that piece of software. It was just a section of the code, but even just a section can lead to potentially dangerous vulnerabilities and exploits.”

But there is even more danger that a Blaster-like virus will be built based on the critical flaw in Microsoft’s implementation of the Abstract Syntax Notation 1 (ASN.1) data standard. Analysts worry that a bug based on that flaw could cause major denial-of-service attacks against unpatched systems.

Microsoft issued a patch with a ‘critical’ rating for the flaw last week.

“There’s a high probability for a virus to be written based on the flaw,” says Belthoff. “We haven’t seen anything circulating on it yet, but it definitely has great potential.”
