A new wave of Bagle variants is pounding the Internet and appears to be
trying to build a zombie army, according to security analysts.
”They’re showing up in mass quantities,” says Steve Sundermeier, a vice
president for Medina, Ohio-based Central Command, an anti-virus and
anti-spam company. ”They’re dangerous… This particular author or
authors is building a Trojan army.”
The Bagle family of worms first hit the Internet back in January of 2004,
and waged battle with the author of the Netsky family during the Worm
Wars. But the flood of Bagle worms had slowed down in recent months…
until a day or two ago when they started coming in fast and furiously.
Wednesday morning alone saw eight different variants hit the Internet,
says Sundermeier. In the past few days, Central Command has added between
20 and 30 anti-virus updates or signatures for Bagle variants. However,
when you add in the updates issued for the Trojans that the worms are
trying to download, then they’ve issued a total of 50 or 60 signatures.
Analysts at Sophos, Inc., an anti-virus and anti-spam company with U.S.
headquarters in Lynnfield, Mass., report that an attack spread across the
Internet between 11 a.m. and 7 p.m. EST yesterday and a new attack began
Wednesday morning at 11 a.m.
The variants are being spammed out to computers around the world in
emails with malicious attachments. They are not mass-mailing worms which
can spread themselves. This is all being done by spam, analysts say. Once
a user clicks on the attachment, which is a zip file named price or
newprice, the worm shuts down key security features, like anti-virus
software and firewalls, and then it attempts to download a Trojan horse.
Ken Dunham, a senior engineer for VeriSign iDefense Inteligence based in
Mountain View, Calif., says the variants are being ”aggressively
seeded” in the wild. He adds that the advantage of spamming the variants
out means they instantly are widespread, increasing the chances of people
opening them and infecting their machines.
Patrick Hinojosa, CTO at Panda Software U.S., an anti-virus and intrusion
prevention company with U.S. headquarters in Glendale, Calif., says he
believes various hackers are using the basic Bagle code to build their
own variants — and they’re all trying to make money off of it.
”This is just the opening salvo,” says Hinojosa. ”Its whole purpose is
to create a zombie army… Spammers need machines to use so their work
isn’t being traced back to them. Phishers need anonymous computers that
can’t be traced back to them.
”They’re creating this army because someone has already placed an order
for these machines or they’re looking to sell these machines to a spammer
or phisher, most likely. We see this far too often these days.”