Wave after wave of new worm variants are pounding IT managers, as well as anti-virus
vendors, threatening to overwhelm current security measures.
Just as the industry was reeling yesterday from the weekend release of a new Netsky variant
and five new Bagle variants, another two Bagle variants and one more Netsky variant have hit
the Internet. The variants are coming so fast that at least one anti-virus vendor has warned
its users to update their software every hour.
“It’s like a tsunami wave, with all the variants crashing down at once,” says Ken Dunham,
director of malicious code at iDefense, Inc., a security intelligence company
based in Reston, Va. “We’re getting wave after wave of attacks and they’re significant
attacks… It’s a constant deluge. It’s annoying and it’s frustrating and people are getting
tired of it.”
Anti-virus company Panda Software is calling the attacks an “epidemic”.
Netsky-D alone has caused $58.5 million in damages worldwide, according to mi2g, a
London-based security assessment company. And as that variant continues to wreak havoc
across the Internet, Netsky-E has been discovered. The latest variant spreads via email and
network shares, but so far is not causing as much trouble as its predecessors.
“Whoever is behind the Netsky worms is hell bent on causing as much chaos as possible,”
says Graham Cluley, senior technology consultant for Sophos, Inc., a Lynnfield, Mass.-based
anti-virus and anti-spam company. “They have deliberately released new versions of their
virus, tweaked to try and avoid detection by anti-virus software. Computer users should heed
the warning and be wary of any unsolicited email attachment.”
The Bagle family ushered in Bagle-H and Bagle-I yesterday. Bagle-H, which Sophos upgraded
from a low to a medium threat, is an email worm that carries a password-protected Zip file,
which lets it avoid anti-virus detection. When the attachment is opened, the worm opens a
backdoor on Port 2745 and waits for commands from the virus author. Bagle-I follows the same
pattern but has been tweaked to avoid detection by anti-virus software programmed to stop
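The two observable traits the article gives for Bagle-H, a password-protected Zip attachment that scanners cannot open and a backdoor listening on port 2745, are both things a defender can check for without ever extracting the payload. The following script is an added example and not code from the article or from any vendor quoted in it. It assumes a constructed MIME message and constructed firewall log lines in a hypothetical `key=value` format; the Zip encryption check reads bit 0 of each entry's general-purpose flag, which is how the ZIP format marks an encrypted entry.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Port named in the article for the Bagle-H backdoor.
BAGLE_BACKDOOR_PORT = 2745


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry has the ZIP encryption flag (bit 0) set.

    Only the central directory is read; nothing is extracted, so a
    password is never needed to reach a verdict.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def find_encrypted_zip_attachments(raw_message: bytes) -> list:
    """Return filenames of attachments that are password-protected Zip files."""
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        # Local file header signature of a ZIP archive.
        if payload and payload.startswith(b"PK\x03\x04") and zip_has_encrypted_entries(payload):
            findings.append(part.get_filename() or "(unnamed)")
    return findings


def hosts_accepting_backdoor_port(log_text: str, port: int = BAGLE_BACKDOOR_PORT) -> set:
    """Destination hosts that were allowed an inbound TCP connection on `port`.

    Log format is a hypothetical `timestamp key=value ...` line, not a
    real product's format.
    """
    hosts = set()
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("action") == "allow" and fields.get("proto") == "tcp" \
                and fields.get("dport") == str(port):
            hosts.add(fields["dst"])
    return hosts


def _build_zip(encrypted: bool) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted archives,
    so the encryption bit is set by hand in both the local header (flag at
    offset 6) and the central directory entry (flag at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"constructed placeholder, not malware")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(signature) + flag_offset] |= 0x01
    return bytes(data)


def build_sample_message(encrypted: bool) -> bytes:
    """Constructed email carrying a Zip attachment (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "it-manager@example.invalid"
    msg["Subject"] = "Re: document"
    msg.set_content("See attached.")
    msg.add_attachment(_build_zip(encrypted), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


# Constructed firewall log lines; the addresses are documentation ranges.
SAMPLE_FW_LOG = """\
2004-03-02T10:01:05 action=allow proto=tcp src=203.0.113.7 dst=192.0.2.15 dport=2745
2004-03-02T10:01:06 action=allow proto=tcp src=192.0.2.15 dst=198.51.100.9 dport=80
2004-03-02T10:02:11 action=deny proto=tcp src=203.0.113.8 dst=192.0.2.22 dport=2745
2004-03-02T10:02:40 action=allow proto=tcp src=203.0.113.9 dst=192.0.2.31 dport=2745
"""

if __name__ == "__main__":
    print("encrypted zip attachments:", find_encrypted_zip_attachments(build_sample_message(True)))
    print("hosts reached on 2745:", sorted(hosts_accepting_backdoor_port(SAMPLE_FW_LOG)))
```

The attachment check is the kind of policy a mail gateway can apply ahead of signature updates: it does not need to know which Bagle variant is inside, because the encryption flag is visible in the archive structure regardless of how the worm body was tweaked. The port check turns the article's single indicator into a list of internal hosts to look at first.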
“As soon as detection for a new variant is added to anti-virus software, literally, within
a couple of hours we’ll see the slightest modification done to a new variant to avoid
detection,” says Steve Sundermeier, a vice president at Central Command, Inc., an
anti-virus company based in Medina, Ohio. “It’s very apparent to me that there’s a cat and
mouse game going on. With this kind of timing, this has to be a deliberate attack trying to
strain anti-virus companies.”
But while anti-virus companies are struggling to keep up with the deluge of attacks,
corporate IT managers are faced with the same problem. They’re fighting to keep anti-virus
software updated, to keep users from panicking and to keep software patched.
“That strains us, but IT managers have to be on their toes at all times, as well,” says
Sundermeier, who adds that Central Command has told its large customers to update their
anti-virus software every hour, as opposed to once a day or every four to six hours. “This
is a definite strain on the IT field. When you have variants C, D, E, F, G, H, I within a matter
of 72 hours, that’s crazy.”
Dunham of iDefense says he’s concerned that some IT managers simply do not have the time
and capacity to update their anti-virus software that frequently.
“My question is, how reasonable is that?” asks Dunham. “IT managers are having to change
the way they operate. It’s all about how rapidly they can respond to wave after wave of
attack. They’re on the line to be in the know about what’s going on as it’s happening. If
they don’t have up-to-date information, they’re hanging in the wind.”