Saturday, May 18, 2024

Worm Snares IT in Dangerous Cat and Mouse Game

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The author of the virulent Bagle worm is leading anti-virus analysts on a chase that is

pummeling corporate IT managers and users with one attack after another.

And each new variant throws just enough new tricks into the mix to confuse users into

continuously downloading the malicious code.

”Once again, it’s a cat and mouse game between the virus writer and the anti-virus

vendors,” says Steve Sundermeier, a vice president with Central Command, an anti-virus

company based in Medina, Ohio. ”And it’s getting really hard to get infected. It’s kind of

amazing that it’s still happening — that people are still falling for it.”

Over the past several days, three more variants in the Bagle family have hit the wild.

Varaints N, O and P basically have been messing with anti-virus vendors, forcing the

vendors to continuously change their detection methods and update their software.

First, the Bagle author was sneaking the malicious code into corporate networks by

disguising it inside ZIP files. Most gateway detection software was just configured to stop

incoming executable files — not ZIP files. In answer to that, anti-virus vendors got their

corporate customers to start monitoring for ZIP files at the gateway, and added in password


To get around that, the Bagle author sent the malicious code in a password-protected ZIP

file, placing the password itself in the body message of the same email. That way, the worm

bypassed the gateway filters again.

At this point, the anti-virus vendors began parsing the emails, meaning that the detection

software searched the message body for the password. Once they had the password, they

opened the ZIP file and virus scanned the attachment.

But not to be foiled again, Bagle-P now sends the password in a separate graphic file.

Graphic files can’t be parsed because there is no text.

”Now we have to block all encrypted files,” says Sundermeier. ”If you get an encrypted

ZIP file, that’s unusual, so we’re just blocking all of them.

But all of this trickery also means that users have to take multiple steps to actually get

infected. A user needs to open the graphic file, find the password and then use it to open

the ZIP file to be infected. And surprisingly enough, it’s still happening.

”A user really has to try to infect themselves at this point,” says Sundermeier, adding

that it’s happening all over the globe.

Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus

company, says the new variants are showing a maturation. ”We have started to see that he’s

maturing his code, adding encryption and sharing passwords via images,” he says. ”But it

shows no sense of brilliance. He just keeps hammering away.”

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles