The author of the virulent Bagle worm is leading anti-virus analysts on a chase that is
pummeling corporate IT managers and users with one attack after another.
And each new variant throws just enough new tricks into the mix to confuse users into
continuously downloading the malicious code.
”Once again, it’s a cat and mouse game between the virus writer and the anti-virus
vendors,” says Steve Sundermeier, a vice president with Central Command, an anti-virus
company based in Medina, Ohio. ”And it’s getting really hard to get infected. It’s kind of
amazing that it’s still happening — that people are still falling for it.”
Over the past several days, three more variants in the Bagle family have hit the wild.
Varaints N, O and P basically have been messing with anti-virus vendors, forcing the
vendors to continuously change their detection methods and update their software.
First, the Bagle author was sneaking the malicious code into corporate networks by
disguising it inside ZIP files. Most gateway detection software was just configured to stop
incoming executable files — not ZIP files. In answer to that, anti-virus vendors got their
corporate customers to start monitoring for ZIP files at the gateway, and added in password
To get around that, the Bagle author sent the malicious code in a password-protected ZIP
file, placing the password itself in the body message of the same email. That way, the worm
bypassed the gateway filters again.
At this point, the anti-virus vendors began parsing the emails, meaning that the detection
software searched the message body for the password. Once they had the password, they
opened the ZIP file and virus scanned the attachment.
But not to be foiled again, Bagle-P now sends the password in a separate graphic file.
Graphic files can’t be parsed because there is no text.
”Now we have to block all encrypted files,” says Sundermeier. ”If you get an encrypted
ZIP file, that’s unusual, so we’re just blocking all of them.
But all of this trickery also means that users have to take multiple steps to actually get
infected. A user needs to open the graphic file, find the password and then use it to open
the ZIP file to be infected. And surprisingly enough, it’s still happening.
”A user really has to try to infect themselves at this point,” says Sundermeier, adding
that it’s happening all over the globe.
Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus
company, says the new variants are showing a maturation. ”We have started to see that he’s
maturing his code, adding encryption and sharing passwords via images,” he says. ”But it
shows no sense of brilliance. He just keeps hammering away.”