Netsky-B and Bagle-B are just two of the viruses that have come out in the past few days, and while neither is shutting down networks or crowding out bandwidth, both are picking up speed. They're also a nuisance at a time when IT and security managers are on guard for an expected Blaster-type virus exploiting a buffer overflow flaw in Microsoft's Windows, as well as an attack based on Windows 2000 source code that was leaked into the hacker underground.
''It's sort of like a pack of dogs nipping at your heels when you're waiting for the big pit bull to come and bite you,'' says Chris Belthoff, a senior analyst at Lynnfield, Mass.-based Sophos, Inc., an anti-virus and anti-spam company.
Both Belthoff and Mark Sunner, chief technology officer with New York-based MessageLabs, Inc., say there's nothing particularly remarkable about the new slate of worms that have recently hit the wild. Netsky-B is causing little activity. Bagle-B, even though it can be easily filtered out at the gateway because it carries an executable attachment, is causing more trouble.
MessageLabs analysts report intercepting 95,000 copies of Bagle-B by noon today. The virus peaked yesterday but is still spreading steadily. At this point, 25 percent of the infected emails have originated from the United States. Even though it is only a medium-level threat right now, the worm installs a Trojan, so it has the ability to compromise infected machines to send spam, steal information, etc. It's another example of spam and virus threats converging.
''With these new worms, we're not seeing anything approaching the MyDoom numbers, but it's a steady trickle of interceptions,'' says MessageLabs' Sunner, who adds that he believes that spammers are behind many of the worms, such as MyDoom, that open backdoors and set up proxies.
According to Sophos, Bagle-B spreads via email and arrives with the subject line 'ID' followed by various random characters and the message text 'Yours ID'. An attached .exe file has a randomly generated filename. If run, a remote access component allows hackers to gain remote access to infected computers.
The worm harvests email addresses from infected PCs and, when forwarding itself on to other computer users, spoofs the "From:" field using addresses found on the computer's hard drive. Like its predecessor, Bagle-A, this worm has a built-in 'dead date' and has been designed to fall dormant on 25 February 2004.
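As an added illustration of the gateway filtering the analysts mention (example code written for this page, not from Sophos, MessageLabs or the article), the following Python blocks any message carrying an .exe attachment and additionally tags the Bagle-B lure described above; the subject and body indicators come from the article, and the sample messages are constructed.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure indicators taken from the article's description of Bagle-B.
SUBJECT_RE = re.compile(r"^ID\s*[A-Za-z0-9]+$")
BODY_TEXT = "Yours ID"


def exe_attachments(msg):
    """Return the filenames of all .exe attachments (case-insensitive)."""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(".exe")]


def matches_bagle_b_lure(msg):
    """True when subject and body match the Bagle-B lure described above."""
    subject = (msg.get("Subject") or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    return bool(SUBJECT_RE.match(subject)) and text == BODY_TEXT


def classify(raw):
    """Gateway decision for one raw message (bytes): block or deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    exes = exe_attachments(msg)
    if exes and matches_bagle_b_lure(msg):
        return "block: Bagle-B lure with executable " + exes[0]
    if exes:
        return "block: executable attachment " + exes[0]
    return "deliver"


def build(subject, text, attach_name=None):
    """Construct a sample message for testing; the attachment is a dummy
    4-byte blob, not a real binary."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(text)
    if attach_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()
```

The executable-attachment rule alone catches Bagle-B, as the article notes; the lure check only labels the hit so an operator can tell this campaign apart from other executable-bearing mail.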
As for Netsky-B, the worm spreads via email -- forwarding itself to email addresses found on the hard drives of infected computers -- along with Windows network shares. The worm searches for directories on the infected machine that contain the word 'share' or 'sharing'. It then copies itself into these file sharing or instant messaging folders and replicates itself through them.
But Central Command's Steve Sundermeier warns that these worms may just be the prelude to the big attack.
A chunk of Microsoft source code for Windows 2000 has been leaked to the underground community, and despite Microsoft's warnings, analysts say they're quite certain that blackhat hackers are studying the code for vulnerabilities that could be used to create a massive virus.
''There is concern that the underground world try to find exploits in that source code,'' says Sundermeier. ''Once you have the source code, you can see exactly how to exploit that piece of software. It was just a section of the code, but even just a section can lead to potentially dangerous vulnerabilities and exploits.''
But there is even more danger that a Blaster-like virus will be built based on the critical flaw in Microsoft's implementation of the Abstract Syntax Notation 1 (ASN.1) data standard. Analysts worry that a bug based on that flaw could cause major denial-of-service attacks against unpatched systems.
Microsoft issued a patch with a 'critical' rating for the flaw last week.
''There's a high probability for a virus to be written based on the flaw,'' says Belthoff. ''We haven't seen anything circulating on it yet, but it definitely has great potential.''