Worm Snares IT in Dangerous Cat and Mouse Game

Download our in-depth report: The Ultimate Guide to IT Security Vendors

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
The author of the virulent Bagle worm is leading anti-virus analysts on a chase that ispummeling corporate IT managers and users with one attack after another.

And each new variant throws just enough new tricks into the mix to confuse users intocontinuously downloading the malicious code.

''Once again, it's a cat and mouse game between the virus writer and the anti-virusvendors,'' says Steve Sundermeier, a vice president with Central Command, an anti-viruscompany based in Medina, Ohio. ''And it's getting really hard to get infected. It's kind ofamazing that it's still happening -- that people are still falling for it.''

Over the past several days, three more variants in the Bagle family have hit the wild.Varaints N, O and P basically have been messing with anti-virus vendors, forcing thevendors to continuously change their detection methods and update their software.

First, the Bagle author was sneaking the malicious code into corporate networks bydisguising it inside ZIP files. Most gateway detection software was just configured to stopincoming executable files -- not ZIP files. In answer to that, anti-virus vendors got theircorporate customers to start monitoring for ZIP files at the gateway, and added in passwordprotection.

To get around that, the Bagle author sent the malicious code in a password-protected ZIPfile, placing the password itself in the body message of the same email. That way, the wormbypassed the gateway filters again.

At this point, the anti-virus vendors began parsing the emails, meaning that the detectionsoftware searched the message body for the password. Once they had the password, theyopened the ZIP file and virus scanned the attachment.

But not to be foiled again, Bagle-P now sends the password in a separate graphic file.Graphic files can't be parsed because there is no text.

''Now we have to block all encrypted files,'' says Sundermeier. ''If you get an encryptedZIP file, that's unusual, so we're just blocking all of them.

But all of this trickery also means that users have to take multiple steps to actually getinfected. A user needs to open the graphic file, find the password and then use it to openthe ZIP file to be infected. And surprisingly enough, it's still happening.

''A user really has to try to infect themselves at this point,'' says Sundermeier, addingthat it's happening all over the globe.

Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-viruscompany, says the new variants are showing a maturation. ''We have started to see that he'smaturing his code, adding encryption and sharing passwords via images,'' he says. ''But itshows no sense of brilliance. He just keeps hammering away.''

Submit a Comment

Loading Comments...