Three-stage Bagle variants alarm experts

The latest variants of the Bagle worm have alarmed antivirus vendors because of the multi-stage process they use to attack PCs.

The variants, which Computer Associates has given a new name -- Glieder -- because it says they are so different from previous Bagle worms, combine several elements in a way not seen before. In this staged approach, the viruses first seed their victims, then disarm them, and finally exploit them.

"We've seen blended threats before where a virus uses several methods to spread," said Computer Associates Australia security architect Chris Thomas, "but not like this."

The Win32.Glieder worm spreads using a common mass-mailing method, relying on users to click on an attachment so that it e-mails itself on to names in the address book. "This is the beachhead," said Thomas. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware." On 1 June, CA saw eight variants released.

As well as mailing itself on, the mass-mailer downloads a Trojan called Win32.Fantibag to the infected machine, which is designed to block antivirus software updates. It also blocks Microsoft's update site, windowsupdate.microsoft.com, said Thomas. "This stops the machines protecting themselves," he added. "It means that software can't get updates, that victims can't go for help and that effectively infected PC users are isolated."
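
A defender's check for the update-blocking described above, added here as an example and not part of the original article or CA's analysis. It assumes the blocking is done through the Windows hosts file (the article does not say how Fantibag blocks the sites); the antivirus vendor hostname is a placeholder and the hosts-file content is constructed.

```python
import ipaddress

# Update hosts the article says the Fantibag Trojan cuts off. The Microsoft
# hostname is from the article; the antivirus vendor hostname is a placeholder
# for this example (the article names no vendor update server).
WATCHED_HOSTS = {
    "windowsupdate.microsoft.com",
    "liveupdate.example-av.invalid",  # placeholder, not a real vendor host
}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed line, ignore
        addr, names = fields[0], fields[1:]
        for name in names:
            yield addr, name.lower().rstrip(".")

def find_update_blocks(text, watched=WATCHED_HOSTS):
    """Return [(address, hostname, kind)] for watched hosts pinned in the file.

    Any hosts entry for an update server is suspicious, since those names
    should be resolved by DNS. 'sinkhole' marks loopback/unspecified addresses,
    which silently break updates; 'redirect' marks anything else.
    """
    hits = []
    for addr, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            ip = ipaddress.ip_address(addr)
            kind = "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"
        except ValueError:
            kind = "redirect"                 # unparsable address, still flag it
        hits.append((addr, name, kind))
    return hits

# Constructed sample: a clean localhost line plus two tampered entries.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com    # silently blocks Windows Update
0.0.0.0         liveupdate.example-av.invalid
10.0.0.5        intranet.example.invalid
"""

if __name__ == "__main__":
    for addr, name, kind in find_update_blocks(SAMPLE_HOSTS):
        print(f"{kind:8s} {name} -> {addr}")
```

On a real machine the same function can be pointed at the contents of %SystemRoot%\System32\drivers\etc\hosts, with the watched set extended to the update servers of whichever antivirus product is installed.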

The final part of the triumvirate is a second Trojan, called Win32.Mitglieder, which disables firewalls and antivirus software, further lowering the shields, and then hijacks the infected PC for use as part of a botnet. Botnets are groups of networked machines, often numbering in the thousands, that are hired as spam relays, for tracking users' behaviour and for identity theft.

"There is a commodities market for victimised PCs," said Thomas. "Recently we've seen spammers and criminals engaged in fraud paying approximately five cents per machine for compromised PCs."

The latest attack has been very effective. "The stats we have seen show it is still spreading quickly," said Thomas.

Thomas said the virus does not appear to block access to Computer Associates' virus patch update site, but could not offer an explanation as to why this had been missed off the list.

ZDNet UK's Matt Loney reported from London.


Talkback 2 comments

    What operating system does thi ...Anonymous -- 04/06/05

    What operating system does this affect? Microsoft Windows. Why do the writers consistently forget to mention that? "Infects computers" makes it sound like it infects Macs, OS/2 machines, Linux machines, Unix machines - whereby it does not. These viruses infect MICROSOFT WINDOWS based machines. Is Microsoft paying the staff at ZDNet to NOT state that obvious fact?

    The last comment is completely ...Anonymous -- 06/06/05

    The last comment is completely out of order. If Mac had 90% market share then the virus writers would find the flaws in that OS.

    Since most computers out there are Windows, I think failing to state the obvious is not a crime here. I'd love to see how a proprietary giant like Apple would cope if their product was hit as hard and as often as Windows - I bet it'd completely fall apart and Apple would stand there blaming the user for not using AV software or security updates, just like MS do now.
