
Bagle author releases 'dangerous' assembler code

Munir Kotadia ZDNet.co.uk

Published: 05 Jul 2004 13:30 BST


The author of Bagle started distributing two new variants and the mass-mailing worm's source code on Sunday, which could trigger another summer of misery for Windows users

The Bagle worm first appeared in January as an email attachment and within months there were more than 25 variants.

Infected PCs download a Trojan that effectively enlists the machine in the worm author's network of zombie computers, which can be used to distribute spam and other malware and to launch DDoS attacks.

This weekend saw not only two new versions of the Bagle worm released, but also what appears to be the worm's original source code.

Mikko Hyppönen, director of antivirus research at F-Secure, said he believes the source code is genuine. More worrying, he said, is that it is written in pure assembler, which indicates that the author is a serious programmer rather than a script kiddie.

"Most email worms are written in C or partly in C and partly in assembler. There are not that many people that are this good in assembler any more, so it is a serious programmer behind it," said Hyppönen.

Hyppönen said that although assembly language is difficult to master, it will not take an expert to modify existing code and create new Bagle variants, so Windows administrators should expect a busy summer.

"It is trivial to modify things like which port the backdoor is using or what kind of emails it sends. I am sure this will result in a new outbreak of Bagle variants -- like we saw in February and March," Hyppönen said.

Richard Starnes, vice president of security industry group ISSA UK, said the source code is "dangerous" but noted that it could hold clues that will help law enforcement agencies track down the author.

Starnes said that because the source code contains the author's comments -- generally designed to help other people understand what different sections of the code are doing -- it could narrow the list of suspects.

"If you give 10 people a specification for a program, you are going to get 10 different programs. There will be similarities, but they will have different methods of operation -- such as how they name variables, how they code, how they comment on the code. It is not unlike a fingerprint," Starnes said.
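The "fingerprint" Starnes describes is what forensic analysts call source-code stylometry: habits such as comment density, indentation and naming survive from one program to the next. The block below is an added example, not code from the article or from F-Secure, ISSA or any worm author. It extracts three hypothetical style features from constructed assembler snippets (the snippets are made up for illustration and are not Bagle code) and ranks candidate samples by how far their style sits from an unknown sample.

```python
import re
from math import sqrt

# Constructed toy samples standing in for three source files. They are
# illustrative text written for this example, not code from Bagle or any
# real malware. SAMPLE_A and SAMPLE_B share one set of habits (tabs,
# snake_case labels, frequent comments); SAMPLE_C shows a different hand.
SAMPLE_A = """\
; read the backdoor port from config
get_port:
\tmov\teax, [cfg_port]
\tcmp\teax, 0
\tjz\tuse_default    ; fall back if unset
\tret
use_default:
\tmov\teax, 2745
\tret
"""

SAMPLE_B = """\
; build the mail body
build_body:
\tpush\tebx
\tmov\tebx, [body_ptr]
\ttest\tebx, ebx
\tjz\tno_body        ; nothing to send
\tpop\tebx
\tret
no_body:
\txor\teax, eax
\tret
"""

SAMPLE_C = """\
GetPort:
    mov eax, [CfgPort]
    cmp eax, 0
    jz UseDefault
    ret
UseDefault:
    mov eax, 0ABCh
    ret
"""

# A label is an identifier at the start of a line followed by a colon.
LABEL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(;.*)?$")
SNAKE_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def style_features(source: str) -> dict:
    """Return a small stylometric feature vector for one assembler source.

    The three features are hypothetical choices for this example: how often
    the author comments, whether they indent with tabs, and whether labels
    are snake_case. Each value lies in [0.0, 1.0].
    """
    lines = [ln for ln in source.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty source")
    commented = sum(1 for ln in lines if ";" in ln)
    indented = [ln for ln in lines if ln[0] in " \t"]
    tab_indented = sum(1 for ln in indented if ln[0] == "\t")
    labels = [m.group(1) for m in (LABEL_RE.match(ln) for ln in lines) if m]
    snake = sum(1 for name in labels if SNAKE_RE.match(name))
    return {
        "comment_density": commented / len(lines),
        "tab_indent": tab_indented / len(indented) if indented else 0.0,
        "snake_labels": snake / len(labels) if labels else 0.0,
    }


def style_distance(a: dict, b: dict) -> float:
    """Euclidean distance between two feature vectors; 0.0 means identical style."""
    return sqrt(sum((a[k] - b[k]) ** 2 for k in a))


def rank_candidates(unknown: str, candidates: dict) -> list:
    """Order named candidate samples from most to least similar in style."""
    target = style_features(unknown)
    scored = [(name, style_distance(target, style_features(src)))
              for name, src in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1])


if __name__ == "__main__":
    for name, dist in rank_candidates(SAMPLE_A, {"B": SAMPLE_B, "C": SAMPLE_C}):
        print(f"{name}: distance {dist:.3f}")
```

Real attribution work uses far more features (token n-grams, instruction ordering, data-layout habits) and a labelled corpus of known authors, and an author who knows the technique can deliberately mimic someone else's style, so a match like this narrows a suspect list rather than proving authorship.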

However, another reason for releasing the source code could be that the author is trying to weaken the evidence against him or her.

F-Secure's Hyppönen said another theory is that the author is spreading the source code to as many PCs as possible so that if he is arrested, he won't be the only person to have that code on his computer.

The decision to distribute the source code could have been triggered by an announcement on Friday that the UK, US and Australian governments have agreed to work together in the fight against spam distribution.

In January, the source code of MyDoom started spreading a few days after Microsoft and the SCO Group put up a combined $500,000 (£273,030) reward for catching the virus's author.

"This might be a similar tactic. On Friday, the perfect evidence against the author of Bagle was that his computer contained the original source code. Today, that is no longer the case," said Hyppönen.


