Advertisement
Promo

Security threats Toolkit

Three-stage Bagle variants alarm experts

Matt Loney ZDNet.co.uk

Published: 02 Jun 2005 12:10 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

The latest variants of the Bagle worm have alarmed antivirus vendors because of the multi-stage process they use to attack PCs.

The variants, which Computer Associates has given a new name — Glieder — because it says they are so different from previous Bagle worms, combine several elements in a way not seen before. In this staged approached, viruses seed their victims, then disarm them, and then finally exploit them.

"We've seen blended threats before where a virus uses several methods to spread," said Computer Associates Australia security architect Chris Thomas, "but not like this."

The Win32.Glieder worm spreads using a common mass-mailing method, relying on users to click on an attachment so it email itself on to names in the address book. "This is the beachhead," said Thomas. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware." On 1 June, CA saw eight variants released.

As well as mailing itself on, the mass-mailer downloads a Trojan called Win32.Fantibag to the infected machine, which is designed to block antivirus software updates. It also blocks Microsoft's update site, windowsupdate.microsoft.com, said Thomas. "This stops the machines protecting themselves," he added. "It means that software can’t get updates, that victims can't go for help and that effectively infected PC users are isolated."

The final part of the triumvirate is a second Trojan, called Win32.Mitglieder, which disables firewalls and antivirus software, further lowering the shields, and then hijacks the infected PC for use as part of a botnet. Botnets are groups of networked machines, often numbering in the thousands, that are hired as spam relays, for tracking users' behaviour and for identity theft.

"There is a commodities market for victimised PCs," said Thomas. "Recently we’ve seen spammers and criminals engaged in fraud paying approximately five cents (3p) per machine for compromised PCs."

The latest attack has been very effective. "The stats we have seen show it is still spreading quickly," said Thomas.

Thomas said the virus does not appear to block access to Computer Associates' virus patch update site, but could not offer an explanation as to why this had been missed off the list.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
68 out of 143 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:





Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters