ZDNet UK
Bugbear rise knocks out Klez

Matthew Broersma ZDNet.co.uk

Published: 03 Oct 2002 16:05 BST

The Bugbear worm is shaping up into the most serious Internet threat in months, according to security researchers, as it surpassed the lingering Klez.H to become the fastest-spreading virus of the moment. Antivirus company Symantec on Wednesday upgraded the virus to a danger rating of "4" out of a possible "5".

The rise of Bugbear to the top of the virus charts is partly due to the speed at which it is spreading, but also in part to an unexpected effect that it is having.

Email and security service provider MessageLabs intercepted more than 21,000 copies of the virus on Thursday, compared with nearly 6,000 copies of Klez.H, which has topped the virus charts sporadically since February. This is partly because of Bugbear's rapid rise, but MessageLabs said that in addition Klez activity has suddenly dropped to about a quarter of its usual levels.

"With all the publicity around Bugbear, people are finally getting around to updating their antivirus software, so Klez is suddenly falling," MessageLabs chief technical officer Mark Sunner told ZDNet UK. "Klez has been going forever and ever, and now it's been killed off."

Meanwhile, the company predicted that Bugbear has probably not peaked yet.

Threat of second-wave attacks
Sunner said that the virus' growing presence poses a new threat. Since Bugbear leaves a backdoor program on infected machines, there could now be thousands of computers around the world susceptible to further attacks. "All a hacker has to do is point a browser at that machine and they can get at everything on the hard disk," Sunner said. "Because Bugbear has received so much publicity, all the hackers will be riding onto this. There is a plethora of machines up for grabs."

Such vulnerable machines can be used, for example, to overwhelm a company's servers in what is called a distributed denial-of-service attack.

The virus, known technically as W32.Bugbear or I-Worm.Tanatos, is now believed by experts to be a modified version of the earlier Badtrans worm. Besides installing the backdoor, the worm disables various antivirus measures and any personal firewall that might be present, and installs a program for recording keystrokes -- which can log any passwords the user types in. It scours the computer for email addresses, to which it sends infected messages via its own email engine. The virus only affects Windows machines.

A flaw in the handling of MIME (Multipurpose Internet Mail Extensions) attachments lets a malicious program attached to an email message execute as soon as the text of the message is displayed in Outlook, without the user opening the attachment. Microsoft patched the problem almost 18 months ago, but some users apparently have not updated their computers.

However, even with the patch, a user who clicks on the attachment can still be infected.
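As an added illustration (not code from the article or from any vendor named in it), the following Python script applies a mail-gateway style check of the kind that catches messages built the way described above: it flags attachments whose declared MIME media type does not match an executable filename extension, any directly executable attachment (which remains dangerous after the patch if the user opens it), and executable attachments on messages posing as replies or forwards. The media-type list, the extension list and the two sample messages are constructed assumptions for the example, not details taken from the article.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions Windows runs directly when the file is opened (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}

# Media types whose declaration on a non-audio attachment is a classic
# sign of the MIME-header trick (assumed list; the article names no types).
AUDIO_MEDIA_TYPES = {"audio/x-wav", "audio/wav", "audio/x-midi", "audio/midi"}
AUDIO_EXTENSIONS = {".wav", ".mid", ".midi"}


def _extension(filename: str) -> str:
    """Return the lower-cased extension including the dot, or '' if none."""
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def attachment_findings(raw: bytes) -> List[str]:
    """Parse one raw RFC 822 message and return human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    has_executable = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue                      # inline body text, not an attachment
        ext = _extension(filename)
        ctype = part.get_content_type()   # already lower-cased by the parser
        if ext in EXECUTABLE_EXTENSIONS:
            has_executable = True
            findings.append(f"executable attachment {filename!r}")
        if ctype in AUDIO_MEDIA_TYPES and ext not in AUDIO_EXTENSIONS:
            findings.append(f"declared {ctype} but filename is {filename!r}")
    subject = (msg["Subject"] or "").strip().lower()
    if has_executable and subject.startswith(("re:", "fw:", "fwd:")):
        findings.append("executable attached to a message posing as a reply/forward")
    return findings


def _build_sample(subject: str, ctype: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample message in memory (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: one mimics the disguise described in the article,
# the other is an ordinary business attachment.
SUSPICIOUS_MESSAGE = _build_sample("Re: your document", "audio/x-wav", "readme.exe", b"MZ\x90\x00")
BENIGN_MESSAGE = _build_sample("Quarterly report", "application/pdf", "report.pdf", b"%PDF-1.4")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, attachment_findings(raw) or ["no findings"])
```

Run as a script it prints three findings for the disguised message and none for the benign one; at a gateway the same function would be applied to each inbound message and any non-empty result quarantined or held for review.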

Clever social engineering
One of the factors that has made Bugbear spread so quickly is the way it disguises infected messages. Besides the common method of sending a message with a randomly selected subject line and "From" field, the virus can also construct a message as a reply to, or forward of, an existing message found on the infected machine.

"If you're receiving an old email from someone who you know, it's confusing, and you're likely to click on the attachment to find out what's going on," said Sunner. "It's a good social engineering trick."

The worm began infecting computers on Sunday, originating in the Asia-Pacific region, according to MessageLabs. That area still has the biggest concentration of infections, and because the company has fewer customers in the region, there are probably many more infections that go uncounted.

Security experts say that the biggest factor in the continuing danger from Bugbear, Klez.H and other worms is that users aren't bothering to update their virus protection -- and this is particularly true of home users.

Protection
Antivirus companies recommend that users download Microsoft's Outlook patch, update their antivirus programs and avoid clicking on mysterious attachments unless the sender confirms it is safe.

Eugene Kaspersky, head of Kaspersky Labs, recommends updating antivirus software weekly or daily, treating any email attachments with suspicion and paying attention to warnings from antivirus companies. "If you follow these rules, you will be 90 percent protected," he said in a recent interview with ZDNet UK.

For instructions on protecting your computer from Bugbear, see ZDNet UK's Help & HowTo: Bugbear.

For antivirus vendor instructions, see Central Command, F-Secure, McAfee, Sophos and Symantec.

CNET News.com's Robert Lemos contributed to this report.