The variants, which Computer Associates International has given a new name--Glieder--because it says they are so different from previous Bagle worms, combine several elements in a way not seen before. In this staged approach, viruses seed their victims, then disarm them, and then finally exploit them.
"We've seen blended threats before where a virus uses several methods to spread, but not like this" said Chris Thomas, a Computer Associates Australia security architect.
The Win32.Glieder worm spreads using a common mass-mailing method, relying on people to click on an attachment so it e-mails itself on to names in the address book. "This is the beachhead," said Thomas. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware." On Tuesday, CA saw eight variants released.
As well as e-mailing itself, the mass-mailer downloads a Trojan called Win32.Fantibag to the infected machine, which is designed to block antivirus software updates. It also blocks Microsoft's update site, windowsupdate.microsoft.com, said Thomas. "This stops the machines (from) protecting themselves," he added. "It means that software can't get updates, that victims can't go for help and that effectively infected PC users are isolated."
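The article says Fantibag blocks antivirus update sites and windowsupdate.microsoft.com but not how. The script below is an added example, not code from the article or from Computer Associates: it audits a hosts file for entries that would blackhole or redirect update servers, on the assumption (not stated in the article) that the blocking is done by hosts-file poisoning, which is one common way malware isolates a machine from its vendors. Only windowsupdate.microsoft.com comes from the article; the other watched names are illustrative assumptions, and the sample hosts-file content is constructed.

```python
"""Audit a hosts file for entries that cut a PC off from update servers.

Added example, not code from the article or from Computer Associates.
Assumption: the blocking is done through hosts-file entries that map update
host names to the loopback (or another) address; the article does not say how
Fantibag blocks the sites.  Only windowsupdate.microsoft.com comes from the
article; the other watched names are illustrative assumptions.
"""
import ipaddress
import sys
from typing import List, NamedTuple

# Names a clean hosts file has no business defining.
WATCHED_SUFFIXES = (
    "windowsupdate.microsoft.com",   # named in the article
    "update.microsoft.com",          # assumed
    "liveupdate.symantec.com",       # assumed
    "update.nai.com",                # assumed
)


class Finding(NamedTuple):
    line_no: int
    ip: str
    host: str
    kind: str   # "blackhole" = loopback/unspecified address, "redirect" = anything else


def is_watched(host: str) -> bool:
    """True if host equals, or is a subdomain of, one of WATCHED_SUFFIXES."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    """Parse hosts-file text and return every watched name it defines."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()                     # tabs or spaces both occur
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address line; skip it
        kind = "blackhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        for host in fields[1:]:
            if is_watched(host):
                findings.append(Finding(line_no, str(addr), host, kind))
    return findings


# Constructed sample, not a capture from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       windowsupdate.microsoft.com   # update checks now fail silently
127.0.0.1       www.windowsupdate.microsoft.com
0.0.0.0         liveupdate.symantec.com
10.0.0.5        update.nai.com                # sent to an attacker-chosen host
192.168.1.20    printer.lan
"""


if __name__ == "__main__":
    # Usage: python audit_hosts.py [path-to-hosts-file]; with no argument the
    # constructed sample is audited so the script demonstrates itself offline.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        path, text = "<sample>", SAMPLE_HOSTS
    results = audit_hosts(text)
    for f in results:
        print(f"{path}:{f.line_no}: {f.host} -> {f.ip} ({f.kind})")
    if not results:
        print(f"{path}: no update hosts defined")
    sys.exit(1 if results else 0)
```

On a Windows machine the live file is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts. Any hit is worth investigating, since a legitimate hosts file never needs to define a vendor's update host at all, whether it maps it to 127.0.0.1 or to some other address; the script also exits non-zero when it finds something so it can be dropped into a login script or monitoring job.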
The final part of the triumvirate is a second Trojan, called Win32.Mitglieder, which disables firewalls and antivirus software, further lowering the shields, and then hijacks the infected PC for use as part of a botnet. Botnets are groups of networked machines, often numbering in the thousands, that are hired as spam relays, for tracking users' behavior and for identity theft.
"There is a commodities market for victimized PCs," Thomas said. "Recently we've seen spammers and criminals engaged in fraud, paying approximately five cents per machine for compromised PCs."
The latest attack has been very effective. "The stats we have seen show it is still spreading quickly," said Thomas.
Thomas said the virus does not appear to block access to Computer Associates' virus patch update site, but could not offer an explanation as to why this had been missed off the list.
Matt Loney of ZDNet UK reported from London.
A simple solution to slow the spread of email infection is available, and it's used by large service providers like Yahoo. In order to prevent bot spamming, these systems require that you enter a key into a response box that matches a random fuzzy graphic of a word. Since it requires a human brain to discern what word the random graphic represents, it effectively stops automated responses. If this method were incorporated into all email clients, it would not be possible for the virus/worm to automatically send email to everyone in the victim's address book.
no sane individual can conclude that MS deserves the majority of the blame for this junk happening. Windows and IE are ancient and are full of holes, bottom line.
With the built-in (systemic) security in UNIX, there is no excuse to continue with MS's FAILED system. (yes, I know UNIX is "ancient" as well, but its security advantage over Windows is unquestionable).
I hate to sound like another "GET A MAC" guy, but these problems with Windows security are ridiculous.
I feel sorry for folks who have to deal with this.
deserves the majority of the blame for this junk happening."
I also apologize for using a double negative. I'll go to bed now.
watch, and stop gloating over the fact that they're not affected.
So they can gloat if they want. I gloat every time I prove you can get more done for less on a PC. Fair is fair.
- This could affect OSX too.
- by Loco_Man June 2, 2005 6:14 PM PDT
- This worm, while it does take advantage of Windows vulnerabilities, still depends on users clicking on attachments. The only way to really prevent it is to not let people install programs, and who would really want a computer like that?
-
- This should have been
- by Loco_Man June 2, 2005 8:01 PM PDT
- as a response to Dr. Dude's comment above.. :)
-
- I'm not gloating.
- by June 3, 2005 7:54 AM PDT
- Loco, are you saying that if 90% of users were running OS X and virus writers made these executable in UNIX, then the problem would still exist to the extent it does under Windows? Sure, there will always be people who click on an attachment and give their admin pw when asked then get infected. But nowhere near the problem we have today because Windows allows these things to run without anyone noticing because everyone is an admin running as root user (or whatever the equivalent is).
- I don't mean to gloat, really. I just think more pressure on MS (who is acting as a huge monopoly and stepping all over its customers) is in order. People who act as apologists for MS have their head in the sand.
- Computers are utilitarian machines. Due to the lack of attention paid by MS to security (real, deep down security), the utility of the majority of these machines is severely diminished. I just want to see less PC drones and more PC activists.
-
- I do agree that OSX and Linux offer an extra layer of security because the user had to use his/her root/admin password to install anything... but not too long ago there was a mass mailing worm that sent itself inside a password protected zip file (antivirus programs can't see inside those without the password)... the password was attached as an image in the email... people had to look at the password, open the zip file, input the 4- or 5-digit numeric password and then run the executable file inside... and lots of people still did and the worm spread quite a bit.