
June 2, 2005 7:46 AM PDT

Bagle variants punch, punch and punch again

The latest variants of the Bagle worm have alarmed antivirus companies because of the multiple-stage process they use to attack PCs.

The variants, which Computer Associates International has given a new name--Glieder--because it says they are so different from previous Bagle worms, combine several elements in a way not seen before. In this staged approach, viruses seed their victims, then disarm them, and then finally exploit them.

"We've seen blended threats before where a virus uses several methods to spread, but not like this" said Chris Thomas, a Computer Associates Australia security architect.

The Win32.Glieder worm spreads using a common mass-mailing method, relying on people to click on an attachment so it e-mails itself on to names in the address book. "This is the beachhead," said Thomas. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware." On Tuesday, CA saw eight variants released.

As well as e-mailing itself, the mass-mailer downloads a Trojan called Win32.Fantibag to the infected machine, which is designed to block antivirus software updates. It also blocks Microsoft's update site, windowsupdate.microsoft.com, said Thomas. "This stops the machines (from) protecting themselves," he added. "It means that software can't get updates, that victims can't go for help and that effectively infected PC users are isolated."
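The article says the second-stage Trojan blocks windowsupdate.microsoft.com without saying how. A common way to cut a machine off from update and vendor sites is to pin their hostnames in the local hosts file to loopback or a bogus address, and that is a cheap thing for a defender to check. The following is an added example (not code from CNET or Computer Associates) that assumes hosts-file redirection is the blocking technique; the hostnames other than windowsupdate.microsoft.com, and the sample hosts content, are constructed for illustration.

```python
"""Flag update/antivirus hostnames that a hosts file pins to loopback or a fixed address.

Added example. Assumption: the update-site blocking described in the article is
done via hosts-file entries. Only windowsupdate.microsoft.com comes from the
article; the other watched names are assumed examples of update endpoints.
"""
import ipaddress
import os

# Names that should be resolved through DNS, never pinned statically.
WATCHED_HOSTS = {
    "windowsupdate.microsoft.com",   # named in the article
    "update.microsoft.com",          # assumed example
    "download.windowsupdate.com",    # assumed example
}

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")

# Typical location on Windows; used only when the script is run directly.
WINDOWS_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts"
)

# Constructed sample, not a real capture.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# entries a defender would flag:
127.0.0.1 windowsupdate.microsoft.com
0.0.0.0   update.microsoft.com
10.0.0.5  download.windowsupdate.com
# unrelated entry, not flagged
192.168.1.10 fileserver.corp.example
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an IP address; skip the line
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_HOSTS):
    """Return (hostname, address, reason) for every watched name the file pins.

    Any static mapping of an update host is suspicious: a legitimate hosts file
    has no reason to mention these names at all. Loopback and 0.0.0.0 are the
    classic "black-hole" targets, so they get a more specific reason string.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + w) for w in watched):
            if addr in LOOPBACK_V4 or addr.is_loopback or addr.is_unspecified:
                reason = "redirected to loopback/unspecified address"
            else:
                reason = "statically pinned to %s" % addr
            findings.append((name, str(addr), reason))
    return findings


if __name__ == "__main__":
    # Prefer the real Windows hosts file when present, else fall back to the sample.
    if os.path.exists(WINDOWS_HOSTS_PATH):
        with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for host, addr, why in suspicious_entries(content):
        print("%s -> %s: %s" % (host, addr, why))
```

Run directly, the script reads the Windows hosts file if it exists and otherwise checks the constructed sample, which yields three findings. Extending `WATCHED_HOSTS` with your own antivirus vendor's update hostnames turns this into a quick check that the "isolation" Thomas describes has not been applied to a machine.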

The final part of the triumvirate is a second Trojan, called Win32.Mitglieder, which disables firewalls and antivirus software, further lowering the shields, and then hijacks the infected PC for use as part of a botnet. Botnets are groups of networked machines, often numbering in the thousands, that are hired as spam relays, for tracking users' behavior and for identity theft.

"There is a commodities market for victimized PCs," Thomas said. "Recently we've seen spammers and criminals engaged in fraud, paying approximately five cents per machine for compromised PCs."

The latest attack has been very effective. "The stats we have seen show it is still spreading quickly," said Thomas.

Thomas said the virus does not appear to block access to Computer Associates' virus patch update site, but could not offer an explanation as to why this had been missed off the list.

Matt Loney of ZDNet UK reported from London.

Pathetic: 10 Years Later...
by Stating June 2, 2005 9:04 AM PDT
It is pathetic that 10 years have passed since email entered the mainstream and we are STILL dealing with this virus/worm/malware crud. We've gone from Intel 286 computers with 640K of ram to multi-gigahertz, multi-megabyte systems and the infection problem is bigger than ever. By now we should have artificial intelligence systems providing an impenetrable fortress.

A simple solution to slow the spread of email infection is available, and it's used by large service providers like Yahoo. In order to prevent bot spamming, these systems require that you enter a key into a response box that matches a random fuzzy graphic of a word. Since it requires a human brain to discern what word the random graphic represents, it effectively stops automated responses. If this method were incorporated into all email clients, it would not be possible for the virus/worm to automatically send email to everyone in the victim's address book.
10 Year later and there IS a solution
by June 2, 2005 1:54 PM PDT
Sorry, it has to be said; OS X. While no OS is 100% bullet proof,
no sane individual can conclude that MS deserves the majority of
the blame for this junk happening. Windows and IE are ancient
and are full of holes, bottom line.

With the built-in (systemic) security in UNIX, there is no excuse
to continue with MS's FAILED system. (yes, I know UNIX is
"ancient" as well, but its security advantage over Windows is
unquestionable).

I hate to sound like another "GET A MAC" guy, but these
problems with Windows security are ridiculous.

I feel sorry for folks who have to deal with this.
EDIT...
by June 2, 2005 1:57 PM PDT
I meant to say: "no sane individual can*not* conclude that MS
deserves the majority of the blame for this junk happening."

I also apologize for using a double negative. I'll go to bed now.
Feel sorry for me
by Andrew J Glina June 2, 2005 8:40 PM PDT
I have to put up with you.
10 Years later and the OS wars still continue
by aabcdefghij987654321 June 3, 2005 12:31 PM PDT
And the adherents of whichever OS (today it's the Mac but that's just today) still spew nonsense and garbage as their justification for disliking the dominant OS.
Oh, so what?
by rbannon June 2, 2005 2:11 PM PDT
People just like M$, so I think Mac users should just sit back and
watch, and stop gloating over the fact that they're not affected.
Kind of
by catchall June 2, 2005 3:00 PM PDT
It is not that I like MS, or dislike them. I have a job to do, and say what you will, it can't get done on a Mac. (The guy I replaced tried; after spending way too much and getting way too little, the company axed him)
So they can gloat if they want. I gloat every time I prove you can get more done for less on a PC. Fair is fair.
This could affect OSX too.
by Loco_Man June 2, 2005 6:14 PM PDT
This worm, while it does take advantage of Windows vulnerabilities, still depends on users clicking on attachments. The only way to really prevent it is to not let people install programs, and who would really want a computer like that?

I do agree that OSX and Linux offer an extra layer of security because the user had to use his/her root/admin password to install anything... but not too long ago there was a mass mailing worm that sent itself inside a password protected zip file (antivirus programs can't see inside those without the password)... the password was attached as an image in the email... people had to look at the password, open the zip file, input the 4 or 5 digits numeric password and then run the executable file inside... and lots of people still did and the worm spread quite a bit.
This should have been
by Loco_Man June 2, 2005 8:01 PM PDT
as a response to Dr. Dude's comment above.. :)
I'm not gloating.
by June 3, 2005 7:54 AM PDT
Loco, are you saying that if 90% of users were running OS X and
virus writers made these executable in UNIX, then the problem
would still exist to the extent it does under Windows? Sure,
there will always be people who click on an attachment and give
their admin pw when asked then get infected. But nowhere
near the problem we have today because Windows allows these
things to run without anyone noticing because everyone is an
admin running as root user (or whatever the equivalent is).

I don't mean to gloat, really. I just think more pressure on MS
(who is acting as a huge monopoly and stepping all over its
customers) is in order. People who act as apologists for MS have
their head in the sand.

Computers are utilitarian machines. Due to the lack of attention
paid by MS to security (real, deep down security), the utility of
the majority of these machines is severely diminished. I just
want to see less PC drones and more PC activists.