Netsky, Bagle Worm Variants Wave Hits; Stretches Security

A wave of worms that started Friday, gained speed over the weekend, and broke ashore on Monday sent security firms flooding customers with alerts and has corporate users scrambling to update their virus definitions.

As of mid-morning Monday, six new variations of the Bagle worm have been spotted -- Bagle.c, Bagle.d., Bagle.e, Bagle.f., Bagle.g, and Bagle.h -- as well as two new version of the pesky Netsky worm, Netsky.d and Netsky.e.

"This is just an unprecedented number of variations," said Vincent Gullotto, vice president of McAfee's AVERT team, the company's virus research arm.

"We've released more emergency alerts to our customers in the first eight weeks of this year than in all of 2003, and I don't see any signs of it slowing."

Ken Dunham, the director of malicious code research at iDefense, seconded the notion. "It's like a tsunami, with all the variants crashing down at once," he said.The eight new worms since Friday all deliver their payloads masked as file attachments to e-mail messages, although their subject headings, message text, and file attachment names and types differ. All, said Gullotto, include a backdoor component that opens up infected machines to further exploitation or attack, and spread by hijacking e-mail addresses from the infected system and using their own SMTP engine to spawn more copies.

Some have been marked as more serious threats than others by various security firms. Symantec, for instance, tagged Bagle.c, Bagle.f, and Bagle.g with a "2" in its 1 through 5 scale, but marked Bagle.e as a "3." (Symantec uses a slightly different nomenclature for the worm, calling it Beagle rather than Bagel.) Network Associates, however, stuck its "Medium" label on Bagle.c, Bagle.c., and Netsky.d, but gave the others a ranking of only "Low."

"The differences are all due to prevalence," said Gullotto in explaining the varying alert levels.

Netsky.d, discovered Monday, seems to among the fastest spreading of the new wave of worms. According to Finnish security firm F-Secure, Netsky.d is accounting for over 43 percent of all virus samples. Sophos, another security firm, noted Monday that Bagle.c is especially prevalent.

Although not spreading as quickly, Bagle.f and Bagle.g are particularly cunning, according to Sophos. Their payloads are tucked within password-protected ZIP files, which means that most virus scanning software can't detect the worm inside the archived file. The e-mail message, however, contains the password -- another trick the worm writers are using to get users to open the attachment.Although opinions are mixed whether some of the variants of, for instance, Bagle, may have been created by the same hacker -- even Gullotto said the indications are yet unclear -- what is certain is that a battle over malware market share continues between hackers.

"It's interesting to note that a variant of NetSky attempts to remove a recent variant of Bagle, Bagle.c. It looks like a turf war out there, with the bad guys fighting over the infected computers," said Dunham.

Hackers are squabbling over the network of infected machines, added Gullotto, because they're all open to other exploits by virtue of the backdoors that worms now plant. "This is not a new trend, it's been highly used for the last two years, but it's simply not been as prevalent as it is now," he said. "Hackers are slowly but surely pushing out more compromised machines."

And that's not good. "It doesn't bode well for the future," said Gullotto, noting that the larger the pool of compromised machines, the more likely hackers and spammers can turn those systems into proxies, or attack with more virulent tools.

Security firms across the board reacted to the worm wave by rushing out updates to their virus definitions, and urging users to update as soon as possible.The wave is dangerous, Gullotto concluded, because it stretches the resources of an enterprise trying to keep up with all the worms and implement new virus definitions. "It's getting a lot tougher keeping up with [new worms] at the corporate level," he said. "Every single worm is difficult, but put them all together..."