Page Two

By Dennis Fisher  |  Posted 2004-01-26

For IT managers, these worms present new difficulties, given that they don't do any noticeable damage to infected machines but, rather, steal sensitive corporate passwords and other data. Many of these worms come from spoofed addresses that are likely familiar to the recipient. Experts recommend that in addition to blocking executable files at the mail gateway, administrators encourage their users to confirm any attachment they weren't expecting, even from people they know.

Administrators can also look for spikes in traffic on unusual ports or for client machines sending large numbers of mail messages.
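As an added illustration that is not part of the original article, the two checks described above can be run over connection logs as sketched here. The record layout, addresses, port numbers and thresholds are all constructed assumptions, not values from the article.

```python
from collections import Counter

SMTP_PORT = 25
GATEWAYS = {"10.0.0.5"}  # assumed: the only host approved to send mail out

# Constructed flow records: (minute, source host, destination, destination port).
BASELINE = (
    [(m, "10.0.0.5", "203.0.113.10", 25) for m in range(20)]
    + [(m, "10.0.1.%d" % (m % 4 + 1), "198.51.100.7", 80) for m in range(40)]
    + [(3, "10.0.1.2", "198.51.100.9", 40404)]
)
CURRENT = (
    [(m, "10.0.0.5", "203.0.113.10", 25) for m in range(22)]
    + [(m, "10.0.1.%d" % (m % 4 + 1), "198.51.100.7", 80) for m in range(38)]
    # a workstation contacting many mail servers directly
    + [(m % 10, "10.0.1.3", "192.0.2.%d" % m, 25) for m in range(60)]
    # several clients suddenly talking on a rarely seen port
    + [(m % 10, "10.0.1.%d" % (m % 3 + 1), "198.51.100.9", 40404) for m in range(30)]
)

def mass_mailers(flows, gateways, threshold):
    """Hosts outside the gateway list that open SMTP connections to at
    least `threshold` distinct destinations in the window."""
    dests = {}
    for _minute, src, dst, dport in flows:
        if dport == SMTP_PORT and src not in gateways:
            dests.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}

def port_spikes(baseline, current, factor, min_count):
    """Ports whose connection count is at least `min_count` and at least
    `factor` times the baseline count (unseen ports count as 1)."""
    before = Counter(f[3] for f in baseline)
    now = Counter(f[3] for f in current)
    return {
        port: (before[port], count)
        for port, count in now.items()
        if count >= min_count and count >= factor * max(before[port], 1)
    }

if __name__ == "__main__":
    print("direct mailers:", mass_mailers(CURRENT, GATEWAYS, threshold=20))
    print("port spikes:", port_spikes(BASELINE, CURRENT, factor=5, min_count=10))
```

Counting distinct destinations rather than raw connections keeps a client that talks to one internal relay from being flagged, and the `min_count` floor stops a port seen once and then twice from registering as a spike.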

Whether or not these worms are being released by traditional organized crime groups is of less interest to experts than the fact that the worm creators are learning from their mistakes and becoming more proficient.

"It's certainly interesting to see [Bagle.A] mirror the techniques in SoBig. It could be that virus writers are using Net users as beta testers before they build the very big ones. It's very plausible that it's more than just a set of script kiddies doing this," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc., in Islandia, N.Y.

"We're still peeling back the layers of the onion, and people still need to be vigilant that there will be other ones coming. This could be ushering in a new era of malware," Hameroff said.

As with last year's constant stream of SoBig variants, Hameroff and others say that new and improved versions of Bagle.A or as-yet-unknown worms are on the horizon.

"We could be looking at additional attacks and malware of this sort in 2004. We've seen a trend toward successful worms and attacks," said Ken Dunham, malicious-code manager at iDefense. "This is really a new wave."

