While the outbreak last week of the Bagle.A virus was one of the least troublesome in recent memory, security experts worry that the virus, following in the infamous footsteps of 2003's SoBig worms, is a harbinger of more-sophisticated attacks to come.
Many in the security community say the SoBig family—and possibly Bagle.A—are the work of an organized group of criminals with bigger plans than merely clogging in-boxes and annoying IT staffs. (Bagle.A infected about 19,000 PCs worldwide and fewer than 800 in North America, according to Trend Micro Inc.)
SoBig.F and Bagle.A have the capability to log users' keystrokes, enabling the theft of passwords and other sensitive data, and are programmed to set up proxies on infected machines for the purpose of sending spam.
Experts say these attributes, as well as evidence gathered by law enforcement, indicate that these worms are being used as tools for large-scale identity theft and financial fraud.
"SoBig.F is the one you can point to as the first along these lines," said John Frazzini, vice president of intelligence operations at iDefense Inc., a security intelligence company based in Reston, Va., and a former federal computer crimes investigator. "Bagle is following these same motives and methods. They're being used to further massive financial crimes, trying to achieve a criminal outcome."
Whoever is behind these worms, security insiders say, is using data retrieved from infected machines to commit bank and credit card fraud, perhaps in small increments against thousands and thousands of victims. They also can use the proxies the worms install to send out massive amounts of spam messages. The various fake e-mail messages purporting to come from PayPal, eBay Inc. and a variety of banks asking for passwords and account numbers are being generated by these same proxies, the experts say.