Researchers at anti-virus specialist F-Secure, based in Helsinki, Finland, described the attack, dubbed "SpamTool.Win32.Bagle.g," and said it involves a new set of URLs being sent to machines infected with Bagle.
The variant is meant to use the computers to launch waves of spam messages and involves a download link that provides a new, uniquely repacked version of the attempted spam execution every 50 seconds or so, according to F-Secure.
Bagle first emerged over two years ago, and lingers on many thousands of computers today, by most estimates.
The new attack involved at least five different URLs used to distribute the new SpamTool execution, at least four of which have already been shut down, F-Secure said.
Mikko Hypponen, chief research officer for F-Secure, said his company has been in contact with the U.S.-based ISP that is hosting the remaining live site, and indicated that the company has promised to take the URL offline.
Computers infected with Bagle, one of the most sophisticated e-mail-borne attacks launched over the last few years, are basically wide open to such executions. Theres no reason to believe that the emergence of related threats will slow down anytime soon, Hypponen said.
"This by itself is nothing new. Weve seen Bagle do this for a long time, as whenever a virus writer releases a new version they can instantly upgrade all the existing infected machines to the new version," Hypponen said. "One nasty trick built into these types of attacks is the inclusion of many URLs not involved with distributing Bagle to serve as red herrings and throw people off track; its making it very hard for anti-malware companies to shut them down."
Hypponen said the sheer volume of URLs included in such Bagle variants makes it almost impossible for researchers to chase down every site to see if it is a legitimate threat. He said administrators of sites used to cloak the viruses are receiving heavy volume from infected computers looking to download the variants.
While the Bagle virus originally appeared to be fairly straightforward when first detected in January 2004, it has matured into what F-Secure calls an assemblage of modular components, which can be used in different ways to carry out different types of attacks. Some versions merely invade computers in search of fresh e-mail addresses, while others, such as the new SpamTool variant, are used to send out spam or other viruses.
The SpamTool.Win32.Bagle.g threat is attempting to send out two specific spam campaigns and carries a JPG image file meant to infect unprotected computers with the virus, F-Secure said.
"Its like Bagle has a client/server architecture built into its virus code, which leads me to believe that this is being carried out in a very professional manner by people who go to work from 9-to-5 like office workers," Hypponen said. "Its a real game of cat and mouse, as whatever we build they find a way to circumvent, and obviously theyve got some financial incentive to do so."
"Until someone in law enforcement tracks the Bagle gang down, this will continue to be a serious problem," he said.