While the outbreak last week of the Bagle.A virus was one of the least troublesome in recent memory, security experts worry that the virus—following in the infamous footsteps of 2003s SoBig worms—is a harbinger of more-sophisticated attacks to come.
Many in the security community say the SoBig family—and possibly Bagle.A—are the work of an organized group of criminals with bigger plans than merely clogging in-boxes and annoying IT staffs. (Bagle.A infected about 19,000 PCs worldwide and fewer than 800 in North America, according to Trend Micro Inc.)
SoBig.F and Bagle.A have the capability to log users keystrokes, enabling the theft of passwords and other sensitive data, and are programmed to set up proxies on infected machines for the purpose of sending spam.
Experts say these attributes, as well as evidence gathered by law enforcement, indicate that these worms are being used as tools for large-scale identity theft and financial fraud.
“SoBig.F is the one you can point to as the first along these lines,” said John Frazzini, vice president of intelligence operations at iDefense Inc., a security intelligence company based in Reston, Va., and a former federal computer crimes investigator. “Bagle is following these same motives and methods. Theyre being used to further massive financial crimes, trying to achieve a criminal outcome.”
Whoever is behind these worms, security insiders say, is using data retrieved from infected machines to commit bank and credit card fraud, perhaps in small increments against thousands and thousands of victims. They also can use the proxies the worms install to send out massive amounts of spam messages. The various fake e-mail messages purporting to come from PayPal, eBay Inc. and a variety of banks asking for passwords and account numbers are being generated by these same proxies, the experts say.
For IT managers, these worms present new difficulties, given that they dont do any noticeable damage to infected machines but, rather, steal sensitive corporate passwords and other data. Many of these worms come from spoofed addresses that are likely familiar to the recipient. Experts recommend that in addition to blocking executable files at the mail gateway, administrators encourage their users to confirm any attachment they werent expecting, even from people they know.
Administrators can also look for spikes in traffic on unusual ports or client machines sending large amounts of mail messages.
Whether or not these worms are being released by traditional organized crime groups is of less interest to experts than the fact that the worm creators are learning from their mistakes and becoming more proficient.
“Its certainly interesting to see [Bagle.A] mirror the techniques in SoBig. It could be that virus writers are using Net users as beta testers before they build the very big ones. Its very plausible that its more than just a set of script kiddies doing this,” said Ian Hameroff, eTrust security strategist at Computer Associates International Inc., in Islandia, N.Y.
“Were still peeling back the layers of the onion, and people still need to be vigilant that there will be other ones coming. This could be ushering in a new era of malware,” Hameroff said.
As with last years constant stream of SoBig variants, Hameroff and others say that new and improved versions of Bagle.A or as-yet-unknown worms are on the horizon.
“We could be looking at additional attacks and malware of this sort in 2004. Weve seen a trend toward successful worms and attacks,” said Ken Dunham, malicious-code manager at iDefense. “This is really a new wave.”