Late at night on February 28, 2005, two versions of the Bagle virus were released onto the Internet. That event, in itself, wasn't too remarkable, given that the source code for the Bagle virus is widely available on the Internet today and we've seen about 50 variations of Bagle since its inception in early 2004. However, the two new variations of Bagle were responsible for spreading four new versions of a Trojan horse. Oddly, these Trojans don't include mechanisms to spread beyond the infected computers, which seems counterintuitive (at first).
Defies viral definition, perhaps
My own definition of a computer virus includes the mention that the malicious code can't spread by itself. To spread, someone has to e-mail the infected code or otherwise share those files with others. Over the last five years, we've grown used to viruses such as I Love You that bundle an automatic mailer inside the infected e-mail attachment. The automatic mailers are little SMTP engines that send out perfect copies of themselves: viral-infected e-mail sent to addresses harvested from infected computers. And we've also grown used to the computer worm, malicious code that by definition exists to move from computer to computer, often scanning the Internet for vulnerable systems to infect. So, how bad is a viral e-mail message with a Trojan horse that can't spread? Plenty bad.
Say, for example, that one of these new Bagle viruses hits company A. The initial virus (the one with the automatic remailer) need hit only one computer inside that company. The infected computer would send nonreproducing copies of the Trojan horse to every computer within the company's network, then stop. In what's called a wave attack, this event would not rise to the level of a full-blown virus panic, as we've seen before, with multiple copies of virus-produced e-mail surging through the system and clogging e-mail servers for hours on end. Rather, this virus would infect many machines quickly, then cease to be a nuisance. This version of Bagle, like previous versions, attempts to turn off antivirus and firewall security. Once the four Bagle-related Trojans are implanted on as many desktops as the virus can infect, they attempt to download some mystery program onto the infected computer from a long list of possible hosts. That list of hosts is itself supplied by yet another compromised computer, the true source. It's the layering of this latest Bagle attack that makes it interesting.
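The wave pattern just described (one internal machine fanning the same attachment out to many colleagues in minutes and then going quiet) is something a mail gateway log can reveal. The following detector is an added example, not code from the column or from any antivirus vendor; the log format and the sample lines are constructed, and the window and recipient thresholds are assumed tuning values.

```python
"""Detect a 'wave attack' in a simplified mail-gateway log: one sender, one
attachment name, many distinct internal recipients inside a short window,
followed by silence from that sender. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp sender recipient attachment), not real traffic.
# pc17 fans one attachment out to 12 colleagues within twelve seconds, then goes
# quiet for the rest of the log; alice and bob send ordinary mail.
_BURST = "\n".join(
    f"2005-03-01T01:40:{10 + i:02d} pc17@corp.example user{i:02d}@corp.example price.zip"
    for i in range(12)
)
SAMPLE_LOG = f"""\
2005-03-01T01:12:03 alice@corp.example bob@corp.example report.doc
{_BURST}
2005-03-01T02:05:44 alice@corp.example carol@corp.example report.doc
2005-03-01T02:30:00 bob@corp.example alice@corp.example notes.txt
"""


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, sender, recipient, attachment)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, attachment = line.split()
        records.append((datetime.fromisoformat(ts), sender, rcpt, attachment))
    return records


def detect_waves(records, window=timedelta(minutes=5), min_recipients=10):
    """Return one finding per (sender, attachment) pair whose distinct recipients
    within any `window` reach `min_recipients`. `quiet_after` records whether the
    sender sent nothing else later in the log, the 'then stop' half of the pattern.
    Thresholds are assumed values; tune them to the site's normal fan-out."""
    by_key = defaultdict(list)   # (sender, attachment) -> [(ts, recipient)]
    last_seen = {}               # sender -> timestamp of their last message
    for ts, sender, rcpt, attachment in records:
        by_key[(sender, attachment)].append((ts, rcpt))
        last_seen[sender] = max(last_seen.get(sender, ts), ts)

    findings = []
    for (sender, attachment), events in by_key.items():
        events.sort()
        start = 0
        in_window = {}           # recipient -> count of their messages inside the window
        best = None              # (distinct recipients, window start, window end)
        for ts, rcpt in events:
            in_window[rcpt] = in_window.get(rcpt, 0) + 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            n = len(in_window)
            if n >= min_recipients and (best is None or n > best[0]):
                best = (n, events[start][0], ts)
        if best:
            n, first, last = best
            findings.append({
                "sender": sender,
                "attachment": attachment,
                "recipients": n,
                "first": first,
                "last": last,
                "quiet_after": last_seen[sender] == last,
            })
    return findings


if __name__ == "__main__":
    for f in detect_waves(parse_log(SAMPLE_LOG)):
        print(f)
```

The sliding window is keyed on sender plus attachment name rather than sender alone, so a busy but legitimate mailing-list host is not flagged unless it pushes the same file to many people at once; the `quiet_after` flag separates the one-shot wave from a classic mass-mailer that keeps surging.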
Shades of Sobig.f
We've seen this two-step process before. In August 2003, the Sobig.f virus spread rapidly to as many computers as it could over a five-day period, then attempted to contact one of 20 compromised computers worldwide at a hard-coded date and hour in order to download additional code. Fortunately, with just hours to spare, several antivirus companies cracked the encrypted code within Sobig.f, revealing the compromised source computers' IP addresses. Worldwide law enforcement was then able to shut down all but two or three computers before the appointed download hour. What we saw downloaded from the remaining, active computers was a link to a porn site, but I think that might have been filler for something else.
The ongoing speculation about Sobig's purpose, and now about Bagle's, is that the virus writers responsible for these viruses were paid to create a platform on the Internet to distribute code (malicious or commercial in nature) to as many computers hooked to the Internet as possible. A spammer could then use these infected computers as an anonymous remailer for his wares. An identity thief could use it to download a keystroke logger and harvest thousands of passwords and active credit card numbers. Or worse, though unlikely, someone could be planning a devastating computer virus that would download to the infected computers and render them unusable.
Fatal flaw
Aside from the requirement that you click the e-mail attachment (which, I hope, no one still does), there remains one weak link in this two-step viral theory: the download source site or sites are hard-coded within the virus, making them easy for law enforcement to find and shut down. With Sobig.f, the data was encrypted; no word yet on whether the new Bagles encrypted their sites, but it seems this time Bagle used a long list of intermediary sites between the infected computers and the true source of the download. Nonetheless, antivirus vendors were able to work directly with the ISP and quickly shut down the source site supplying those intermediary sites. I think we're close to the day when someone figures out a way to obscure the download site information even better.
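The "weak link" above, a download-site list hard-coded into the sample, is exactly what an analyst pulls out first so the sites can be blocked and reported. The script below is an added example, not code from the column or from any antivirus vendor: it extracts plaintext URLs and IPv4 addresses from a constructed byte blob and then brute-forces a single-byte XOR key to recover a second, obfuscated list. The XOR scheme is an assumed placeholder for illustration; the column says only that Sobig.f's list was encrypted and says nothing about the method, and the addresses used are reserved documentation ranges.

```python
"""Pull hard-coded download hosts out of a suspicious binary: plaintext URLs and
IPv4 literals first, then a single-byte XOR sweep for an obfuscated list.
Added example with a constructed sample blob; the XOR scheme is assumed."""
import ipaddress
import re

IPV4_RE = re.compile(rb"(?<![0-9])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9])")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::[0-9]+)?(?:/[A-Za-z0-9._~/\-]*)?")

# Constructed sample "binary" (not a real malware sample): a little junk, a plaintext
# list of two download URLs, then three addresses obfuscated with XOR key 0x5A.
_PLAIN = (b"\x00\x01MZ\x90junk\x00"
          b"http://mirror1.example/dl.php\x00"
          b"http://198.51.100.7:8080/x\x00")
_HIDDEN = b"192.0.2.10\n192.0.2.11\n203.0.113.5\n"
SAMPLE_BINARY = _PLAIN + bytes(b ^ 0x5A for b in _HIDDEN) + b"\x00\xff\xfe"


def extract_ipv4(data):
    """Return sorted, validated dotted-quad addresses found as plain ASCII in data."""
    found = set()
    for m in IPV4_RE.finditer(data):
        try:
            found.add(str(ipaddress.IPv4Address(m.group().decode("ascii"))))
        except ValueError:
            continue  # e.g. an octet above 255; regex alone cannot reject it
    return sorted(found)


def extract_urls(data):
    """Return sorted http/https URLs found as plain ASCII in data."""
    return sorted({m.group().decode("ascii") for m in URL_RE.finditer(data)})


def xor_single_byte_search(data, min_hits=2):
    """Try every single-byte XOR key and return {key: [addresses]} for keys that
    reveal at least `min_hits` valid addresses. Requiring several hits per key
    keeps accidental one-off matches from random bytes out of the report."""
    results = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        ips = extract_ipv4(decoded)
        if len(ips) >= min_hits:
            results[key] = ips
    return results


def report(data):
    """Combine the plaintext and XOR-recovered findings into one blocklist candidate."""
    hidden = xor_single_byte_search(data)
    hosts = set(extract_ipv4(data))
    for ips in hidden.values():
        hosts.update(ips)
    return {
        "urls": extract_urls(data),
        "xor_keys": sorted(hidden),
        "addresses": sorted(hosts),
    }


if __name__ == "__main__":
    print(report(SAMPLE_BINARY))
```

Validating each candidate through `ipaddress.IPv4Address` matters more than the regex: a sweep over 255 keys against a large file throws up plenty of digit-and-dot noise, and the octet range check plus the minimum-hits threshold are what keep the output short enough to hand to an ISP or a firewall administrator.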
Although Bagle attempts to shut down your desktop security, a good antivirus app and firewall are still your best protection (most antivirus and firewall providers have generic signature files in place to stop the latest variations of Bagle). I recommend two products. For an antivirus app with a good firewall, I recommend Trend Micro PC-cillin Internet Security 2005 (note that this product will not work with Firefox, however). The other product I recommend is ZoneAlarm Internet Security 5.5, which includes a great firewall and bundles in the fast and efficient antivirus engine from Computer Associates.
Will virus writers ever get the upper hand, or will antivirus companies be able to keep up? Talk back to me.