
Malware

Virus warning: Bagle variant has alarming attack strategy

The worm has turned (into a Glieder)...

Tags: glieder, virus, worm, trojan

By Matt Loney

Published: 3 June 2005 09:35 BST

The latest variants of the Bagle worm have alarmed antivirus vendors because of the multi-stage process they use to attack PCs.

The variants, which Computer Associates (CA) has given a new name - Glieder - because it says they are so different from previous Bagle worms, combine several elements in a way not seen before. In this staged approach, the malware first seeds its victims, then disarms them, and finally exploits them.

Computer Associates Australia security architect Chris Thomas said: "We've seen blended threats before where a virus uses several methods to spread but not like this."

The Win32.Glieder worm spreads using a common mass-mailing method, relying on users to click on an attachment so that it can email itself on to names in the address book. "This is the beachhead," said Thomas. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware." On 1 June, CA saw eight variants released.

As well as mailing itself on, the mass-mailer downloads a Trojan called Win32.Fantibag to the infected machine, which is designed to block antivirus software updates. It also blocks Microsoft's update site, windowsupdate.microsoft.com, said Thomas. "This stops the machines protecting themselves," he added. "It means that software can’t get updates, that victims can't go for help and that effectively infected PC users are isolated."
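The article does not say how Win32.Fantibag blocks the update sites. One common mechanism for this class of behaviour is rewriting the hosts file so that update hostnames resolve to loopback or to an address the attacker controls, and that is the assumption behind the following audit script. It is an added example, not code from the article or from CA: the watched-domain list beyond windowsupdate.microsoft.com, the sample hosts-file content and the function names are all constructed for the illustration.

```python
import ipaddress

# Update hostnames whose resolution should never be overridden locally.
# windowsupdate.microsoft.com is the one the article names; the rest are
# illustrative entries assumed for this example - extend for your own vendors.
WATCHED_DOMAINS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.microsoft.com",
    "liveupdate.symantec.com",
}

# Constructed hosts-file content: the first three lines are what a clean
# Windows hosts file looks like, the rest stand in for what an
# update-blocking Trojan might append.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "127.0.0.1       localhost",
    "::1             localhost",
    "# constructed entries standing in for an update-blocking Trojan",
    "127.0.0.1 windowsupdate.microsoft.com",
    "0.0.0.0   liveupdate.symantec.com",
    "10.0.0.5  download.microsoft.com   # redirected to an attacker host",
    "192.168.1.20 intranet.example.com",
    "127.0.0.1 v4.windowsupdate.microsoft.com",
])


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each effective hosts-file entry.

    Comments (anything after '#') and blank or malformed lines are skipped,
    so the audit sees exactly what the resolver would honour.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address, the resolver ignores it too
        yield line_no, ip, [h.lower().rstrip(".") for h in parts[1:]]


def is_watched(hostname):
    """True if hostname is a watched domain or lies underneath one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return (line_no, hostname, ip, kind) for every override of a watched domain.

    Any local mapping of an update hostname is suspicious; 'sinkholed' marks
    loopback/0.0.0.0 mappings (the machine can no longer reach the site),
    'redirected' marks mappings to some other address (it reaches an
    impostor instead).
    """
    findings = []
    for line_no, ip, hostnames in parse_hosts(text):
        for host in hostnames:
            if not is_watched(host):
                continue
            kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((line_no, host, str(ip), kind))
    return findings


if __name__ == "__main__":
    # On a live Windows machine the text would come from
    # %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for line_no, host, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

Because the check keys on the hostname rather than on the address, it also catches the redirect case, where an update domain is pointed at a live attacker-controlled host rather than simply sinkholed; a blanket "flag anything mapped to 127.0.0.1" rule would miss that.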

The final part of the triumvirate is a second Trojan, called Win32.Mitglieder, which disables firewalls and antivirus software, further lowering the shields, and then hijacks the infected PC for use as part of a botnet. Botnets are groups of networked machines, often numbering in the thousands, which are hired out as spam relays, for tracking users' behaviour and for identity theft.

"There is a commodities market for victimised PCs," said Thomas. "Recently we’ve seen spammers and criminals engaged in fraud paying approximately five cents (3p) per machine for compromised PCs."

The latest attack has been very effective. "The stats we have seen show it is still spreading quickly," said Thomas.

Thomas said the virus does not appear to block access to CA's virus patch update site, but could not offer an explanation as to why this had been missed off the list.

Matt Loney writes for ZDNet UK
