With a little help from a lesser-known piece of malicious software code, the Glieder Trojan, a wave of Bagle computer worm variants spread successfully today, disabling and blocking antivirus and other security software and spreading in spam-like fashion.
Security experts said as many as 15 Bagle variants were spreading in a coordinated attack that included malicious code, or malware, that evades antivirus protection. Although the Glieder Trojans and Bagle worms, which appeared to be working in tandem, required user interaction to infect computers, such efforts have been effective in the past with previous outbreaks of Bagle, MyDoom and other worms.
Today’s attack — which blocked as many as 123 security sites and accessed more than 154 rogue Web sites that facilitated the outbreak — highlighted the growing danger of “wave” attacks that involve an onslaught of slightly different variants.
“With the number of variants, it seems more like a tsunami than a wave,” iDefense director of malicious code Ken Dunham told TechNewsWorld, adding that the wave attacks are a growing trend that began about a year ago.
Dunham — who reported that multiple, minor variants of both Glieder and Bagle were rapidly seeded and spammed on the Internet to start the attack — said the number of variants, number of security sites blocked and number of malicious sites used for the attack indicate it was no simple task.
“They’re clearly very sophisticated and organized in what they’re doing,” he said, referring to the large number of different pieces of code being tested, updated and heavily spammed for the attack.
Catching a Wave
It appeared that the Glieder Trojans — described as “very smart back doors” — were neutralizing computers by disabling antivirus protection, clearing the way for the Bagle variants, which were being spread and controlled through more than 150 remote Web sites.
Dunham said the wave attacks have been on the increase for the last 13 months. Although the threat has been eased by the availability of source code to worms such as MyDoom and Bagle, they still are creating problems for antivirus software and its vendors.
“The value of a wave attack is that it increases the success [of worms],” he said. “If you have many different, minor variants and you catch one, the others won’t necessarily be caught by that [antivirus] signature. This can cause antivirus companies to become overwhelmed and thus slow their response capability.”
Dunham said some of the variants act as decoys and are tested to be recognized by antivirus defenses, while others are tested to evade them.
Future Is Now
MessageLabs senior antivirus researcher Maksym Schipka told TechNewsWorld that the outbreak appeared to be dying down.
He reported that the first copy of the worm was followed by a variant about three hours later. Different versions of the worm followed five hours later, then two hours later, and then again four hours later.
“The amount of copies is pretty noticeable,” Schipka said, referring to 11,240 copies of the worms detected in sample e-mails this morning.
Referring to recent estimates of 130 new viruses per day, Schipka said the onslaught of variants was already affecting some antivirus providers.
“Some smaller companies are already struggling,” he said. “It’s not the future; it’s happening now.”