Bagle Worms Sneak Through Defenses

The two new versions of Bagle, tagged as Bagle.n and Bagle.o, were spotted over the weekend. They use several new tactics to squeeze by anti-virus defenses, among them packaging their payloads in password-protected .rar compressed files.

Unlike earlier editions of Bagle, which tried to circumvent anti-virus software by placing the worm payload into an encrypted .zip archive, the new Bagles may also use a different archive format, .rar, a file type that consumers are unfamiliar with and enterprises may not block at the gateway.

Additionally, Bagle.n and Bagle.o include the password to the .rar and .zip files in the message not as text, but as an embedded graphic, a tactic often used to discourage automated e-mail account creation by spammers or by Web sites to prevent spam bots from harvesting e-mail addresses.

When Bagle first turned to encrypted .zip files to disguise its payloads, anti-virus firms reacted by scanning the message for the in-text password. Shifting to an image of the password may make it tougher for anti-virus programs to unlock the .rar file and examine its contents before deciding whether it includes malicious code.
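The defensive takeaway from the two paragraphs above is that a gateway should not rely on finding the password at all: an archive it cannot open is already grounds for quarantine, and an image riding along with such an archive is a further signal. The following Python script is an added example, not code from the TechWeb story or from any anti-virus vendor. It classifies attachments as RAR (by magic bytes), encrypted ZIP (bit 0 of the general-purpose flag in the central directory) or clear ZIP, and returns a verdict for the message. The messages, the "RAR" bytes and the ZIP archives are constructed for the demo; the "encrypted" ZIP only has its flag bit set, with no real encryption applied, and `assess_message`, `classify_archive` and the other names are the example's own.

```python
"""Gateway-side check for attachments a scanner cannot open (added example)."""
import io
import zipfile
from email.message import EmailMessage

RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5 signature
ZIP_LOCAL_HEADER = b"PK\x03\x04"
UNSCANNABLE = {"rar", "zip-encrypted", "zip-corrupt"}

# Constructed stand-in for a .rar attachment: only the signature is real.
FAKE_RAR = RAR4_MAGIC + b"constructed bytes, not a real archive"


def classify_archive(data: bytes) -> str:
    """Return 'rar', 'zip-encrypted', 'zip-clear', 'zip-corrupt' or 'other'."""
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"  # this gateway has no RAR parser, so it cannot look inside
    if data.startswith(ZIP_LOCAL_HEADER):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # APPNOTE 4.4.4: bit 0 of the general-purpose flag = entry is encrypted
                encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
        except zipfile.BadZipFile:
            return "zip-corrupt"  # truncated or malformed: also cannot be inspected
        return "zip-encrypted" if encrypted else "zip-clear"
    return "other"


def assess_message(msg: EmailMessage) -> dict:
    """Quarantine any message carrying an archive the scanner cannot open;
    note when an image is attached as well (a possible password-in-picture)."""
    findings, has_image = [], False
    for part in msg.iter_attachments():
        if part.get_content_type().startswith("image/"):
            has_image = True
            continue
        kind = classify_archive(part.get_payload(decode=True) or b"")
        if kind in UNSCANNABLE:
            findings.append((part.get_filename() or "<unnamed>", kind))
    if not findings:
        return {"verdict": "deliver", "findings": []}
    reason = "unscannable archive"
    if has_image:
        reason += "; image attached (possible password-in-picture)"
    return {"verdict": "quarantine", "findings": findings, "reason": reason}


def make_zip(simulate_encryption: bool) -> bytes:
    """Build a one-entry ZIP; optionally set the 'encrypted' flag bit only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.exe", b"MZ constructed sample, not a real program")
    data = bytearray(buf.getvalue())
    if simulate_encryption:
        # Flag word sits at offset 6 of the local header (first entry starts at 0)
        # and at offset 8 of the central-directory entry (after its PK\x01\x02).
        data[6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)


def build_sample(archive: bytes, archive_name: str, with_image: bool) -> EmailMessage:
    """Constructed message in the style the story describes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content("Password for the attached archive is in the picture.")
    subtype = "zip" if archive_name.endswith(".zip") else "x-rar-compressed"
    msg.add_attachment(archive, maintype="application", subtype=subtype,
                       filename=archive_name)
    if with_image:
        png_stub = b"\x89PNG\r\n\x1a\n" + b"\0" * 16  # constructed, not a real image
        msg.add_attachment(png_stub, maintype="image", subtype="png",
                           filename="password.png")
    return msg


if __name__ == "__main__":
    print(assess_message(build_sample(make_zip(False), "doc.zip", False)))
    print(assess_message(build_sample(make_zip(True), "doc.zip", True)))
    print(assess_message(build_sample(FAKE_RAR, "doc.rar", False)))
```

The design choice is that the verdict never depends on recovering the password: a RAR the gateway cannot parse, a ZIP with the encryption bit set, and a ZIP that fails to parse all land in the same quarantine bucket, which is exactly the gap the image-password trick was meant to exploit.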

Some security firms, however, said that they've already made adjustments.

"The worm's author is sneakily trying to make it more difficult for anti-virus products to scan inside the password-protected .zip or .rar," said Graham Cluley, senior technology consultant for Sophos, in a statement. "However, Sophos's e-mail gateway products can still intercept and protect against these worms before they reach users' desktops."

The new Bagles may also be harder to eradicate because they randomly attach their code to 32-bit executables on the infected machine's hard drive -- including, for instance, Microsoft Word and Internet Explorer -- and then re-infect a supposedly cleaned system once the executable runs.

Bagle.n and Bagle.o share most of the traits of the now-familiar Bagle worm family, including opening a backdoor port that may be used to drop additional code onto an infected machine, propagating via e-mail -- with a wide variety of subject headings -- and attempting to turn off most security software found on the system.

Anti-virus firms have updated their definition files to detect and destroy the new variants, but the worms are serious enough to have garnered "medium" threat levels across the board.

This story courtesy of TechWeb.