The Bagle virus is not new. Since its inception in January 2004, about 188 variants have fanned out across the Internet. And although it may not be threatening your desktop or making headlines currently, Bagle is perhaps the most significant new virus to emerge within the last few years, with its authors manipulating its base code to include new and ever more dangerous payloads. Antivirus vendor F-Secure now reports that Bagle.ge and Bagle.gf are packing the means to hide new sorts of nasties inside your computer, and current antivirus software won't necessarily save you.
When deciding how to name a virus, researchers look at the underlying code: how it's written and organised and, sometimes, what it does. If they've seen the structure before, they name it as part of a larger family. In the case of Bagle, what it does has morphed significantly in the last two and a half years, but the underlying code structure has remained the same. That leads researchers to conclude that the variants (lettered a through z, then aa through az, and so on, and which now include families of Bagle-inspired Trojan horses) are all descendants of the same base source code and were probably written by the same group of people. Antivirus vendor Kaspersky offers a detailed Bagle timeline here. But you have to go beyond the letters to understand what's unique about Bagle.
Bagle is really a suite of malicious code. Security vendor CA's Scott Molenkamp and Hamish O'Dea offer a detailed diagram of how the various pieces all fit together. There's a part of the code that's a successful e-mail mass mailer, a part that downloads new content from the Web and a part that captures credit card and password information -- and they all interconnect. But a major part of Bagle's success has been its ability to turn off active antivirus protection; without that, Bagle would not have survived so many successful iterations.
Currently, Bagle's authors are using it to build botnets, which they either sell to others or use to make money for themselves. Presumably, the criminal underground operating Bagle is raking in the money. So it's no longer enough for Bagle to disable active antivirus protection. Now, Bagle's authors want to evade this defence entirely by hiding the program's nastiest components deep inside the Windows system kernel, using what's called a rootkit.
Thank you, Sony
Sony certainly brought rootkits out of the network administrator's dark and scary closet and into the light of public consciousness. Rootkits allow a vendor to hide files from view. Nearly all antivirus companies are currently unable to ferret out rootkits. Not surprisingly, virus writers are starting to experiment with rootkit technology, and the authors of Bagle have a stable, proven base from which to experiment.
Basically, you might find yourself infected with Bagle; your antivirus app will remove the virus from your system, but what it leaves behind could be telegraphing your keystrokes and your personal information onto the Internet -- and you'd have no way of knowing. Big win for virus writers; big loss for you and me.
Protection's on the way
F-Secure offers a product called BlackLight that's specifically designed to find and remove rootkits; Webroot's Spy Sweeper also detects some rootkits associated with spyware. But in the main, few antivirus companies currently offer the ability to detect and remove brand-new rootkits, though most can at least remove those that have already been identified. I haven't yet seen the 2007 line of antivirus products, but I'll wager that the major vendors will all be touting their newfound abilities to detect and remove new rootkits. In the meantime, it's vital that you don't open e-mail attachments (no matter how tempting), keep your antivirus software current and use two-way firewall protection.