
For Spammers, Worm Turns a Profit

'Bagle' Attacks Show Growing Cooperation Between Virus Writers, Other Online Criminals

By Brian Krebs
washingtonpost.com Staff Writer
Monday, February 7, 2005; 12:19 PM

For the first two weeks of October 2004, relentless waves of Internet traffic swamped the Web site of Gaithersburg, Md.-based Harta Instruments, one of six companies worldwide that manufacture devices used to detect a virus linked to genital warts and cervical cancer.

John Lee, the company's owner, initially suspected a digital attack bent on destroying his mostly Internet-based business. Lee later learned that the flood of Web traffic came from more than 300,000 computers seeking software updates at his site. The computers had been infected with the latest version of the "Bagle" worm, one of last year's most prolific and insidious Internet viruses.

Quick Tips

Unlike "network" viruses that exploit security holes, e-mail worms like Bagle trick people into opening e-mail attachments that contain the virus. Most worms can fake the "from" address so they appear to come from someone you know. If you receive an e-mail with an attachment that you weren't expecting, think twice before opening it. If the attachment filename ends in ".com," ".cpl," ".exe" or ".scr," it is almost certainly a virus. Most anti-virus software can scan incoming mail for viruses. You could also save the file to your computer and then scan it with anti-virus software.
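The attachment-extension rule above, as an added example that is not from the article: a small Python check that parses a constructed sample e-mail and flags attachments whose names end in the extensions the tip lists. The message and its filenames are made up for illustration.

```python
import email
from email import policy

# Attachment extensions the tip singles out as "almost certainly a virus".
SUSPICIOUS_EXTENSIONS = (".com", ".cpl", ".exe", ".scr")

# Constructed sample message (not a real worm sample): one harmless text
# attachment and one executable attachment whose name uses mixed case.
SAMPLE_RAW = """\
From: friend@example.com
To: you@example.com
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain; charset="us-ascii"

see attached
--xyz
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just notes
--xyz
Content-Type: application/octet-stream; name="photos.EXE"
Content-Disposition: attachment; filename="photos.EXE"
Content-Transfer-Encoding: base64

TVo=
--xyz--
"""

def flagged_attachments(raw_message: str) -> list[str]:
    """Return the filenames of attachments whose extension is on the list."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        # Multipart containers carry no file themselves; only leaf parts do.
        if part.is_multipart():
            continue
        filename = part.get_filename()  # from Content-Disposition or name=
        if not filename:
            continue
        # Compare case-insensitively: "photos.EXE" is as risky as "photos.exe".
        if filename.lower().endswith(SUSPICIOUS_EXTENSIONS):
            flagged.append(filename)
    return flagged

if __name__ == "__main__":
    print(flagged_attachments(SAMPLE_RAW))  # ['photos.EXE']
```

The check is only as good as its extension list; a mail gateway would also scan the attachment's contents rather than trust the filename alone.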

Infected computers tend to operate sluggishly or erratically, though they sometimes show no obvious symptoms. If you are concerned that your computer could have a virus and don't have up-to-date anti-virus software installed, there are several free options:

• Panda Software offers a service that will scan your computer remotely and remove any viruses it finds (works only with Internet Explorer)
• Computer Associates offers a free one-year subscription to its anti-virus product
• McAfee also offers a free tool called "Stinger" that can search for and eliminate numerous pests from your computer

-- By Brian Krebs

The debilitating attacks have ceased now that his Web site is operating under a new name, but Lee still fumes over the incident, which he says cost his company tens of thousands of dollars in lost sales.

"I don't know who was behind all of this, but they need to be caught and then shot," Lee grumbled.

Barring a careless misstep by the virus author or authors, the prospects for any repercussions appear dim. The worm that targeted Lee's site was the 44th version of Bagle unleashed in 2004, a year in which teams of virus writers forged new alliances with junk e-mail artists to convert millions of home PCs into remote-controlled "zombies" used to fuel spam and phishing attacks.

As a result of those alliances, junk e-mail and phishing attacks -- online scams that lure victims into giving up confidential information -- far outnumbered legitimate e-mail communications last year. Roughly three-quarters of all e-mail in 2004 was spam or fraud-related, according to Postini, a Redwood City, Calif.-based anti-spam firm.


Bagle was just one of countless e-mail worms unleashed onto the Internet in 2004, but the attack on Lee's site offered security experts a rare glimpse into the thriving economic and operational ties between Internet criminals and virus writers.

In many ways, the Bagle virus is no different from other e-mail worms: it seizes control of a recipient's PC once the recipient clicks on an e-mail attachment that harbors the virus.

But Bagle also has outpaced its brethren in other areas. It would become one of 2004's most successful "multi-stage" viruses, in that it was designed to lie dormant for several days after infection, then instruct its host to download software updates from a pre-defined list of more than 130 Web sites. Bagle also was the first high-profile worm to disable the protective firewall that Microsoft Corp. enables in all distributions of Service Pack 2, a software security upgrade made available to Windows XP users in August.

Symantec Corp., an Internet security firm based in Cupertino, Calif., intentionally infected some of its computers with the Bagle virus in order to monitor the worm's progress. In a 28-page report published in December, the company found that some of the PCs downloaded software that forced them to forward e-mails used in a pair of elaborate phishing scams targeting customers of SunTrust Banks.


© 2005 TechNews.com