The miscreants who wrote the Bagle and Netsky worms have been duelling for some time, but the authors of the latest Bagle malware have probably blown away their competition, according to Death2Spam founder Richard Jowsey.
Several versions of Bagle have been released over the past few weeks.
The variants are given different names by antivirus vendors, but Jowsey claims it is plain that Bagle’s authors can produce new versions faster than vendors can update email gateways.
“These things are mutating so bloody fast that we can’t even keep up with the name — which one it is,” he said.
The latest Bagle worms (Bagle.AF, .AG and .AH were all discovered last week) are notable because they give the user no indication that a program has run.
“It doesn’t tell you you’re infected. It’s invisible,” Jowsey said. “This is cunning.”
However, infected machines still allow the virus authors to take control of them to relay spam or launch distributed denial of service attacks, he said. Criminals can use DDoS attacks to extort money from victims such as online casinos, which may be tempted to pay up quietly rather than suffer downtime and publicity.
“Generically, the Bagles are worms which are remote control vectors,” Jowsey said. “It’s definitely Internet-capable, and it’s definitely spam-capable, and it is definitely DDoS-capable.”
Bagle variants disable security software and also remove the Netsky worm if it is found on the machine.
“It’s a part of the ‘worm wars’,” Jowsey said. “Well, these [Bagle] guys will be the winners with this one.”
Jowsey is an “anti-spam crusader” and technical architect at Death2Spam, which uses predictive heuristic technology in its flagship gateway product to identify potential malware before it is delivered.
He claims antivirus gateways that use virus signature files to recognise malicious software aren’t able to keep up with the rapid appearance of variants such as Bagle.AH and .AI.
“It sure isn’t working these days because it’s obsolete technology,” he said. “The real risk is in the daily mutants.”
Bagle also tries to evade antivirus gateways by including two files in its email attachments. Some gateways scan only the first, innocuous, file and never inspect the second, malicious, one.
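The evasion described above depends entirely on how many attachment parts a gateway bothers to decode. The following is an added illustration, not code from the article or from any Death2Spam or antivirus product: it builds a constructed two-attachment message, then contrasts a scanner that looks only at the first attachment with one that walks every decoded leaf part of the MIME tree. The "signature" it matches is a made-up marker, not a real Bagle signature, and the message, filenames and addresses are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed marker standing in for a malware signature. It is NOT a real
# Bagle signature; any bytes would do for the purpose of the demonstration.
BAD_SIGNATURE = b"CONSTRUCTED-MALICIOUS-PAYLOAD"


def build_sample_message() -> bytes:
    """Constructed sample: a harmless first attachment followed by a
    second attachment that carries the marker (Bagle's two-file trick)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: document"
    msg.set_content("See attached.")
    # First attachment: innocuous text. A gateway that stops here sees nothing.
    msg.add_attachment("Just a harmless note.", filename="readme.txt")
    # Second attachment: fake executable containing the marker.
    payload = b"MZ" + BAD_SIGNATURE + b"\x00" * 16
    msg.add_attachment(
        payload,
        maintype="application",
        subtype="octet-stream",
        filename="photo.jpg.exe",
    )
    return msg.as_bytes()


def first_attachment_only(raw: bytes) -> bool:
    """The weak gateway: decodes the first attachment and returns its verdict,
    never looking at anything after it. Returns True if malicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        return BAD_SIGNATURE in data
    return False


def scan_all_parts(raw: bytes) -> list[str]:
    """The correct gateway: walks the whole MIME tree (including nested
    multiparts), decodes every leaf part, and reports each one that matches.
    Returns the filenames (or content types) of the offending parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        data = part.get_payload(decode=True) or b""
        if BAD_SIGNATURE in data:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    raw = build_sample_message()
    print("first-attachment-only verdict:", first_attachment_only(raw))
    print("all-parts scanner hits:", scan_all_parts(raw))
```

The point of walking the tree rather than iterating top-level attachments is that the same gap reappears whenever a gateway trusts a single verdict: a worm can put the benign file first, nest the payload inside a further multipart, or attach a forwarded message/rfc822 part, and only a scanner that decodes every leaf part sees all of them.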
Because Death2Spam was “proactive”, it recognised the new versions of Bagle and blocked them without needing a specially created signature file, Jowsey said.
Virus writers were motivated by greed, he said.
“Following the money, it all points to criminal money in Russia, because it pays big dividends when it comes to bringing down online casinos with a DDoS and extorting money from them,” Jowsey said.
“And the other thing is spam,” he said. “There’s money there.”