[THIN] Experts fear worm is first of more-sophisticated attacks on horizon.

  • From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>, <nospam@xxxxxxxxxxxxx>,<thin@xxxxxxxxxxxxx>
  • Date: Tue, 27 Jan 2004 16:13:53 -0500

Bagle-Type Threats on the Rise?
By Dennis Fisher
January 26, 2004
http://www.eweek.com/article2/0,4149,1460179,00.asp
Experts fear worm is first of more-sophisticated attacks on horizon.


While the outbreak last week of the Bagle.A virus was one of the least
troublesome in recent memory, security experts worry that the virus,
following in the infamous footsteps of 2003's SoBig worms, is a
harbinger of more-sophisticated attacks to come.

Many in the security community say the SoBig family, and possibly Bagle.A, are
the work of an organized group of criminals with bigger plans than merely
clogging in-boxes and annoying IT staffs. (Bagle.A infected about 19,000 PCs
worldwide and fewer than 800 in North America, according to Trend Micro
Inc.)

SoBig.F and Bagle.A have the capability to log users' keystrokes, enabling
the theft of passwords and other sensitive data, and are programmed to set
up proxies on infected machines for the purpose of sending spam.

Experts say these attributes, as well as evidence gathered by law
enforcement, indicate that these worms are being used as tools for
large-scale identity theft and financial fraud.

"SoBig.F is the one you can point to as the first along these lines," said
John Frazzini, vice president of intelligence operations at iDefense Inc., a
security intelligence company based in Reston, Va., and a former federal
computer crimes investigator. "Bagle is following these same motives and
methods. They're being used to further massive financial crimes, trying to
achieve a criminal outcome."

Whoever is behind these worms, security insiders say, is using data
retrieved from infected machines to commit bank and credit card fraud,
perhaps in small increments against thousands and thousands of victims. They
also can use the proxies the worms install to send out massive amounts of
spam messages. The various fake e-mail messages purporting to come from
PayPal, eBay Inc. and a variety of banks asking for passwords and account
numbers are being generated by these same proxies, the experts say.

For IT managers, these worms present new difficulties, given that they don't
do any noticeable damage to infected machines but, rather, steal sensitive
corporate passwords and other data. Many of these worms come from spoofed
addresses that are likely familiar to the recipient. Experts recommend that
in addition to blocking executable files at the mail gateway, administrators
encourage their users to confirm any attachment they weren't expecting, even
from people they know.

Administrators can also look for spikes in traffic on unusual ports or
client machines sending large amounts of mail messages.
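The two checks recommended above (client machines sending unusual volumes of mail, and traffic on unusual ports) as an added example, not code from the article: a small Python script run over constructed outbound-connection records. The record format, the port baseline in EXPECTED_PORTS and the site relay address 10.0.0.2 are assumptions made for this example.

```python
from collections import defaultdict

# Constructed outbound-connection records (timestamp src dst dst_port); not a
# real product's log format. 10.0.0.9 fans out SMTP the way a spam proxy would,
# 10.0.0.12 talks on a port no desktop on this segment should use.
SAMPLE_LOG = """\
2004-01-27T09:00:01 10.0.0.5 10.0.0.2 25
2004-01-27T09:00:03 10.0.0.5 192.0.2.10 80
2004-01-27T09:01:10 10.0.0.9 198.51.100.4 25
2004-01-27T09:01:11 10.0.0.9 198.51.100.5 25
2004-01-27T09:01:12 10.0.0.9 198.51.100.6 25
2004-01-27T09:01:13 10.0.0.9 198.51.100.7 25
2004-01-27T09:01:14 10.0.0.9 203.0.113.8 25
2004-01-27T09:02:00 10.0.0.12 203.0.113.9 6777
2004-01-27T09:03:00 10.0.0.5 192.0.2.11 443
"""

EXPECTED_PORTS = {25, 53, 80, 110, 143, 443}  # assumed desktop baseline
MAIL_RELAY = "10.0.0.2"  # assumed site relay; desktops should not bypass it


def parse_records(text):
    """Yield (src, dst, port); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[1], parts[2], int(parts[3])


def find_suspects(text, smtp_threshold=3):
    """Map src -> reasons for hosts relaying mail directly or using odd ports."""
    direct_smtp = defaultdict(set)  # src -> distinct SMTP peers other than relay
    odd_ports = defaultdict(set)    # src -> destination ports outside baseline
    for src, dst, port in parse_records(text):
        if port == 25 and dst != MAIL_RELAY:
            direct_smtp[src].add(dst)
        elif port not in EXPECTED_PORTS:
            odd_ports[src].add(port)
    suspects = defaultdict(list)
    for src, peers in direct_smtp.items():
        if len(peers) >= smtp_threshold:
            suspects[src].append(f"direct SMTP to {len(peers)} hosts, bypassing relay")
    for src, ports in odd_ports.items():
        suspects[src].append(f"unusual outbound ports {sorted(ports)}")
    return dict(suspects)


if __name__ == "__main__":
    for host, reasons in find_suspects(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

A host that hands a few messages to the site relay is normal; one that opens SMTP sessions to many outside hosts, or appears on a port outside the baseline, is worth a closer look.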

Whether or not these worms are being released by traditional organized crime
groups is of less interest to experts than the fact that the worm creators
are learning from their mistakes and becoming more proficient.

"It's certainly interesting to see [Bagle.A] mirror the techniques in SoBig.
It could be that virus writers are using Net users as beta testers before
they build the very big ones. It's very plausible that it's more than just a
set of script kiddies doing this," said Ian Hameroff, eTrust security
strategist at Computer Associates International Inc., in Islandia, N.Y.

"We're still peeling back the layers of the onion, and people still need to
be vigilant that there will be other ones coming. This could be ushering in
a new era of malware," Hameroff said.

As with last year's constant stream of SoBig variants, Hameroff and others
say that new and improved versions of Bagle.A or as-yet-unknown worms are on
the horizon.

"We could be looking at additional attacks and malware of this sort in 2004.
We've seen a trend toward successful worms and attacks," said Ken Dunham,
malicious-code manager at iDefense. "This is really a new wave."
