Home & Office
Bugbear rise knocks out Klez
The Bugbear worm has now surpassed Klez.H as the fastest-spreading virus, and is getting more virulent by the day - but it is bringing an unexpected benefit
The Bugbear worm is shaping up into the most serious Internet threat in months, according to security researchers, as it surpassed the lingering Klez.H to become the fastest-spreading virus of the moment. Antivirus company Symantec on Wednesday upgraded the virus to a danger rating of "4" out of a possible "5".
The rise of Bugbear to the top of the virus charts is partly due to the speed at which it is spreading, but also in part to an unexpected effect that it is having.
Email and security service provider MessageLabs intercepted more than 21,000 copies of the virus on Thursday, compared with nearly 6,000 copies of Klez.H, which has topped the virus charts sporadically since February. This is partly because of Bugbear's rapid rise, but MessageLabs said that in addition Klez activity has suddenly dropped to about a quarter of its usual levels.
"With all the publicity around Bugbear, people are finally getting around to updating their antivirus software, so Klez is suddenly falling," MessageLabs chief technical officer Mark Sunner told ZDNet UK. "Klez has been going forever and ever, and now it's been killed off."
Meanwhile, the company predicted that Bugbear has probably not peaked yet.
Threat of second-wave attacks
Sunner said that the virus' growing presence poses a new threat. Since Bugbear leaves a backdoor program on infected machines, there could now be thousands of computers around the world susceptible to further attacks. "All a hacker has to do is point a browser at that machine and they can get at everything on the hard disk," Sunner said. "Because Bugbear has received so much publicity, all the hackers will be riding onto this. There is a plethora of machines up for grabs." Such vulnerable machines can be used, for example, to overwhelm a company's servers in what is called a distributed denial-of-service attack. Known technically as W32.Bugbear or I-Worm.Tanatos, experts now believe the virus to be a modified version of the earlier Badtrans worm. Besides installing the backdoor, the worm disables various antivirus measures and any personal firewall that might be present, and installs a program for recording keystrokes -- which can log any passwords the user types in. It scours the computer for email addresses, to which it sends infected messages via its own email engine. The virus only affects Windows machines. A flaw in MIME (the multipurpose Internet mail extensions) lets a malicious program attached to an email message execute when the text of the message appears in Outlook. The software problem was patched by Microsoft almost 18 months ago, but some users apparently have not updated their computers. However, even with the patch, if a user clicks on the attachment he can still be infected. Clever social engineering
One of the factors that has made Bugbear spread so quickly is the way it disguises infected messages. Besides the common method of sending a message with a randomly-selected heading and "From" field, the virus can also create a message as a reply or forward of an existing message. "If you're receiving an old email from someone who you know, it's confusing, and you're likely to click on the attachment to find out what's going on," said Sunner. "It's a good social engineering trick." The worm began infecting computers on Sunday, originating in the Asia-Pacific region, according to MessageLabs. That area is still its biggest concentration, and because the company has fewer customers in the region, there are probably many more uncounted viruses. Security experts say that the biggest factor in the continuing danger from Bugbear, Klez.H and other worms is that users aren't bothering to update their virus protection -- and this is particularly true of home users. Protection
Antivirus companies recommend that users download Microsoft's Outlook patch, update their antivirus programs and avoid clicking on mysterious attachments unless the sender confirms it is safe. Eugene Kaspersky, head of Kaspersky Labs, recommends updating antivirus software weekly or daily, treating any email attachments with suspicion and paying attention to warnings from antivirus companies. "If you follow these rules, you will be 90 percent protected," he said in a recent interview with ZDNet UK. For instructions on protecting your computer from Bugbear, see ZDNet UK's Help & HowTo: Bugbear. For antivirus vendor instructions, see Central Command, F-Secure, McAfee, Sophos and Symantec. CNET News.com's Robert Lemos contributed to this report.
Sunner said that the virus' growing presence poses a new threat. Since Bugbear leaves a backdoor program on infected machines, there could now be thousands of computers around the world susceptible to further attacks. "All a hacker has to do is point a browser at that machine and they can get at everything on the hard disk," Sunner said. "Because Bugbear has received so much publicity, all the hackers will be riding onto this. There is a plethora of machines up for grabs." Such vulnerable machines can be used, for example, to overwhelm a company's servers in what is called a distributed denial-of-service attack. Known technically as W32.Bugbear or I-Worm.Tanatos, experts now believe the virus to be a modified version of the earlier Badtrans worm. Besides installing the backdoor, the worm disables various antivirus measures and any personal firewall that might be present, and installs a program for recording keystrokes -- which can log any passwords the user types in. It scours the computer for email addresses, to which it sends infected messages via its own email engine. The virus only affects Windows machines. A flaw in MIME (the multipurpose Internet mail extensions) lets a malicious program attached to an email message execute when the text of the message appears in Outlook. The software problem was patched by Microsoft almost 18 months ago, but some users apparently have not updated their computers. However, even with the patch, if a user clicks on the attachment he can still be infected. Clever social engineering
One of the factors that has made Bugbear spread so quickly is the way it disguises infected messages. Besides the common method of sending a message with a randomly-selected heading and "From" field, the virus can also create a message as a reply or forward of an existing message. "If you're receiving an old email from someone who you know, it's confusing, and you're likely to click on the attachment to find out what's going on," said Sunner. "It's a good social engineering trick." The worm began infecting computers on Sunday, originating in the Asia-Pacific region, according to MessageLabs. That area is still its biggest concentration, and because the company has fewer customers in the region, there are probably many more uncounted viruses. Security experts say that the biggest factor in the continuing danger from Bugbear, Klez.H and other worms is that users aren't bothering to update their virus protection -- and this is particularly true of home users. Protection
Antivirus companies recommend that users download Microsoft's Outlook patch, update their antivirus programs and avoid clicking on mysterious attachments unless the sender confirms it is safe. Eugene Kaspersky, head of Kaspersky Labs, recommends updating antivirus software weekly or daily, treating any email attachments with suspicion and paying attention to warnings from antivirus companies. "If you follow these rules, you will be 90 percent protected," he said in a recent interview with ZDNet UK. For instructions on protecting your computer from Bugbear, see ZDNet UK's Help & HowTo: Bugbear. For antivirus vendor instructions, see Central Command, F-Secure, McAfee, Sophos and Symantec. CNET News.com's Robert Lemos contributed to this report.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.