Asia-Pac security vendors struggle as Bagle slips the net

A new variant of Bagle has sent the worm rocketing back to the top of Asia-Pacific security monitoring lists.
Written by Andrew Colley, Contributor
A new variant of Bagle has sent the worm rocketing back to the top of Asia-Pacific security monitoring lists, with at least one security expert indicating that computer virus detection software may be getting too easy to side-step.

Bagle.AE, which propagates as an e-mail attachment, to date has been the most frequently reported computer menace at Computer Associates' Richmond, Melbourne-based Australasian computer security centre.

It accounted for 30 percent of all malicious software samples processed by CA's analysis lab over the last 24 hours, and the company said it expects the worm to stay at the top its detection list for two days.

Malicious hackers have released around 30 variants of the original Bagle worm since it was first reported to authorities in around January 2004.

Like its self-mailing predecessors, Bagle.AE propagates via e-mail as a file attachment. Its creators uses social engineering methods to entice the unwary to open it and infect their machines. It then re-mails itself to other potential victims.

Computer Associates' senior anti-virus researcher, Jakub Kaminiski said that a member of the Bagle family of worms has always lingered near the top of its detection frequency hit list over the past six months. However, when it comes to explaining why the newest addition has propagated so successfully--even though it's well known to anti-virus companies--he said that it's anyone's guess.

"I think they were lucky," said Kaminski, describing the authors of Bagle.AE.

Kaminski speculated that extensive spamming of the Bagle.AE-infected e-mail attachment may have given the worm a potent boost, or that a quirky dimension to its file name may have led to heavy distribution of the worm on peer-to-peer networks.

However, he left clues that a trade-off between speed and security in modern heuristics-based anti-virus software may have played a role helping Bagle.AE's handlers slip it past security nets.

Unlike older anti-virus software which relied on slow byte-for-byte comparison of code to samples of known viruses contained in signature files, Kaminski explained that, in the interest of speed, modern anti-virus software relies on heuristic rules and procedures to weed out malware.

That means that most anti-virus products don't examine the contents of an attachment to see if anything familiar is inside.

That leaves worm writers with an opportunity disguise the code; tweaking it and packing it using multiple layers of archiving techniques. Once the packaging process has made the file containing the code look sufficiently different to get by the keeper undetected, it's officially a new variant of the malware.

The problem with the Bagle family of worms, said Kaminski, is that some anti-virus heuristics are better at spotting its various guises than others.

"Different products use different methods but quite a few Bagle variants are detected with the same heuristics... it's simply that those methods don't work on all of them," he said.

According to Kaminski, making the heuristic procedures complex enough to break through the layers for a direct view of the code wasn't feasible with current computer processing speeds.

"Do you want to spend heaps of time scanning a file--and detect everything possible underneath this packaging--or do you want to be fast? There is always a balance somewhere in between," said Kaminski.

For now he says the only foolproof method to stop the problem is to block all file attachments on e-mail servers.

However, Kaminski indicated that more direct scanning methods may be possible again in the future.

"The things that we couldn't get implement ten years ago we can implement in the software now so the limit is shifting all the time," he said.

ZDNet Australia's Andrew Colley reports from Sydney.

Editorial standards