Virus with SOCKS appeal targets corporate PCs

A new variant of Bagle that communicates using ports normally reserved for corporate functions is worrying some experts

A new variant of the Bagle virus incorporates a SOCKS proxy and Web services technology aimed at bypassing corporate firewalls, security experts have warned.

The latest Bagle variant — alias Bagle.b.w (F-Secure) and W32/Bagle.CB@MM (McAfee) — was discovered late last week and, although security companies say it is not spreading very quickly, computers that have been compromised by the worm will not be easy to identify, because the proxy it installs blends in with traffic a corporate gateway already permits.

Adam Biviano, senior systems engineer at Trend Micro Australia and New Zealand, said the latest variants show that the Bagle authors are starting to seriously target corporate users.

"This is starting to prove that these variants are targeting corporate machines as opposed to just home users. Most corporate networks are set up to block your typical Trojan access vectors such as IRC and chatrooms. [This variant] uses Web services and SOCKS, which are typical corporate gateway services that would be allowed to go through firewalls," said Biviano.

On the F-Secure blog, Jarkko Turkulainen, the Finnish antivirus company's binary virus researcher, said the latest Bagle no longer tries to "download Mitglieder trojans for opening up spam proxies on infected computers"; instead, the malware itself "can also act as SOCKS v4/5 proxy, HTTP CONNECT proxy and SMTP relay."

"It is probably easier to take advantage of home users but probably a logical step in the evolution … would be to try and take advantage of corporate computing resources. IT managers are going to have to look at some kind of monitoring on their Web gateways to make sure information isn't being leaked out of the organisation by these applications," said Trend Micro's Biviano.
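The F-Secure description above names three services the variant exposes on an infected PC (SOCKS v4/5 proxy, HTTP CONNECT proxy and SMTP relay), and Biviano's remark calls for monitoring to catch them. As an added example, not code from the article or from any of the vendors quoted, the Python below recognises the opening bytes of each of those handshakes on the wire and flags flows in which a workstation, rather than a gateway, is the side answering them. It goes slightly beyond the article in that it also handles SOCKS4a hostnames and SOCKS5 domain and IPv6 targets. The wire formats are the published SOCKS4/4a, SOCKS5 (RFC 1928) and HTTP CONNECT formats; the workstation subnet, the sample flows, the addresses and the host names are constructed for the example and are assumptions.

```python
import ipaddress
import struct

# Assumed desktop address range for the example; a real monitor would take
# this from the network inventory.
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")


def parse_socks4(payload):
    """SOCKS4/4a request: VN=4 CD DSTPORT(2) DSTIP(4) USERID NUL [HOST NUL]."""
    if len(payload) < 9 or payload[0] != 0x04 or payload[1] not in (1, 2):
        return None
    port, raw_ip = struct.unpack("!H4s", payload[2:8])
    rest = payload[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        return None
    host = str(ipaddress.IPv4Address(raw_ip))
    # SOCKS4a: a 0.0.0.x destination means a hostname follows the user id
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        tail = rest[nul + 1:]
        end = tail.find(b"\x00")
        if end < 0:
            return None
        host = tail[:end].decode("ascii", "replace")
    return {"proto": "socks4", "cmd": "connect" if payload[1] == 1 else "bind",
            "host": host, "port": port}


def parse_socks5(payload):
    """SOCKS5 (RFC 1928): VER=5 NMETHODS METHODS... greeting, or, once a
    method is agreed, VER=5 CMD RSV=0 ATYP DST.ADDR DST.PORT request."""
    if len(payload) < 3 or payload[0] != 0x05:
        return None
    cmds = {1: "connect", 2: "bind", 3: "udp-associate"}
    # A request is at least 10 bytes with RSV=0 and a valid ATYP; a greeting
    # that long would have to offer eight or more auth methods, so this
    # heuristic is safe for anything a real client sends.
    if (len(payload) >= 10 and payload[1] in cmds and payload[2] == 0
            and payload[3] in (1, 3, 4)):
        atyp = payload[3]
        if atyp == 1:
            host, off = str(ipaddress.IPv4Address(payload[4:8])), 8
        elif atyp == 4:
            if len(payload) < 20:
                return None
            host, off = str(ipaddress.IPv6Address(payload[4:20])), 20
        else:
            n = payload[4]
            host, off = payload[5:5 + n].decode("ascii", "replace"), 5 + n
        if len(payload) < off + 2:
            return None
        return {"proto": "socks5", "cmd": cmds[payload[1]], "host": host,
                "port": struct.unpack("!H", payload[off:off + 2])[0]}
    n = payload[1]
    if n == 0 or len(payload) < 2 + n:
        return None
    names = {0: "no-auth", 2: "user/pass"}
    return {"proto": "socks5", "cmd": "greeting",
            "methods": [names.get(m, hex(m)) for m in payload[2:2 + n]]}


def parse_http_connect(payload):
    """HTTP tunnel request: a 'CONNECT host:port HTTP/1.x' request line."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/"):
        return None
    host, _, port = parts[1].rpartition(b":")
    if not host or not port.isdigit():
        return None
    return {"proto": "http-connect", "cmd": "connect",
            "host": host.decode("ascii", "replace"), "port": int(port)}


def parse_smtp(payload):
    """An SMTP client's first bytes are HELO/EHLO; a desktop receiving them
    is accepting mail to relay (the server banner comes from the desktop)."""
    line = payload.split(b"\r\n", 1)[0]
    verb = line[:4].upper()
    if verb in (b"EHLO", b"HELO") and line[4:5] == b" ":
        return {"proto": "smtp", "cmd": verb.decode().lower(),
                "host": line[5:].decode("ascii", "replace").strip()}
    return None


def classify_handshake(payload):
    """Name the proxy protocol in a client's first TCP payload, if any."""
    for parser in (parse_socks4, parse_socks5, parse_http_connect, parse_smtp):
        info = parser(payload)
        if info:
            return info
    return {"proto": "other"}


def audit_flows(flows):
    """flows: (client_ip, server_ip, server_port, first_client_bytes).
    Returns (server_ip, port, handshake) for each flow in which a desktop
    is the side answering a proxy handshake, i.e. behaving as an open proxy."""
    findings = []
    for _client, server, port, payload in flows:
        info = classify_handshake(payload)
        if info["proto"] != "other" and ipaddress.ip_address(server) in WORKSTATIONS:
            findings.append((server, port, info))
    return findings


# Constructed sample flows (not captured traffic): four proxy handshakes
# answered by desktop 10.20.3.44, plus two benign flows for contrast.
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.20.3.44", 1080,            # SOCKS4 CONNECT 203.0.113.10:25
     b"\x04\x01\x00\x19" + bytes([203, 0, 113, 10]) + b"x\x00"),
    ("198.51.100.7", "10.20.3.44", 1080,            # SOCKS5 CONNECT by domain, port 25
     b"\x05\x01\x00\x03\x10mail.example.net\x00\x19"),
    ("198.51.100.9", "10.20.3.44", 8080,            # HTTP CONNECT tunnel to port 25
     b"CONNECT smtp.example.org:25 HTTP/1.1\r\nHost: smtp.example.org:25\r\n\r\n"),
    ("198.51.100.9", "10.20.3.44", 25,              # SMTP client using the desktop as relay
     b"EHLO spammer.example\r\n"),
    ("10.20.3.44", "10.0.0.8", 3128,                # desktop using the corporate proxy: normal
     b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n"),
    ("10.20.3.45", "10.20.3.44", 80,                # plain HTTP to a desktop: not a proxy
     b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for server, port, info in audit_flows(SAMPLE_FLOWS):
        print(f"{server}:{port} answers {info['proto']} {info.get('cmd', '')} "
              f"-> {info.get('host', '')}:{info.get('port', '')}")
```

The point of the workstation check is the asymmetry Biviano describes: a desktop sending CONNECT to the corporate proxy is normal, but a desktop accepting SOCKS, CONNECT or EHLO from anyone is acting as the spam proxy the variant installs, and that is visible from the first payload bytes of the flow regardless of which port it listens on.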

Allan Bell, marketing director for McAfee, described the various weapons that the latest Bagle variant has at its disposal and said the worm won't send copies of itself to email addresses from security organisations "to try and hide itself a little bit longer".

"Bagle traditionally has been used for spamming — it has a spam engine — but it can be remotely controlled and used to download and run other applications. It can disable your antivirus and firewall… it also tries to propagate using P2P [peer-to-peer] by jumping into shared folders," said Bell.

Bell said the latest Bagle is "low risk" and most enterprises are unlikely to see it. However, its relative rarity is also one of the tricks used by malware authors to keep their creations low key, according to Eugene Kaspersky, founder of Kaspersky Labs.

At the AusCERT conference in Australia's Gold Coast earlier this year, Kaspersky said that virus authors are no longer trying to infect as many computers as possible with the same virus.

"Do I need a million computers to send spam? No. To do a DDoS attack, 5,000 or 10,000 PCs is more than enough. That is why virus writers and hackers have changed their tactics of infection — they don't need a global epidemic," said Kaspersky.

Munir Kotadia reported from Sydney for ZDNet Australia.