A one-two-three assault of disparate spammer and hacker groups in the last 24 hours bodes nothing but ill for users, a security expert says.

Gregg Keizer, Contributor

June 2, 2005

3 Min Read

A one-two-three assault of disparate spammer and hacker groups in the last 24 hours bodes nothing but ill for users, a security expert said Thursday.

The attack, which involves a new combination of malicious code, shows evidence of "tactical coordination that is unprecedented," said Sam Curry, vice president of Computer Associates' eTrust security group.

Unlike blended threats, which were first popular two years ago -- and in which one piece of malicious code uses multiple tricks or tactics to spread -- this recent attack is a convergence of malware itself and its creators, Curry went on.

"They're collaborating, and making quite an effective parcel," said Curry.

Curry outlined the three-step process, which he characterized as "spread, disarm, and exploit," as starting with the Glieder Trojan horse. Wednesday, said Curry, at least eight Glieder variants -- which are similar enough to the Bagle worm that many security firms label them as such -- hit the Web, one after another, "about one each hour." According to another security researcher, Carole Theriault of Sophos, that pace continued into Thursday.

Glieder, which unlike a true Bagle worm, doesn't spread on its own, was spammed in huge numbers, said Curry. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware. This is the 'beachhead' for the other elements."

"This was spammed to huge lists," said Curry. "That's a different technique than what hackers have used in the past, where they spam a worm to a relatively small list as a 'booster' to initially seed it. Those don't have the mass-mailing dimension we're seeing here."

Once safely installed on a PC, Glieder downloads another Trojan, dubbed Fantibag by Computer Associates. This Trojan horse overwrites the system's HOSTS file so that the machine can't connect with most anti-virus vendor sites (or even Microsoft's Windows Update site). "This is a 'shields down' Trojan," said Curry. "It effectively isolates the user and his machine from help."

Finally, said Curry, a third Trojan -- Mitglieder, another Bagle look-alike -- is loaded and installed to turn the system into a proxy, from which spam can be sent. Additionally, Mitglieder leaves open a backdoor through which the attacker can add keyloggers or other malicious code to further compromise the computer.

"This is a convergence of more than just malware types," said Curry. "This is a cooperative effort by spammers, thieves, and criminals."

Their goal, he said, is to collect as many compromised PCs as possible, since each one is a potential profit center. "Spammers and criminals engaged in fraud are paying between 2 or 3 cents and 7 or 8 cents for each compromised computer," he said. "Although I can't say what kind of revenues someone may generate from a compromised machine -- we're still talking to law enforcement to get a clearer picture of that -- it's certainly north of 10 cents per system."

Other analysts have pegged a value as high as $2.40 in annual revenues from a machine infected with just one piece of spyware.

The Glieder Trojan -- which some security firms have been calling a Bagle downloader to differentiate it from a true Bagle worm -- accounted for over 800,000 of the malicious code nabbed by filtering firm MessageLabs in the last 24 hours. But the numbers are fading, indicating, said MessageLabs analyst Maksym Schipka, that the wave may have peaked.

Even so, the attack Curry described accounted for about 14 percent of all malicious code detected by U.K. security firm Sophos in the last 48 hours, said Theriault.

"I really hate to spread doom and gloom," said Curry, "But I think what we're seeing now is what we're been afraid of for a year or so now, a real partnership between the bad guys."

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights