
Thread: Bagle Worm Returns

  1. #1

    Bagle Worm Returns

    The author of mass-mailing worm Bagle began distributing its source code and two new variants on Sunday, which could trigger another summer of misery for Windows users.

    The Bagle worm first appeared in January as an e-mail attachment. Within months, there were more than 25 variants.

    Infected PCs download a Trojan that effectively enlists that computer into the worm author's army of zombie PCs, which can be used to distribute spam and other malware and to launch distributed denial-of-service attacks.

    This weekend saw not only two new versions of the Bagle worm released, but also what appears to be the worm's original source code.


    Bagle.AD
    Neon Security

    It's time to put an end to malicious code & black hat hackers - Use a firewall and antivirus!

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I have a serious suggestion for all those that manage a corporate network, (thus you have some resources), with regard to executable files being passed from the public network to the trusted.

    Block Them!!!!!

    Bagle, along with Netsky and the other one, (memory.... <sigh>), were a perfect example of why AV solutions are inadequate.... They couldn't keep up with the variants and they still don't recognize new things because they are signature based, (signatures are fine for the "known" but are useless against the unknown, also heuristics have to be set so "low" that they are provably useless - Norton's Bloodhound etc.).

    Unless you are a computer development org or something similar there is no reason for your users to be receiving any executable file.

    Watchguard firewalls do this nicely and I can't believe that the other high end, (corporate), firewalls can't do it too. Give them a list of unacceptable file extensions, (there's about 40), and let them strip the attachment from the SMTP transfer right at the firewall. It works a treat.... I even block .zip's..... I provide an FTP server in the DMZ to allow users to move files of a questionable nature if it is required. This has the following advantages:-

    1. No file that _could_ do damage can enter through email transmission.
    2. I don't have to worry about new viruses or AV companies being too "slow" on variants.
    3. Viruses don't/can't move themselves to password protected ftp sites when they can't send themselves by email - (because they don't know they have been stripped - the mail goes through, it doesn't tell the virus "Oh, but I stripped your attachment"...)
    4. If the threat is high I can deny access to the intended ftp recipient for a day or so until virus definitions have caught up with the changing environment.
    5. I sleep rather well at night.

    This doesn't mean I don't virus scan the incoming mail.... You'd be surprised how many 3 year old Word Macro viruses are still going around so we update the AV hourly and scan every incoming email at least once.

    This does work..... Sit back and think about your user base..... Do they _need_ any executable to be transmitted by email.... If they don't and you can prevent them from getting them then why wouldn't you?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    TS, I have a question about blocking those attachments like you describe.

    What happens to the email after it gets blocked? Does a second email get sent from Watchguard or whatever to the intended recipient or the sender saying that an email has been blocked? Because an end user would like to know if they were supposed to receive an email that was blocked, because if they didn't, there could be some crazy miscommunication problems.

    Such as:
    I send a 10000000$ proposal to TS, and a funny EXE file attached. Watchguard blocks it, and then who knows that it was blocked? TS would like to know that they coulda made 10000000000$, right?

  4. #4
    Soda,

    The way it works here is that the E-mail is forwarded but the attachment is stripped off, there is a reference to the stripped file left in the E-mail. Looks like:

    <<blahblah.exe>>

    But the attachment is gone. That way you as the recipient receive your e-mail and know the file that was stripped out.

    Silly users keep replying and asking for a resend, just to see the whole process over again, thinking the file was corrupted or the sender forgot to attach it. It has been explained to them, but what else can you do??
    "If you take a starving dog in off the street and make him prosperous he will not bite you, this is the principle difference between a dog and a man" - Mark Twain

  5. #5
    Originally posted here by Soda_Popinsky
    I send a 10000000$ proposal to TS, and a funny EXE file attached. Watchguard blocks it, and then who knows that it was blocked? TS would like to know that they coulda made 10000000000$, right?
    Are you a monkey from Nigeria? Those damn dirty apes are so cool. You know they are really kind, generous, & not to mention very savvy business folks.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Soda:

    Watchguard removes the offending executable and replaces it with a text file attachment that says it removed file name xxxxxx.exe from the original email. The text and any non-executable attachments continue on to their intended recipient.

    Why it adds an attachment baffles me. Since implementing the system about two months ago it has been bloody murder trying to tell the users that "_NO_ attachment of any kind received from the outside world can do you harm - please click away to your heart's content!!!!!". I still get people forwarding messages with the Watchguard attachment that say, "I didn't know what it was so I'm forwarding it to you"..... <sigh>, even though the file always takes the form ATTxxxxx.txt. But it's still better than having to clean a Netsky infected box.

    I send a 10000000$ proposal to TS, and a funny EXE file attached.
    Here's the beauty with the Watchguard, it strips only the file extensions it is told from the email. The rest of the email goes unmolested - So I still make my cool million, I just don't have to play the silly game he sent me too.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
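The attachment-stripping behaviour described in posts #2 and #6 (drop attachments whose extension is on a deny list, let the rest of the mail through, and leave a text note naming the removed file) can be reproduced at a mail relay with the Python standard library. This is an added example, not the Watchguard implementation or anyone's code from the thread. The extension list is a constructed subset (the post says "about 40" without listing them), the ATTnnnnn.txt naming mimics what post #6 reports, and the sample message is constructed here so the script runs offline. It also handles two cases a practitioner would want: mixed-case extensions (funny.EXE) and double extensions (invoice.pdf.exe), both of which a naive string compare would let through.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: a constructed subset of the "about 40" extensions the post
# mentions. .zip is included because the poster blocks it too.
BLOCKED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk", "zip",
}


def is_blocked(filename):
    """Decide by the *last* extension, case-insensitively.

    Lower-casing catches funny.EXE; taking the last dot-separated token
    catches double extensions such as invoice.pdf.exe; stripping trailing
    dots/spaces catches 'setup.exe.' tricks some mailers normalise away.
    """
    if not filename:
        return False
    name = filename.strip().lower().rstrip(". ")
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def _filter_parts(part, stripped):
    """Recursively remove blocked attachments from a MIME tree."""
    if not part.is_multipart():
        return part
    kept = []
    for sub in part.iter_parts():
        fname = sub.get_filename()
        if is_blocked(fname):
            stripped.append(fname)
        else:
            kept.append(_filter_parts(sub, stripped))
    part.set_payload(kept)   # same boundary, fewer parts
    return part


def strip_executables(raw_bytes):
    """Parse a raw RFC 822 message, drop blocked attachments, and append one
    text attachment per removed file naming it (the ATTnnnnn.txt behaviour
    post #6 describes). Returns (rewritten_message, [stripped filenames])."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    stripped = []
    _filter_parts(msg, stripped)
    for n, fname in enumerate(stripped, start=1):
        notice = EmailMessage()
        notice.set_content(
            "Removed file %s from the original email.\n" % fname,
            filename="ATT%05d.txt" % n,
            disposition="attachment",
        )
        msg.attach(notice)
    return msg, stripped


def attachment_names(msg):
    """List the filenames still present after filtering (for inspection)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed test message: body + PDF + EXE + ZIP (not a real capture)."""
    m = EmailMessage()
    m["From"] = "soda@example.net"
    m["To"] = "ts@example.com"
    m["Subject"] = "Proposal"
    m.set_content("Here is the 10000000$ proposal. Funny file attached too.")
    m.add_attachment(b"%PDF-1.4 fake proposal", maintype="application",
                     subtype="pdf", filename="proposal.pdf")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="funny.EXE")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="zip", filename="archive.zip")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample())
    print("stripped:", removed)
    print("remaining:", attachment_names(cleaned))
    print(cleaned.as_string())
```

Note that the filter keys on the advertised filename only, as the Watchguard rule does; a gateway that wants to catch an .exe renamed to .txt would also need to sniff the payload (for example the MZ header) rather than trust the extension.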

  7. #7
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I have a suggestion too:

    Learn to update.


    Half of these worms would have never made the news if people updated like they have been told to from the beginning. They all seemed to exploit some flaw that was patched a long time ago, and somehow it still hacks servers.... I don't know how my school got infected with Sasser considering they know about me.

    I have a question:

    How exactly is it that in my town there are almost NO tech related jobs, as they are all filled, yet these people taking them can't update? They're Windows boxes! Clicking Windows Update shouldn't be THAT hard!

    I understand sometimes you have to wait because a patch may break something else, but good God, why wait until it's too late?

    Anyway, I'll continue my laugh fest at the morons who get infected. Unless you were installing a new machine of course, then you don't have the patches. Even then, any person who says they are an admin should have a router blocking everything until the patches are installed.

    It's not hard, when a new patch comes out because some gross hole was found in your OS, INSTALL THE PATCH!

    These companies who get whacked by worms, they are the ones who are setting a bad example; you should know better. Patch, it's not hard. I have yet to get any of these worms on my systems that ran Windows, and I've made plenty of fresh installs.

    A 50 dollar router usually can defend while you install patches, so why can't these huge companies with better routers pull it off?

    Hmm, *Looks* I think I know another reason my network is clean:

    A Pentium 3 733 MHz machine with 384 MBs RAM, a Sound Blaster Live! and 43 GB HD and Nvidia Riva TNT2 card running Slackware 9.1 (The box I'm typing from)

    A Celeron 2.40 GHz machine, 512 MB RAM, 80 GB HD, SUSE 9.1 Professional

    An AMD Athlon XP 2600 + at 2.13 GHz 512 MB RAM and 120 GB HD, Slackware 10

    These are my boxes in my room on this desk. The only non Linux/BSD box in this house is my Mom's Windows 2000 Professional machine, which I have locked down like a politician's daughter when she's dating.

    I can safely say my uptime is the "5 9's" of coolness. I'm a good BOFH

    You can hire me to telecommute by PMing me. All I need is a root SSH session and I'll fix you up, and keep your users on their toes

    EDIT:

    Tiger, most AV products can be defeated:

    Open a Hex editor and change the name of the program, on older AV products, this would allow you to upload virii on a server. Not sure if it still works, I lost my Corporate AV disk.
