Several new variants of the renowned Bagle worm are making the rounds, but this time around they're incorporating rootkit functions that make them more difficult to detect.
Worse yet, they could mark the beginning of an era in which most multigenerational malware can bury itself in hidden locations, downloading programs and capturing information for days or weeks without being discovered.
Glendale, Calif.-based Panda Software reported Tuesday that it has been tracking Bagle.HX, Bagle.HY and Bagle.HZ since Mar. 23. The trio, which spread via e-mail, attempt to download files from various Internet addresses, most of them located in the .ru domain. Those files can include other malware.
According to Panda, once a machine is infected the worm makes a copy of itself in a process file called m_hook.sys, which is designed to eventually download and run keyloggers or other malicious programs.
Additionally, Helsinki-based F-Secure Corp. reported in its blog Friday the discovery of Bagle.GE, which uses rootkit features to hide the processes and registry keys of Bagle.GF.
Patrick Hinojosa, CTO for Panda, said that, as with other Bagle variants, HX, HY and HZ attempt to shut down a computer's security software and then seek to sustain themselves in secret using a rootkit.
"So even if you reactivate your security software," Hinojosa said, "it may not be seen or discovered."
Hinojosa noted that Bagle had already undergone a tremendous evolution since its early days as a run-of-the-mill worm, but these latest incarnations illustrate how the digital underground has taken hold of Bagle and altered it for much more nefarious purposes.
While these versions have not spread far, Hinojosa said they have the feel of a test run. "I think they're sending it out and testing the code to see if it's going to be successful" in future attacks, he said.
Hinojosa said that if enterprises aren't already aware of the threat posed by rootkits, then this should serve as a wake-up call. He said attackers have realized that for the relatively little time and trouble it takes to include a rootkit, they can significantly extend the life and severity of malware.
"If you've got this [malware] on a machine that has decent financial data on it, there's an ROI to having a rootkit in it to keep it alive on the system longer," Hinojosa said. "With minimal effort, you're going to really extend the life cycle of the software, which is going to add up to more money for the attacker."