The Bugbear worm is hardly in hibernation, with several antivirus experts reporting that its progress has heated up since being discovered Monday.
This morning, e-mail security managed service provider MessageLabs reported that it has captured 27,500 copies of the worm, up from 9,400 yesterday. The worm, which travels via e-mail and network shares, is also called Tanat, Tanatos, WORM_NATOSTA.A and W32/Bugbear@MM.
Helsinki, Finland-based antivirus vendor F-Secure is seeing as many reports of Bugbear as Klez, the most prevalent worm of the last six months, said Mikko Hypponen, F-Secure's manager of antivirus research. "It's gaining ground fast."
There are two dangers associated with Bugbear.
First, the worm opens a backdoor and installs a keystroke-logging program on infected systems, giving it the ability to harvest passwords and other sensitive information.
Additionally, Bugbear aggressively targets antivirus and firewall software. The worm periodically tries to shut down processes associated with popular antivirus and firewall products.
"There are tens of thousands of computers that had antivirus software a few days ago but now don't have any running," Hypponen said. These systems would be open to other viruses and potentially malicious hacking if firewall software is turned off.
Bugbear spreads by sending itself as an e-mail attachment and through network file shares. The latter functionality may have something to do with its success, because only one user on a network has to open the attachment. Once a machine is infected, the worm can spread itself throughout the network.
This is not just an issue for corporations. Home DSL and cable users could become infected via this method, said Chris Wraight, technology consultant at antivirus vendor Sophos.
Bugbear's e-mail-propagating abilities are also quite savvy. The worm takes advantage of IFRAME and MIME vulnerabilities, so a recipient doesn't need to open the attachment for the worm to execute.
The worm also steals e-mail messages from infected systems and forwards them with copies of itself. The use of real e-mails lends some credibility to the messages, which prompts some recipients to open them. The technique could also send out sensitive information, Hypponen said.
Bugbear also uses a variety of subject lines to entice targets to open the attachment. Some of these include:
- Payment notices
- Just a reminder
- Correction of errors
- history screen
- I need help about script!!!
- Please Help...
- Membership Confirmation
- Get a FREE gift!
- Today Only
- New Contests
- Lost & Found
- bad news
- click on this!
- Market Update Report
- empty account
- My eBay ads
- 25 merchants and rising
- CALL FOR INFORMATION!
- new reading
- Sponsors needed
- SCAM alert!!!
- its easy
- free shipping!
- Daily Email Reminder
- Tools For Your Online Business
- New bonus in your cash account
- Your Gift
- $150 FREE Bonus!
- Your News Alert
- Get 8 FREE issues - no risk!