Savvy Bugbear now spreading faster than Klez

Edward Hurley, News Writer

The Bugbear worm has steadily grown to become one of the most prevalent viruses in the world. In doing so, it has unseated Klez.H, which has dominated the virus landscape for nearly six months.

Antivirus experts credit the worm's savvy features for its success in infecting systems. The relatively slow year for viruses may also have lulled some users into a false sense of security.


"When users don't hear about viruses for a while, they begin to see antivirus software as bothersome," said David Perry, global director of education for Trend Micro, a Tokyo-based antivirus software vendor. "They think it slows their systems down."

The slow but steady progress of Bugbear suggests that it is primarily affecting home users, as most corporate users have had antivirus protection in place for days. The worm is also called Tanat, Tanatos, WORM_NATOSTA.A and W32/Bugbear@MM.

Bugbear also didn't have the rapid ramp-up of a Nimda, which peaked on its first day. That kind of progress tends to get people's attention. Bugbear seems to be spreading slower, much like Klez.H, Perry said.

"End users have gotten this idea that computer viruses are very dramatic," Perry said. "They think viruses make smoke and fire come out the back of their computers."

Bugbear has steadily crept up on users since being discovered Monday. McAfee Security's Anti-Virus Emergency Response Team (AVERT) found that rates of the worm's spread increased 50% to 60% yesterday, said Craig Schmugar, the group's virus research engineer. Europe is getting hit harder than North America, he said.

In fact, Bugbear has eroded Klez's progress. MessageLabs, the Gloucester, England-based provider of e-mail security services, intercepted only 6,300 copies of Klez yesterday, down from a daily average of between 13,000 and 18,000. By contrast, between midnight Wednesday and about 5 p.m. Thursday, the firm intercepted 23,000 copies of Bugbear, said Angela Hauge, MessageLabs' technical director for the United States.

Like Klez, Bugbear uses a couple of techniques that enable it to spread more efficiently. For example, it "spoofs" e-mails so the messages it sends out appear to come from different users, not from the PCs where it found the e-mails. Such trickery allows the worm to cover up which machines it has infected.

"There are no arrows pointing to who sent the e-mail to you," Perry said.

Additionally, Bugbear takes advantage of a vulnerability in Internet Explorer that automatically executes attachments when e-mail messages are opened or simply viewed in the preview pane.

Malicious code like Bugbear and Klez probably offers just a taste of what future worms will look like. At 154 kilobytes uncompressed, Bugbear is a humongous, "feature-rich" virus, Perry said.

Bugbear drops a keystroke-logging program into an infected system that can collect sensitive data such as passwords from machines. A system back door opened by the worm allows the author to retrieve the information.

