What strikes you about Bugbear in terms of new worm-writing trends or virulent methods?
Bugbear poses a new level of sophistication in terms of social engineering. Rather than sending an e-mail around written in broken English, this one is picking up legitimate live messages, forges the header information and attaches itself to them and spreads that way. For example, I received an e-mail from a well-known security researcher who is a frequent poster to security lists. The message of the e-mail was a legitimate question about the Slapper worm that it had spoofed from someone's inbox. It was a legitimate message that was forged to look like it came from him. And attached to it was the worm with a plausible-looking file name and a double-extension, which was the tip-off that this was not legitimate.
This technique is making it effective in different languages. If you're in Europe and you get something in broken English, your guard is going to be up. But when you get a message in French with a plausible file name for an attachment, you could trick some people into opening it. This could support the fact that it is still going strong in Europe.
This is definitely a new level of sophistication in this direction. Any idea where Bugbear may have come from?
It's a BadTrans variant really. BadTrans was one of the heavy hitters from last year and this is probably from the same author. He's probably been working on improving his concepts since the initial release. I expect worms of the future to move like this one, via e-mail and some sharing capability, like a Web server vulnerability. Take the SQL Server worm -- that one is still going gangbusters. When it infects one SQL Server, it starts looking for others. If the author had added more worm capabilities, it would have done more damage.
E-mail worms are not dead, but they might as well be because it's so easy for enterprises to guard against them by filtering for their extensions at the gateway. How about the technical sophistication of this worm?
It's also exploiting the auto-execute vulnerability in Internet Explorer, which isn't anything new. But the fact that it is moving well across local network shares is a hallmark for outbreaks of the future. There's also a high level of sophistication in the back door it drops. It's not just monitoring what the keystroke-logging program picks up, but it launches a browser interface on the victim's computer and allows the attacker to browse your computer and do what they want. So, just when enterprises have caught up with worm writing techniques, authors have taken another tack?
They have to. That's part of the reason the bad guys have not been successful this year. Klez was more of an issue with home users, because corporations have blocked it easily. Is Bugbear more of a home user problem?
This is a home user problem too. But, because this one's social engineering is so good, it could fool anyone who isn't bluntly filtering common executable files at the gateway.