There's plenty that's familiar about Bugbear-B, a variant of the original Bugbear worm that first appeared last fall. And that's what makes today's rampant outbreak so noteworthy, antivirus experts said this morning.
Bugbear-B is a mass-mailing worm that exploits MIME and IFRAME vulnerabilities in Outlook, Outlook Express and Internet Explorer that enable it to be executed by a user merely previewing the infected message rather than double-clicking an attachment. It also possesses many characteristics similar to its older sibling.
Most enterprises currently block executable attachments with the file types .SCR, .EXE and .PIF preferred by Bugbear-B. This tactic should have stopped Bugbear in its tracks inside large companies. Experts theorize that home users, rather than business users, could be to blame for most of Bugbear-B's rapid uptake today, but some think the author may have gotten lucky and seeded the right newsgroup or company, which would account for the worm reaching critical mass so quickly today.
U.K.-based e-mail security service provider MessageLabs had captured more than 34,000 copies of the worm by 1 p.m. EDT today, up from 17,000 at 10 a.m. EDT. Most of the leading antivirus vendors, including McAfee, Symantec, Sophos, F-Secure and Central Command, had elevated Bugbear-B to their highest alert classifications by 1 p.m. EDT as well.
"There's nothing we can do about people who double-click attachments," said Bugtraq editor Russ Cooper. "If you're a corporation, nobody should be allowing these attachment types."
TruSecure Corp. content security lab manager Bruce Hughes said that, according to a recent survey conducted by the service provider, 73% of enterprises block executable attachments.
"Companies should filter out executable file types at the gateway," Hughes said.
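The gateway filtering that Hughes recommends, and that the survey above says 73% of enterprises already do, comes down to inspecting each MIME part of an inbound message and rejecting the attachment types the worm relies on. The following Python script is an added illustration, not code from the article or from any vendor it names: it parses a raw RFC 822 message with the standard library, collects attachment filenames, and quarantines the message when the extension is on a block list. The .SCR, .EXE and .PIF entries come from the article; the remaining extensions, the sample messages, and the extra check for an executable filename carried under a non-executable Content-Type are my own assumptions about what a gateway policy would add.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# .scr/.exe/.pif are the types the article says enterprises block; the rest
# are an assumed extension of that policy to other directly executable types.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def attachments(msg: EmailMessage):
    """Yield (filename, declared content type) for every non-container MIME part
    that carries a filename, i.e. everything a mail client would treat as an
    attachment."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name, part.get_content_type()


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined; an empty list means
    no policy violation was found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for name, ctype in attachments(msg):
        # Strip trailing whitespace/dots and look only at the LAST suffix, so a
        # double extension such as README.TXT.EXE is still classified as .exe.
        ext = os.path.splitext(name.strip().rstrip("."))[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext}: {name!r}")
            # Assumed hardening: an executable filename declared as something
            # harmless (audio/, image/, text/) is worth a separate alert, since
            # the client may decide how to handle the part from the type header.
            if not ctype.startswith("application/"):
                reasons.append(f"executable {name!r} declared as {ctype}")
    return reasons


def build_sample(filename: str, maintype: str, subtype: str) -> bytes:
    """Construct a sample message with one attachment (constructed test data,
    not a captured worm sample; the payload is an inert stub)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # constructed address
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00 inert stub", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("setup.scr", "application", "octet-stream"),
        ("README.TXT.EXE", "application", "octet-stream"),
        ("song.exe", "audio", "x-wav"),
        ("song.wav", "audio", "x-wav"),
    ]
    for args in samples:
        verdict = scan_message(build_sample(*args))
        print(args[0], "->", "QUARANTINE" if verdict else "deliver", verdict)
```

The policy is deliberately applied to the filename's final suffix rather than to the declared MIME type, because the sender controls both and the filename is what the client uses to decide how to open the part; the mismatch check then catches the case where the two disagree.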
Hughes also noted that Bugbear's polymorphic capabilities have enabled its spread to intensify. According to Hughes, Bugbear-B has the ability to repack itself each time it infects a system. Hughes said this is done to elude antivirus signatures and complicate cleanup.
It is also capable of gathering e-mail addresses from infected systems and spoofing those addresses in messages it sends out via its own SMTP engine. Hughes said users could be fooled into previewing or opening the worm, thinking it is coming from a trusted source.
"This one exploits the old MIME vulnerability, something that Fizzer and Sobig-C didn't use," said Hughes. "Bugbear does and that's a big reason it's spreading."
MessageLabs has seen Bugbear-B in 121 countries with a peak infection rate of one in every 263 messages containing the worm. The first copy originated in the United States, but its spread began in Europe and followed the sun west toward the United States.