Fresh Bagels offer baked-in rootkits

By Eric B. Parizo, News Editor
28 Mar 2006 | SearchSecurity.com

Security Wire Daily News

Several new variants of the well-known Bagle worm are making the rounds, but this time around they incorporate rootkit functions that make them harder to detect.

Worse yet, they could mark the beginning of an era in which most multigenerational malware buries itself in hidden locations, downloading programs and capturing information for days or weeks without being discovered.

Glendale, Calif.-based Panda Software reported Tuesday that it has been tracking Bagle.HX, Bagle.HY and Bagle.HZ since Mar. 23. The trio, which spread via e-mail, attempt to download files from various Internet addresses, most of them in the .ru domain. Those files can include other malware.

According to Panda, once a machine is infected the worm makes a copy of itself in a file called m_hook.sys (the .sys extension is the one Windows uses for kernel drivers), which is designed to eventually download and run keyloggers or other malicious programs.

Additionally, Helsinki-based F-Secure Corp in its blog Friday reported the discovery of Bagle.GE, which makes use of rootkit features to hide the processes and registry keys of Bagle.GF.

Patrick Hinojosa, CTO for Panda, said that, as with other Bagle variants, HX, HY and HZ attempt to shut down a computer's security software and then seek to sustain themselves in secret using a rootkit.

"So even if you reactivate your security software," Hinojosa said, "it may not be seen or discovered."
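The practical check against the hiding Hinojosa describes is cross-view detection: list processes through the documented Windows API that a rootkit filters, list them again by a route the rootkit typically does not cover, and report anything present in the second view but missing from the first. The program below is an added example written for this page, not code from Panda, F-Secure or the article; PID probing through OpenProcess as the second view is a well-known technique from this era, and the sample PID lists and the function names are constructed for illustration.

```c
/* Cross-view process detection. This is an added example, not code
 * from the article, Panda or F-Secure. A rootkit that filters the
 * documented enumeration API (Toolhelp32, backed by
 * NtQuerySystemInformation) usually leaves the process reachable by
 * PID through OpenProcess, because PID lookup goes through a separate
 * kernel table. Listing PIDs both ways and diffing the views exposes
 * the gap. diff_views() is the portable core; the two Windows views
 * compile only under _WIN32, elsewhere main() runs a constructed sample. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PIDS 65536   /* PIDs are 32-bit, but in practice stay below this */

/* Return every PID present in raw_view but absent from api_view.
 * Writes at most out_max PIDs to out and returns how many were written. */
size_t diff_views(const unsigned *api_view, size_t api_n,
                  const unsigned *raw_view, size_t raw_n,
                  unsigned *out, size_t out_max)
{
    unsigned char *seen = calloc(MAX_PIDS, 1);
    size_t hidden = 0;
    if (!seen) return 0;
    for (size_t i = 0; i < api_n; i++)
        if (api_view[i] < MAX_PIDS) seen[api_view[i]] = 1;
    for (size_t i = 0; i < raw_n && hidden < out_max; i++)
        if (raw_view[i] < MAX_PIDS && !seen[raw_view[i]])
            out[hidden++] = raw_view[i];
    free(seen);
    return hidden;
}

/* Constructed sample, not real data: the API view is missing PID 1234. */
static const unsigned SAMPLE_API[] = { 0, 4, 368, 544, 1000 };
static const unsigned SAMPLE_RAW[] = { 4, 368, 544, 1000, 1234 };

size_t sample_hidden_count(void)
{
    unsigned out[8];
    return diff_views(SAMPLE_API, 5, SAMPLE_RAW, 5, out, 8);
}

unsigned sample_first_hidden_pid(void)
{
    unsigned out[8];
    return diff_views(SAMPLE_API, 5, SAMPLE_RAW, 5, out, 8) ? out[0] : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* View 1: the documented enumeration API, the one rootkits filter. */
static size_t api_view_pids(unsigned *out, size_t max)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    size_t n = 0;
    if (snap == INVALID_HANDLE_VALUE) return 0;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe))
        do { if (n < max) out[n++] = pe.th32ProcessID; }
        while (Process32Next(snap, &pe));
    CloseHandle(snap);
    return n;
}

/* View 2: probe every possible PID (always a multiple of 4) with
 * OpenProcess. A handle, or ERROR_ACCESS_DENIED, means the PID exists. */
static size_t raw_view_pids(unsigned *out, size_t max)
{
    size_t n = 0;
    for (unsigned pid = 4; pid < MAX_PIDS && n < max; pid += 4) {
        HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (h) CloseHandle(h);
        if (h || GetLastError() == ERROR_ACCESS_DENIED) out[n++] = pid;
    }
    return n;
}
#endif

int main(void)
{
    static unsigned api[MAX_PIDS], raw[MAX_PIDS], hidden[MAX_PIDS];
    size_t api_n, raw_n, hidden_n;
#ifdef _WIN32
    api_n = api_view_pids(api, MAX_PIDS);
    raw_n = raw_view_pids(raw, MAX_PIDS);
#else
    memcpy(api, SAMPLE_API, sizeof SAMPLE_API); api_n = 5;
    memcpy(raw, SAMPLE_RAW, sizeof SAMPLE_RAW); raw_n = 5;
#endif
    hidden_n = diff_views(api, api_n, raw, raw_n, hidden, MAX_PIDS);
    printf("%lu PIDs via API, %lu via probe, %lu hidden\n",
           (unsigned long)api_n, (unsigned long)raw_n, (unsigned long)hidden_n);
    for (size_t i = 0; i < hidden_n; i++)
        printf("PID %u opens with OpenProcess but is absent from Toolhelp32\n", hidden[i]);
    return hidden_n ? 1 : 0;
}
```

Build it on Windows with MinGW (`gcc cross_view.c -o cross_view.exe`) and run it from an elevated prompt. Two caveats a practitioner should keep in mind: a process that exits between the two scans shows up as a one-off difference, so run the check twice and only trust a PID that is hidden both times; and a kernel rootkit that also filters OpenProcess (or unlinks the process from the PID table) defeats this particular second view, so pair it with another low-level view. The same cross-view idea covers the registry keys F-Secure reports Bagle hiding: compare what the Win32 registry API enumerates against a parse of the raw hive file on disk.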

Hinojosa noted that Bagle had already undergone a tremendous evolution since its early days as a run-of-the-mill worm, but these latest incarnations illustrate how the digital underground has taken hold of Bagle and altered it for much more nefarious purposes.

While these versions have not spread far, Hinojosa said they have the feel of a test run. "I think they're sending it out and testing the code to see if it's going to be successful" in future attacks, he said.

Hinojosa said that if enterprises aren't already aware of the threat posed by rootkits, then this should serve as a wake-up call. He said attackers have realized that, for the relatively little time and trouble it takes to include a rootkit, they can significantly extend the life and severity of malware.

"If you've got this [malware] on a machine that has decent financial data on it, there's an ROI to having a rootkit in it to keep it alive on the system longer," Hinojosa said. "With minimal effort, you're going to really extend the life cycle of the software, which is going to add up to more money for the attacker."
