BugBear learns new tricks, targets financial institutions

A new wrinkle has been found in the resurgent BugBear worm, which began showing up on desktop PCs around the world last week in a new and improved version.

Researchers at Symantec Corp. of Cupertino, Calif., said the new worm, W32.Bugbear.B, appears to be targeting financial institutions. If it finds itself ensconced inside a bank's IT system, it e-mails home and sends a log file of captured keystrokes.

'Symantec Security Response is strongly advising financial institutions that they may be at greater exposure due to this newly discovered functionality,' the company said in an announcement released today.

The new worm variant appeared last Wednesday when it began spreading through computer systems in English-speaking countries. It spreads by mass e-mailing and network shares, and installs keystroke logging software and a back door that leaves infected machines open to further exploitation.

The new BugBear has randomized subject lines, sender addresses, body text and attachment names. The attachment has a double extension, with the real extension being .EXE, .PIF or .SCR.

According to Symantec, when the worm finds that the default e-mail address for an infected system belongs to a financial institution, it sends an e-mail including keystroke logs to one of 10 addresses.

BugBear.B's affinity for banks is not a complete surprise. The virus contains a list of hundreds of domain names, apparently for forging spoofed e-mail addresses, many of them containing the names of banks.

According to the British security firm Mi2g Ltd., the original BugBear ranks as the seventh most damaging malware on record, having caused between $1.6 billion and $1.9 billion in damage since last year. Based on early June data, the new variant could boost it to No. 5 on the list, with more than $2 billion in damages.

No. 1 on the list is the Klez worm, with an estimated $12 billion in damage, followed by the Love Bug at $8.75 billion.

Many antivirus firms have updated their software to catch BugBear.B. Security experts also recommend filtering incoming e-mail for .EXE, .PIF and .SCR attachments, and monitoring outgoing e-mail for the addresses used by the worm to communicate home.
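Both recommendations can be sketched as gateway checks. The following is an added example, not code from the article or from Symantec: the function names, the placeholder watchlist addresses and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

BLOCKED_EXTS = {".exe", ".pif", ".scr"}  # extensions named in the article
# Placeholder watchlist (assumption): load the real drop addresses from the advisory.
WATCHLIST = {"dropbox1@example.invalid", "dropbox2@example.invalid"}

def real_extensions(filename):
    """Return (final_extension, has_double_extension) for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before deciding.
    name = filename.strip().rstrip(". ").lower().replace("\\", "/")
    suffixes = PurePosixPath(name).suffixes
    return (suffixes[-1] if suffixes else ""), len(suffixes) >= 2

def inbound_verdict(raw_bytes):
    """Inbound filter: (filename, reason) for each attachment to quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()  # handles RFC 2231 encoded names
        if not fname:
            continue
        ext, double = real_extensions(fname)
        if ext in BLOCKED_EXTS:
            hits.append((fname, "double extension" if double else "blocked extension"))
    return hits

def outbound_hits(raw_bytes):
    """Outbound monitor: watchlisted recipients found in To/Cc/Bcc."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    rcpts = set()
    for hdr in ("To", "Cc", "Bcc"):
        for value in msg.get_all(hdr, []):
            rcpts.update(a.addr_spec.lower() for a in value.addresses)
    return sorted(rcpts & WATCHLIST)

def constructed_sample():
    """Constructed test message, not a captured BugBear sample."""
    m = EmailMessage()
    m["From"] = "user@bank.example"
    m["To"] = "Drop <DROPBOX1@example.invalid>, colleague@bank.example"
    m["Subject"] = "constructed test message"
    m.set_content("body")
    for fname in ("invoice.doc.scr", "notes.txt"):
        m.add_attachment(b"x", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()
```

The decision is made on the final extension rather than the first one, so a name such as `invoice.doc.scr` is caught even though it displays as a document when extensions are hidden.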

About the Author

William Jackson is a Maryland-based freelance writer.
