While Microsoft weakness is patched, other worms turn
- By William Jackson
- Feb 18, 2004
Security analysts say hackers are having a harder time than expected coming up with a workable exploit against the Microsoft ASN.1, giving administrators valuable time to patch their systems.
But while patching for that vulnerability is under way, new worms continue to demand attention.
A new variant of the Bagle worm, Bagle.b, now is spreading rapidly in the wild. It is a mass-mailing worm that installs a back door Trojan on infected machines and appears to be programmed to stop spreading Feb. 25. It has a random subject line, text and attachment name.
Security companies noticed the spread on Tuesday in Europe, and MessageLabs Inc. of New York reported it had stopped more than 96,000 copies of the worm in 66 countries by early Wednesday. Panda Software Inc. of Glendale, Calif., called the mass-mailing worm 'highly effective,' due in part to its ability to spoof the sender's address.
'Money and control appear to be the motive behind Bagle, similar to top worms of 2003,' said Ken Dunham, director of malicious code for iDefense Inc. of Reston, Va.
Dunham also reports that another new worm, NetSky.b, also was spreading rapidly in Europe and Japan Wednesday morning. NetSky is another randomized e-mail worm that also propagates through network shares.
'NetSky.b is like a cluster bomb,' Dunham said. 'It spreads to various networks via e-mail, and then erupts on the network through shared files.'
The one bright spot in the war against malicious code is the difficulty hackers seem to be having in developing a shell exploit for the Microsoft Abstract Syntax Notation 1 Library. Although effective exploit code appeared within days of the vulnerability's announcement, no widespread attacks have been reported.
'Every day that goes by without shell exploit code in the wild for ASN.1 is very good news," Dunham said. 'We are slowly gaining ground on protecting against possible exploitation. It still has potential, but every day that goes by lowers that potential.'
William Jackson is a Maryland-based freelance writer.