The variant comes repackaged as Hacker Activated Code (HAC), which does not replicate the way usual malware does. The HAC's features suggest that it was written by the same group that authored the other Bagle variants.
The HAC drops the Mitglieder proxy Trojan, which spammers have frequently used in the past. In February, the proxy program called Mitglieder began installing itself on computers infected by January's Mydoom outbreak. It is not clear how the HAC discovered this morning, which has a Bagle look-and-feel, is spreading, as it contains no replicating code. It is probably being spammed out as an email attachment, most likely from infected machines.
While most spam previously flowed through the Russian Federation, China, South Korea, Brazil and other countries whose ISPs left many relays open, the pattern has now shifted to North American and European residential connections, where the growing number of high-speed cable and 24/7 domestic links are targeted by criminal syndicates for financial gain.
The Mitglieder Trojan suggests an interesting link between the Bagle and Mydoom families. The first known version of this proxy Trojan was used by Bagle.a in January 2004. Bagle.a downloaded it from a web site and installed it on infected computers. Meanwhile, Mydoom.a was spreading around the world, leaving a backdoor open on each computer it infected.
Several days after the initial outbreak, an organisation that knew how to operate the backdoor port scanned large parts of the internet address space, installed another version of the Mitglieder Trojan on the infected machines and started sending spam through them.
The fact that both the Bagle and Mydoom families utilise the Mitglieder Trojan might indicate that a single group is behind both families. There might be different programmers, but sponsored by the same organisation. The way these worms use Mitglieder is the next logical step from the way earlier spam-related malware such as LovGate and Sobig used Wingate. The Wingate proxy server is commercial network software, but many malware families have used it, in violation of its licence agreement, to install hidden proxy functionality. Some Trojan malware carries an embedded copy of Wingate within itself.
The mi2g Intelligence Unit continues to research the background of the recent spate of malware and concludes that these malware families are connected to each other. This could point to the increasingly probable Sobig-Bagle-Mydoom triangle of trans-national criminal syndicate activity dedicated to the colonisation of home computers for spam purposes.
"The Mitglieder connection between Bagle and MyDoom suggests a financial gain motive. This is definitely not the teenager originated phenomenon that it is being made out to be," said DK Matai, Executive Chairman, mi2g. "There is much more to the motives behind MyDoom and Bagle than the winning of bragging rights."