Every day, a number of viruses, worms and Trojans are written and released, the majority of which make little or no impact and disappear into the ether as quickly as they arrived. Of late this pattern seems to have been disturbed, as during the end of February and beginning of March a seemingly continual cycle of medium-to-high level virus outbreaks occurred.
Over the past few weeks, MessageLabs has analysed numerous incarnations of the Bagle and Netsky worms. While at first glance there seemed no obvious explanation as to why this rash had broken out – no variant was significantly different from the last – further investigation revealed clues within the code.
Virus turf war
Abusive messages between the Netsky and Bagle perpetrators were discovered – a virus turf war had begun. The 'back and forth' between virus authors started in January when Netsky was programmed to remove the MyDoom and Bagle viruses from machines it infected. The wars recently escalated with multiple versions of the Bagle and Netsky worms appearing on an almost daily basis, primarily as vehicles for delivering new barbs and insults from the authors.
While the virus writers are busy competing, it's the e-mail user that suffers once again – be they the organisation or the end user – and more particularly those relying on the reactive, traditional forms of virus protection.
In addition to the usual disruption caused by mass mailing viruses, some of the MyDoom and Bagle worms are also capable of installing open proxies on infected machines which, in turn, may be used for spam dissemination. This is further evidence that the convergence of virus and spam techniques is gaining momentum.
Bagle is also interesting in that the virus itself was contained within a password-protected Zip file attached to the e-mail.
Step forward a number of security companies blowing their trumpets about their ability to detect viruses within encrypted Zip files. This was, quite frankly, baffling. Some vendors – MessageLabs included – have been able to do this for a long time.
Virus writers are continually experimenting with ways of spreading their code, and the use of the encrypted Zip file isn't new.
Users need to exercise caution with any attachment, and should not be lulled into a false sense of security simply because their anti-virus provider hasn't alerted them to a particular extension.
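As an added illustration of the point above (example code written for this page, not MessageLabs' scanner nor anything from the original column): a gateway does not need the password to notice that a Zip attachment is encrypted, because the ZIP format records an encryption bit in each entry's header. The triage routine below reads only the archive directory, flags encrypted entries and executable-looking filenames, and never extracts anything. The sample archives are constructed in memory; since Python's zipfile cannot write password-protected archives, the "encrypted" sample has its header flag bit set by hand, which reproduces exactly what a scanner sees without any real payload. The extension list and the quarantine policy strings are assumptions chosen for this example.

```python
import io
import os
import struct
import zipfile

# ZIP record signatures that carry the "general purpose bit flag" field.
LOCAL_HDR_SIG = b"PK\x03\x04"   # local file header: flags field at offset 6
CENTRAL_SIG = b"PK\x01\x02"     # central directory entry: flags field at offset 8
ENCRYPTED_FLAG = 0x0001         # bit 0 of the flag field marks an encrypted entry

# Extensions a gateway would treat as executable (assumption for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_zip(encrypted: bool, name: str = "document.exe") -> bytes:
    """Construct a small in-memory ZIP (constructed sample, not a real worm).

    For the 'encrypted' variant the encryption bit is set in both the local
    header and the central directory entry; the stored bytes themselves stay
    plain text, so this only reproduces the header state a scanner observes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"constructed sample content, not malware")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((LOCAL_HDR_SIG, 6), (CENTRAL_SIG, 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + offset)[0]
                struct.pack_into("<H", data, pos + offset, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def inspect_zip_attachment(blob: bytes) -> dict:
    """Triage a ZIP attachment from its directory alone, without extracting.

    Encrypted entries cannot be content-scanned, so the policy here is to
    quarantine them rather than pass them through unscanned; executables
    inside archives are quarantined as well.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        entries = zf.infolist()
        names = [i.filename for i in entries]
        encrypted = [i.filename for i in entries if i.flag_bits & ENCRYPTED_FLAG]
        executables = [
            i.filename for i in entries
            if os.path.splitext(i.filename.lower())[1] in EXECUTABLE_EXTENSIONS
        ]
    if encrypted:
        verdict = "quarantine: encrypted entries cannot be scanned"
    elif executables:
        verdict = "quarantine: executable inside archive"
    else:
        verdict = "scan contents"
    return {"entries": names, "encrypted": encrypted,
            "executables": executables, "verdict": verdict}


def can_scan_contents(blob: bytes) -> bool:
    """True only if every entry is readable without a password.

    zipfile raises RuntimeError when asked to read an encrypted entry with no
    password, which is precisely the situation a content scanner is in.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info.filename)
            except RuntimeError:
                return False
    return True


if __name__ == "__main__":
    for label, blob in (("encrypted exe", build_sample_zip(True)),
                        ("plain exe", build_sample_zip(False)),
                        ("plain text", build_sample_zip(False, "readme.txt"))):
        print(label, "->", inspect_zip_attachment(blob)["verdict"],
              "| scannable:", can_scan_contents(blob))
```

The point of reading only the central directory is that the decision is made before any bytes of the payload are touched; an encrypted entry is simply an entry the gateway cannot vouch for, and that alone is enough to hold it back.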
Source: SMT
Postscript
This section of Secure IT is supplied by MessageLabs. MessageLabs scans e-mail traffic at the Internet level, such that the company is able to compile the most accurate virus statistics available. Take a look on the Internet at: www.messagelabs.com