Bagle’s birthday

It’s two years to the day that the antivirus industry first encountered Bagle – Email-Worm.Win32.Bagle.a. Depending on your point of view, two years could be a long time, or a short time. But whatever position you take, one thing is certain – Bagle has evolved from a single worm into a criminal infrastructure, which is constantly searching for new victims to infect. Bagle has become a business, which is making real profits – clear motivation for cyber criminals. The authors of Bagle have continued to develop the worm’s defences against its main enemy, the anti-virus industry. We’ve seen Bagle evolve from using primitive polymorphic code, to saving the password to an infected archive in graphical form, to the use of denylists. These last list users such as e.g. antivirus and network activity monitoring companies who are likely to attempt to download the latest Bagle variant via malicious links. If a user whose address is denylisted attempts to download the latest Bagle, an error message will be returned instead of the malicious file.

Over the last two years we’ve detected more than 400 modifications of Bagle-related malware. All these malicious programs (Trojan-Proxies, Email-Worms, Trojan-Downloaders, SpamTool etc) are designed to steal information from victim machines, conduct mass mailings and other criminal activity.

As our users know, Kaspersky Lab releases two types of antivirus database update – standard updates, and urgent updates. Urgent updates provide rapid protection against possible epidemics and spamming of malicious programs. The graph below shows the number of urgent updates (axis Y) released every three days (in order to highlight the virus epidemics) throughout 2005 (axis X) we get the following picture:

It’s clear that the highest number of urgent updates were released on days when Bagle was very active. During one attack, 21 new modifications were detected. The figures clearly show that users should continue to take the threat posed by Bagle seriously.

Bagle’s birthday

Your email address will not be published. Required fields are marked *



Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

APT trends report Q1 2021

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Subscribe to our weekly e-mails

The hottest research right in your inbox