NEWS FROM THE LAB - Friday, March 24, 2006

How Would You Like Your Bagle Done, with Rootkits on the Side? Posted by Sean @ 14:34 GMT

Rootkit development has had such a lull in recent months that we were beginning to wonder if the technique had suddenly become pass�. The last few days may have changed our opinion. With the discovery of three new cases we are now very curious to see what the future will bring.

One of the new cases, Gurong.A, is based on Mydoom code. See our earlier post for more technical details. The other two cases are variants of Bagle. Both Mydoom and Bagle are what we could call 'heavy hitters' in the field.

Gurong.A might be based on leaked source code, and may be only a cut and paste job by a new author. No way to really tell. But the Bagle variants have peaked our interest/concern. Bagle's authors are currently active and running botnets. They maintain a complex network and it�s a suite of programs that work together.

To illustrate just how complex the Bagle operation is nowadays, have a look at this graph illustrating the relationships between different Bagle modules:


Two years ago Bagle was a simple virus. One EXE file, emailing itself around. It's not like that anymore. The malware suite has been built over time. Now the latest development is that one of the new Bagle variants integrates rootkit functionality. Bagle.GE includes code that uses rootkit features to hide the processes and registry keys of Bagle.GF. We can see here an active example of the parts creating a greater whole.

There appear to be bugs in these new Bagles so it�s an early version. But if the Bagle authors have seriously decided to turn their attention to upgrading their malware suite with rootkits, then this first step appears to be a dangerous one and one worth keeping an eye on.