NEWS FROM THE LAB - Thursday, March 30, 2006

New Bagle, new trick Posted by Mikko @ 19:27 GMT

First things first: admins, block http access from your network to endoliteindia.com.

We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.

The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.


We are now detecting these as "W32/Bagle.GI". However, the contents keep changing.

To make a long story short: block access to this download site. It's at endoliteindia.com - a hacked web server in India. Abuse messages to the site and the upstream ISP have been sent.

Updated to add: At around 19:45 GMT, the download link died. Now it just returns 403 Forbidden, which is great. We never got replies to our abuse reports, but perhaps somebody took action. Or perhaps the Bagle gang did this themselves.

  Resolving endoliteindia.com...
  Connecting to endoliteindia.com[]:80... connected.
  HTTP request sent, awaiting response... 403 Forbidden
  22:16:51 ERROR 403: Forbidden.
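As an added example (not code from the original post), a small Python checker that applies the advice above to a proxy log: it parses constructed Squid-style access.log lines, lists the internal clients that fetched from the blocked domain, and shows from the byte counts why a hash or size block list cannot keep up with the repacking. The client addresses, path, timestamps and sizes are made up; only the domain comes from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Domain the post tells admins to block outbound HTTP to.
BLOCKED_HOSTS = {"endoliteindia.com"}

# Constructed Squid native access.log lines (hypothetical clients, path,
# timestamps and byte counts; only the domain is from the post). Fields:
# time elapsed client code/status bytes method URL ident peer/host type
SAMPLE_LOG = """\
1143745620.101 120 10.0.0.15 TCP_MISS/200 40523 GET http://endoliteindia.com/get.php - DIRECT/192.0.2.10 application/octet-stream
1143745700.220 90 10.0.0.22 TCP_HIT/200 1834 GET http://www.example.org/ - NONE/- text/html
1143745860.330 115 10.0.0.15 TCP_MISS/200 41207 GET http://endoliteindia.com/get.php - DIRECT/192.0.2.10 application/octet-stream
1143746100.440 130 10.0.0.31 TCP_MISS/200 39988 GET http://endoliteindia.com/get.php - DIRECT/192.0.2.10 application/octet-stream
1143746160.550 80 10.0.0.15 TCP_MISS/403 412 GET http://endoliteindia.com/get.php - DIRECT/192.0.2.10 text/html
"""

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")

def parse_line(line):
    """Return (timestamp, client, status, bytes, method, url) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, status, size, method, url = m.groups()
    return float(ts), client, int(status), int(size), method, url

def find_polling_clients(log_text, blocked=BLOCKED_HOSTS):
    """Map each client that contacted a blocked host to its fetches.

    Each fetch is (timestamp, status, bytes). The match is on the URL's
    hostname, so a changed path or port does not slip past the check."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, status, size, _method, url = rec
        host = (urlparse(url).hostname or "").lower()
        if host in blocked:
            hits[client].append((ts, status, size))
    return dict(hits)

def successful_sizes(hits):
    """Distinct byte counts of HTTP 200 fetches from the blocked host.

    More than one value for the same URL is the server-side repacking the
    post describes (new size and MD5 every few minutes), which is why a
    hash list cannot keep up and the domain itself has to be blocked."""
    return sorted({size for fetches in hits.values()
                   for (_ts, status, size) in fetches if status == 200})
```

Clients that appear in the output are the machines to pull for cleanup; a 403 in their later fetches matches the link dying as noted in the update.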