NEWS FROM THE LAB - Sunday, April 16, 2006

This site needs to be shut down

Posted by Mikko @ 09:28 GMT

There's another Bagle-related run going on. One of the download URLs that infected machines are polling for new content became active a couple of hours ago. This is one of those new nasty download links that provide a new, uniquely repacked version of the malware every 50 seconds or so.

This download link resides on a website belonging to some sort of real estate agency in Slovakia: www.bbrealservis.sk. We've been trying to get the download link on this site deactivated, but so far nothing has happened. Easter holidays aren't exactly helping here either.

Bottom line: if you're a sysadmin, block access to any URL under www.bbrealservis.sk for now. If you have contacts to this Slovakian company or their upstream provider (Active 24), have them take action as soon as possible or have them contact us. Thanks.

Edited to add: We now detect all the modified versions of the downloaded file as SpamTool.Win32.Bagle.g.

Edited to add: The download link is now down (the site itself works fine but the malware has been removed). Thanks Palo!

Edited to add: Ten hours later, they are now repeating the same operation from a URL under www.benininfo.com. Abuse messages have been sent.

Edited to add [on Tuesday the 18th]: After several attempts, the benininfo.com site has finally been shut down by the ISP.

Edited to add [on Tuesday the 18th]: And now they've moved to www.bestcheapdomainregistration.info. Feel free to block access to this site at your gateways.

Edited to add [on Friday the 21st]: Three days later, www.bestcheapdomainregistration.info is shut down by their ISP. We haven't seen a replacement domain pop up yet.

Edited to add [on Sunday the 23rd]: Now the replacement appeared. Block www.binhaigolf.com.
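A gateway-side check for the blocking advice in this post, covering every host the post names: an added example, not F-Secure's code. It matches proxy log entries against the blocklist (including subdomains, and, as a generalization of the post's advice, the bare registered domain as well), and it also flags any URL that keeps returning a 200 response with a different body size on each fetch, which is the signature of a download link that repacks the payload every few seconds. The Squid-style log lines, the `/dl/file.php` path and the client addresses are constructed for the example.

```python
"""Proxy-log check for the Bagle download hosts named in the post.

Added example, not F-Secure's code. The log lines below are constructed
in a Squid-native access.log layout; the paths and clients are made up.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts named in the post, in the order they appeared.
BLOCKED_HOSTS = (
    "www.bbrealservis.sk",
    "www.benininfo.com",
    "www.bestcheapdomainregistration.info",
    "www.binhaigolf.com",
)

# Squid native format: time elapsed client result/status bytes method url ...
LOG_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log: three fetches of the same link with three different
# sizes (repacked payload), two normal hits, one hit on a subdomain of a blocked
# host, and one malformed line the parser must skip.
SAMPLE_LOG = [
    "1145179680.100 45 10.0.0.12 TCP_MISS/200 18432 GET http://www.bbrealservis.sk/dl/file.php - DIRECT/192.0.2.10 application/octet-stream",
    "1145179735.210 40 10.0.0.12 TCP_MISS/200 18901 GET http://www.bbrealservis.sk/dl/file.php - DIRECT/192.0.2.10 application/octet-stream",
    "1145179790.330 38 10.0.0.45 TCP_MISS/200 17998 GET http://www.bbrealservis.sk/dl/file.php - DIRECT/192.0.2.10 application/octet-stream",
    "1145179800.000 12 10.0.0.9 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html",
    "1145179810.000 12 10.0.0.9 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html",
    "1145179820.500 30 10.0.0.77 TCP_MISS/200 20010 GET http://files.binhaigolf.com/dl/file.php - DIRECT/192.0.2.20 application/octet-stream",
    "this line is not a proxy log entry",
]


def host_is_blocked(host, blocked=BLOCKED_HOSTS):
    """True if host is a blocked host, its bare domain, or any subdomain of it.

    Blocking the bare domain (assumption: the post only names the www host)
    closes the trivial 'drop the www.' dodge.
    """
    host = host.lower().rstrip(".")
    for entry in blocked:
        entry = entry.lower()
        bare = entry[4:] if entry.startswith("www.") else entry
        if host == entry or host == bare or host.endswith("." + bare):
            return True
    return False


def parse_line(line):
    """Parse one Squid-native log line; return None for lines that don't fit."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["status"] = int(rec["status"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def analyze(lines, min_distinct_sizes=3):
    """Return blocked-host hits and URLs whose 200 responses vary in size.

    blocked_hits: list of (client, url) for requests to a blocked host.
    polymorphic_urls: {url: number of distinct body sizes seen} for URLs that
    returned at least min_distinct_sizes different sizes with status 200.
    """
    blocked_hits = []
    sizes_by_url = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if host_is_blocked(rec["host"]):
            blocked_hits.append((rec["client"], rec["url"]))
        if rec["status"] == 200:
            sizes_by_url[rec["url"]].add(rec["bytes"])
    polymorphic = {
        url: len(sizes)
        for url, sizes in sizes_by_url.items()
        if len(sizes) >= min_distinct_sizes
    }
    return {"blocked_hits": blocked_hits, "polymorphic_urls": polymorphic}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, url in report["blocked_hits"]:
        print(f"BLOCKED-HOST HIT  {client} -> {url}")
    for url, n in report["polymorphic_urls"].items():
        print(f"REPACKED PAYLOAD? {url} served {n} distinct sizes")
```

The size-variation check is the part worth keeping after the domains rotate again: the post shows the operators moving hosts every few days, so a static blocklist lags, while a link that hands every client a differently sized executable stands out in proxy logs regardless of which domain it lives on.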