A worm's evolution

Tomer Honen eSafe CSRT, Aladdin Knowledge Systems Ltd.

Malicious code comes and goes; some samples even spawn a few variants. The Bagle family of worms is perhaps the first group of viruses to show a steady curve of improvement from one cluster of variants to the next. The original and its initial 'reincarnations' demonstrated little original thought. The first version of the worm to show some innovation was Bagle.F, which was sent in the usual formats but also as a password-protected archive, with the password included in the message body. Later versions used a dynamic message layout; then the worm became a polymorphic file-infector, a huge technological leap; then the password disappeared from the body and was replaced by an image of the password, to elude AV solutions that looked for the password in the message text. Finally, the attachment was gone altogether, replaced by a script that automatically downloads and executes the worm.

While the first version of the worm could have been written by any novice coder, later versions showed superior coding ability and some original thinking. It is both interesting and disturbing to study this unique development of a single worm and its variants. As the worm's code continues to be upgraded, it is anyone's guess what features later versions will possess.
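The two Bagle.F-era tricks described above (an encrypted archive whose password sits in the message text, later in an attached image) leave a recognisable shape in the mail itself. The following added example, not part of the original article, shows a mail-gateway heuristic that reads the ZIP local file header's general-purpose "encrypted" flag and correlates it with a password phrase in the body or a bundled image; the regular expression and the sample message are constructed assumptions, not Bagle's actual wording.

```python
import re
import struct
from email import message_from_bytes
from email.message import EmailMessage

# Password-in-body pattern: "password is abc", "pass: abc" (assumed heuristic, not Bagle's exact wording)
PASSWORD_RE = re.compile(r"\bpass(?:word)?\b\s*(?:is|:)?\s*['\"]?(\w{3,})", re.I)

def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the 'encrypted' general-purpose flag (bit 0) set."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)

def assess_message(raw: bytes) -> dict:
    """Flag mail that pairs an encrypted archive with a password in the text or a bundled image."""
    msg = message_from_bytes(raw)
    body, encrypted_zips, images = [], [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain":
            body.append(payload.decode(errors="replace"))
        elif part.get_content_maintype() == "image":
            images.append(part.get_filename())
        elif zip_is_encrypted(payload):
            encrypted_zips.append(part.get_filename())
    m = PASSWORD_RE.search("\n".join(body))
    return {
        "encrypted_archives": encrypted_zips,
        "password_in_body": m.group(1) if m else None,
        "password_possibly_in_image": bool(encrypted_zips) and m is None and bool(images),
        "suspicious": bool(encrypted_zips) and (m is not None or bool(images)),
    }

def build_sample(body_text: str, with_image: bool) -> bytes:
    """Constructed sample message for testing; not a real Bagle capture."""
    msg = EmailMessage()
    msg["Subject"] = "Re: document"
    msg.set_content(body_text)
    # Minimal ZIP local file header: version 20, general-purpose flag bit 0 (encrypted) set.
    fake_zip = b"PK\x03\x04" + struct.pack("<HH", 20, 1) + b"\x00" * 22
    msg.add_attachment(fake_zip, maintype="application", subtype="zip", filename="doc.zip")
    if with_image:
        msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="key.png")
    return msg.as_bytes()
```

Only the first local file header is inspected; a production filter would walk every entry and the central directory, since a mixed archive can carry an unencrypted decoy first.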
