Fighting malware and spam

Solving the Bagle jigsaw

Scott Molenkamp Computer Associates
Hamish O’Dea Computer Associates

In recent times, there has been a developing trend in the malware scene - using viruses and worms to create a network of compromised systems. With control of enough machines, an attacker can set up a launch pad for further misdeeds. On a basic level, they open a way to steal sensitive information such as passwords, banking details, and email addresses from a great number of users. However, a base of compromised systems also allows someone to launch distributed attacks - specifically denial of service, spam, and mass propagation of further malware to expand the size and reach of the attacker's power.

This paper will consider one extended family of malware that has been used in creating such a network. We will examine how it started with Bagle, a humble mass-mailing virus, but expanded into a rogue's gallery of interconnected malware, including password stealers, backdoor proxies, downloaders, spam tools and more. We will also see how the Bagle mass-mailer has evolved beyond the standard definition of an email worm to be just one part of this collective, but one that plays an important role in connecting all the pieces into a whole and enabling the creation of the Bagle network.

We will look at when and how the Bagle network has been updated and expanded since early 2004. From this, we will try to deduce why the group that controls the network has developed and used their creation the way they have. We will demonstrate ways in which someone could, and probably does, make profit from Bagle and related malware.

The entire Bagle picture remains a puzzle to most people. This paper will attempt to explain how all of the pieces fit together, creating something greater than the sum of its parts. Does Bagle and its brood represent the new standard for Internet malware?