Signature-based antivirus can't detect the new Bagle
September 23, 2005
The first variants were detected on Monday and have increased dramatically throughout the past week. ESET's Threat Labs determined that the variants are being modified to avoid detection by signature-based antivirus programs, once again underlining the need for proactive protection.
The new wave of Bagle variants is being spammed out in large quantities through a distributed network of compromised machines. Some of the variants are older versions of the Bagle worm, repacked to avoid detection.
The new Bagles are Trojan downloaders: once run, they retrieve and install further malicious files from a pre-programmed Web site and open a backdoor on the machine. Because the additional components are fetched after infection rather than carried in the original e-mail, variants spread outside of the spam channel, and systems that are unprotected or running outdated virus signatures remain vulnerable to attack.
ESET's Threat Labs have detected that new variants are being released, on average, every two hours. Each wave of variants carries its own changes designed to avoid signature-based detection, leaving many antivirus companies scrambling to respond to the constant barrage of emerging threats. Some of the worms were designed to get around even advanced heuristics systems.
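The following toy illustration, added here as an example and not code from the original article, Bagle itself or ESET's engine, shows the mechanism the article describes: an exact byte signature stops matching as soon as a sample is repacked, while a heuristic that looks through the packing for downloader behaviour (an HTTP GET for an executable, whatever the URL) still fires on both the repacked build and a new variant. The sample bytes, the one-byte XOR "packer" and the regular-expression heuristic are assumptions for illustration only.

```python
"""Toy illustration of why an exact byte signature stops matching once a sample
is repacked, and how a heuristic that looks through the packing for downloader
behaviour still fires. Constructed example: the sample bytes, the XOR "packer"
and the heuristic are assumptions for illustration, not Bagle code and not
ESET's engine."""
import re


def make_downloader(path: bytes) -> bytes:
    """Build a constructed stand-in for a downloader body that fetches an
    executable from a hard-coded location (assumption: the request string is
    the part a signature writer keyed on)."""
    return (
        b"\x00" * 16
        + b"GET " + path + b" HTTP/1.0\r\n"
        + b"Host: update.example.invalid\r\n"
        + b"\x00" * 16
    )


# The "known" variant, and the exact byte pattern a signature was written for.
KNOWN_VARIANT = make_downloader(b"/update/payload.exe")
SIGNATURE = b"GET /update/payload.exe HTTP/1.0"


def signature_scan(data: bytes) -> bool:
    """Classic signature match: the exact byte pattern must appear verbatim."""
    return SIGNATURE in data


def repack(body: bytes, key: int) -> bytes:
    """Simulated repacking: a tiny stub followed by the body XOR-encoded with a
    one-byte key. A new key yields a file whose bytes share nothing with the
    previous build, although the behaviour is unchanged."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    stub = b"STUB" + bytes([key])
    return stub + bytes(b ^ key for b in body)


# Generic behavioural pattern: any HTTP GET for an .exe, whatever the URL.
DOWNLOADER_RE = re.compile(rb"GET /[\x21-\x7e]*\.exe HTTP/1\.[01]")


def heuristic_scan(data: bytes) -> bool:
    """Heuristic scan: try every one-byte XOR key (a stand-in for emulating
    the unpacking stub) and look for downloader behaviour, not exact bytes."""
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        if DOWNLOADER_RE.search(decoded):
            return True
    return False


def scan(data: bytes) -> dict:
    """Run both detectors and report which one fires."""
    return {"signature": signature_scan(data), "heuristic": heuristic_scan(data)}


if __name__ == "__main__":
    repacked = repack(KNOWN_VARIANT, 0x5A)                         # same worm, new packing
    new_variant = repack(make_downloader(b"/v2/loader.exe"), 0x13)  # new URL as well
    print("known      :", scan(KNOWN_VARIANT))
    print("repacked   :", scan(repacked))
    print("new variant:", scan(new_variant))
```

Running the block shows the signature firing only on the original build, while the heuristic fires on all three. Real packers are far more elaborate than a one-byte XOR, but the principle is the same: a detector that must see the exact bytes of the last build is beaten by every repack, whereas one that unpacks (or emulates) and then matches on behaviour is not.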
"ESET's Virus Radar system was detecting over 10,000 messages per hour carrying new, heuristically-detected Bagle variants on Tuesday and Wednesday," said Andrew Lee, chief technology officer of ESET. "At this rapid reproduction and distribution rate, there is no way that traditional, signature-based antivirus software can protect users from the Bagle variants."
ESET's Virus Radar (www.virusradar.com), a real-time malware tracking tool, identified the new Bagle variants using NOD32. Virus Radar provides site visitors with access to in-depth analysis of the latest malicious outbreaks and processes approximately four million email messages per day to provide information such as the exact date a virus was first detected and its current detection rate. Virus Radar is also capable of tracking the progression of a single virus over a given period -- in some instances from the earliest heuristic detection of a new virus to the point where the virus disappears.
Although one or two variants were not detected immediately, ESET updated both its signatures and its ThreatSense heuristics, ensuring that all further variants were caught proactively.
ESET is providing a free remover for the most prevalent variants of the Bagle worms, which can be downloaded at www.eset.com.