A computer virus that specifically targets financial institutions continued to spread around the Internet on Tuesday, though it appeared BugBear.B was starting to run out of steam. The sophisticated snooping program made its way onto thousands of computers worldwide after it was released early Thursday morning. But even as the outbreak is contained, antivirus experts are wondering if this unique program has ushered in a new era of computer viruses designed to commit white-collar crimes.
BugBear.B, an upgraded version of a worm released last year, spread to 164 countries in the first 24 hours. By Tuesday, UK-based MessageLabs Inc. had trapped 277,000 copies of the program headed for its customers. Most antivirus vendors maintained high risk ratings on the worm, but said far fewer infections were being reported than last week.
BugBear got the attention of antivirus firms because of its elaborate snooping functions. Once it infects a machine, it installs keylogging software, back-door software, and in some cases even attempts to control infected computers’ modems.
But the program’s most suspicious feature is its ability to sense if it has infiltrated a computer that belongs to a financial institution by checking a list of 1,300 corporate domain names — the list includes firms like J.P. Morgan Chase & Co., American Express Co., and Bank of America Corp.
If so, it is directed to steal passwords and other critical data, and e-mail the information out across the Internet — most likely to the virus author.
The FBI is investigating the incident, spokesman Bill Murray said — and industry groups reacted by sending information through a Homeland Security Department warning system.
“This is the first time I’ve seen a worm so aggressively target such a wide range of financial organizations,” said Ken Dunham, virus expert at iDefense Inc. “The author of BugBear.B is clearly motivated by criminal means, to perform fraud and theft on a widespread basis from financial organizations as well as from individuals.”
BugBear is persistent in its efforts to steal such critical data. If the infected financial computer is not connected to the Internet for some reason, the virus attempts to wake the computer’s modem and get it to dial out for Net access. The list of targeted financial institutions included domains in dozens of countries around the globe, including Spain, Argentina, Iceland, Slovakia, Korea, and South Africa.
“(The virus writer) really wanted to get into those machines,” said McAfee Fellow Jimmy Kuo. U.S. financial institutions probably aren’t at risk from this technique, Kuo said, because most don’t have modems attached to their critical computers any more. But “less technologically-advanced countries might,” he said.
Industry executives told Treasury Department officials and other banking regulators during a meeting Monday in Washington that while they were concerned that the infection targeted them, they were unaffected because of tight corporate security.
Vincent Gullotto, vice president of McAfee AVERT Labs at Network Associates, said there’s no evidence the worm actually was successful at stealing bank data — and he felt its programming was probably not clever enough to pose a real threat to heavily-protected financial machines. Still, there is concern among the industry because of the nature of the attack, he said.
“There are administrators at financial institutions that said to me they have to be concerned,” Gullotto said. “(Virus writers) could be laying some groundwork to see what type of things may or may not work.”
Also of concern: Authorities have no real leads on who wrote the program, or even the likely nationality of the author, Gullotto said. That’s unusual — virus writers typically leave calling cards inside their work, or somehow tip off their location within their programming code. But the BugBear author was apparently careful to cover his or her tracks, suggesting the program is not a typical Internet prank but rather a serious attempt at crime.
“This is not a script kid. This is clearly someone with knowledge and experience, maybe even experience in financial services areas,” Gullotto said. He said he was concerned that it might signal a trend of virus writers “trying to create a new kind of white-collar crime.”
STANFORD HIT

While it’s not clear that any financial institutions were hit, there have been thousands of victims. Among them: Stanford University. A notice on the school’s Web site said the school was “severely impacted” by the worm, and school administrators shut down outgoing e-mail for part of Thursday.
The school’s computer Security Services group indicated on the Web site it had stemmed a potentially embarrassing incident for Stanford. One of BugBear’s components involves attaching random Microsoft Office documents from one infected machine and sending them along to other users as the worm spreads. According to the school’s Web site, computer administrators intercepted messages containing “salary and bonus spreadsheets,” along with other confidential documents.
“The exporting of confidential information is a much more significant event than just an infection,” Vincent Weafer, virus expert at Symantec Corp., said. “It involves the potential loss of privacy. People are a lot more concerned about that.”
BugBear.B is jam-packed with other malicious tactics. Its keylogging component e-mails log files to a set of 25 e-mail addresses located around the world every two hours. Infected corporations will even find their networked printers spewing out pages of nonsense, as the program sends bad data around the network.
In an attempt to avoid detection, BugBear attempts to turn off all antivirus programs, and it shuts down other security software. In addition, it uses a particularly nasty flaw in Microsoft’s Internet Explorer program and its implementation by Microsoft’s Outlook e-mail reader that allows the virus to infect machines whenever a victim simply previews an e-mail message loaded with the program.
BugBear spreads via e-mail and local networks. It’s hard to warn users what to watch for — the subject line, message body, and attachment are all selected from a random list, or chosen from file names already in the target computer’s “My Documents” folder. The infected file itself has either a .exe, .scr, or a .pif extension — blocking those extensions will protect e-mail users against infection.
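A mail-gateway attachment filter that implements the extension blocking the article recommends, added here as an example and not part of the original report. The message it inspects is constructed for the demonstration (not a BugBear capture); it mimics the described lure by reusing a document name as the subject and hiding a .pif behind a spreadsheet name.

```python
"""Attachment filter for the extensions the article names (.exe, .scr, .pif)."""
import email
import os
from email import policy
from email.message import EmailMessage

# The article states the infected attachment carries one of these extensions.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif"}


def is_blocked_filename(filename):
    """Return True if an attachment name ends in a blocked extension.

    The check is case-insensitive and looks only at the final suffix, so a
    double-extension lure such as "Budget.xls.pif" is still rejected, as is
    a name padded with trailing dots or spaces to hide the real extension.
    """
    if not filename:
        return False
    name = filename.strip().rstrip(". ")
    return os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message):
    """Parse a raw RFC 5322 message and list attachment names to quarantine."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename()
        for part in msg.walk()
        if not part.is_multipart() and is_blocked_filename(part.get_filename())
    ]


def build_sample_message():
    """Constructed test message (not a real capture): the subject reuses a
    document name, and one attachment hides .pif behind a spreadsheet name."""
    msg = EmailMessage()
    msg["From"] = "someone@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Salary 2003.xls"
    msg.set_content("Please see the attached file.")
    for name in ("readme.txt", "Salary 2003.xls.pif", "Setup.EXE"):
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```

The filter only examines declared filenames; a gateway that also inspects file content for executable headers catches attachments whose names were altered in transit.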
Once BugBear hits a machine, it can be hard to remove, Weafer said, because the worm disables antivirus products that consumers normally use to “clean” infected computers. Antivirus firms are offering special cleaning instructions on their Web sites. But that feature means consumers will probably be dealing with BugBear for a while.
“The original BugBear is still in our top 20 list,” Weafer said. “This one will be around for a long time.”
The Associated Press contributed to this report.