Memories of the Bugbear virus – ten years on

Ten years ago this month, in October 2002, there was one virus you were much more likely to see than any other.

It was called Bugbear, and it was aptly named.

Like much malware of its era, Bugbear’s virulence and prevalence came from the fact that it was its own self-contained spambot.

Bugbear scoured your hard disk for email addresses, looking in likely locations such as email files, and then bombarded those unlucky recipients with copies of itself.

Bugbear attached itself to emails using one of a range of now familiar sounding subject lines:

Once you were infected, Bugbear set about dropping a keylogger and secretly recording what you typed.

It also started a clandestine web server on port 36974, so that the crooks (or anyone else who realised you were infected – such as anyone to whom you’d emailed the virus) could connect to your PC any time they liked and rifle through your files and your network.

And Bugbear set out to kill off a whole raft of security-related processes, from ACKWIN32.EXE to ZONEALARM.EXE. This is a malware “feature” known in good Spy-vs-Spy style as anti-anti-virus.

Ten years on, and I hope that you’d back yourself to spot this sort of malicious spam by subject alone. I also hope you’re much more cautious about opening unsolicited attachments, and I trust that you’re much more restrictive about the sort of files you let through your email gateway.

But it seems that not everyone has learned enough caution in the past ten years. Cybercrooks still make heavy use of unsolicited attachments to spread their malware, and this vector still seems to work. Recent examples include bogus meeting reports, fake traffic tickets, and made-up Facebook notifications.

The attack vector (dodgy emails) and the risks (malware infection) remain the same. All that’s really changed is that the crooks rely much less heavily these days on true viruses.

A virus is a piece of malware which spreads of its own accord, like the Bugbear worm [*] did in 2002.

In some ways, being a virus is a strength. Bugbear doesn’t rely on your PC browsing the web, clicking on links, or fetching lists of new victims to spam. It’s self-contained – it finds its own victims, constructs its own spam, and sends itself autonomously. It’s the ultimate decentralised malware distribution mechanism.

But this sort of strength is also a weakness. Because the malware is autonomous, and can work in isolation, you only need to intercept one sample to begin to analyse it and understand its tricks. Granted, it might be very hard to analyse, but at least you have everything you need to get started.

That’s why most of the malware items you see today are Trojans (more properly, Trojan horses). A Trojan, loosely speaking, is just malware which minds its own business, and doesn’t attempt to spread any further.

Distributing Trojans is most commonly done via malevolent or compromised websites, since most users these days use the web much more actively than they use email. Indeed, for the millions of committed webmail users out there, the web has entirely replaced email in their internet diet.

That makes our job harder, since the malware components which generate and distribute new samples are hidden “in the cloud”, running on the malevolent web server. We don’t get a copy of the malware generator code along with the malware.

Sadly, getting infected with Trojans instead of viruses doesn’t automatically make things easier for you. It certainly doesn’t assuage your pain, since it’s usually the side-effects, or payloads, of viruses and Trojans which cause the real risk: stealing data, sending more spam, attacking websites, and co-opting you against your will (and often entirely without your knowledge) into online cybercriminality .

By the way, there’s one thing that your IT manager really won’t miss about Bugbear: an unexpected part of its network spreading payload. As we wrote dispassionately in our FAQ of ten years ago:

Does Bugbear have any other side-effects?

Bugbear does not infect [existing] files. However, it attempts to copy itself to any available network resources, which can include printers. The printers themselves cannot be infected, but they may start to print out the worm's code, which will waste a lot of paper.

Unsociable, environmentally unsound and technically careless malware writers. Who’d ever have thought it?

Were you there when it happened? Were you part of the fight against Bugbear? If so, we invite you to leave a comment below. Tell us how you got along during the outbreak – everyone loves a good “war story,” especially if there’s a funny side. (You’re allowed to laugh at it, ten years after.)

Has cleaning up after malware got easier or harder in the past ten years? Have your users become safer or slacker?

[*] Some security personalities will spend as long as you’ve got, and often much longer, explaining that viruses and worms form disjoint subsets of malware, and thus that a worm is not a virus. They are wrong. Ignore them. We need a generic term for “self-spreading malware”, and we have a widely-understood word for just that purpose, virus. A worm is just a special sort of virus that doesn’t infect existing files. Instead, worms are self-contained. In set notation, {all worms} ⊂ {all viruses} ⊂ {all malware}.

Increasingly, the word virus is becoming, through the process of metonymy, a synonym for malware in general. Some security personalities will spend longer than you’ve got, and often very, very much longer than that, telling you this is incorrect, outrageous, and that Something Ought to Be Done. They are right, but it’s much easier to ignore them, or to agree to listen only if they buy you a drink to sustain you while they talk. Make it a double. You’ll need it.

Image of MEMORY LANE street sign courtesy of Shutterstock.

Trojan Horse image from Wikipedia.