BugBear is the next mass-mailing worm. It appeared in early October and has been spreading aggressively.
What it does
BugBear's mechanisms:
- Mass-mails itself using addresses harvested from the host (similar to Klez).
- Spreads over network shares.
- Installs a keystroke logger that captures passwords and credit-card data.
- Disables many antivirus and firewall products.
The keystroke logging is the most notable feature — earlier mass-mailers were primarily about propagation; BugBear is also about credential theft. The economic motivation is now explicit in the worm itself.
What is structurally novel
The combination of mass-mailing propagation with credential-harvesting payload is the structural innovation. Previous worms were primarily one or the other; BugBear is both.
The defensive implication: cleanup is more involved. Removing the worm itself is straightforward; changing every credential the user typed during the infection window is harder, and many users will not realise they need to do it.
What operators should do
The usual: strip executable attachments at the relay; apply antivirus signatures; apply the current Outlook patches. Plus: educate users about rotating credentials after a compromise.
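The "strip executable attachments at the relay" step, as an added example (not code from the original post or from any product mentioned in it). It assumes a Python 3 relay hook that hands the filter the raw message bytes; the blocked-extension list and the sample message are constructed here and should be tuned per site. The filter checks both the filename extension and the first two bytes of the decoded payload, because a Windows executable begins with "MZ" whatever it has been renamed to, so a disguised attachment is still caught.

```python
"""Mail-relay attachment filter: replaces executable attachments with a notice.

Added example, not from the original post. Assumes Python 3 and a relay
hook that passes raw RFC 822 message bytes. Extension list is a constructed
starting point, not a statement of what any particular worm uses.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions treated as executable at the relay (assumption: tune per site).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def looks_executable(filename, payload):
    """Return True if an attachment is executable by name or by content.

    The content check looks for the 'MZ' signature that DOS/Windows
    executables start with, so a renamed or mislabelled binary is caught
    even when its extension looks harmless.
    """
    ext = os.path.splitext(filename or "")[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return True
    return payload[:2] == b"MZ"


def _scrub(container, stripped):
    """Walk one multipart container, replacing executable parts in place."""
    parts = container.get_payload()  # the list of sub-parts for a multipart
    for i, part in enumerate(parts):
        if part.is_multipart():
            _scrub(part, stripped)  # e.g. multipart/alternative inside mixed
            continue
        filename = part.get_filename()
        if not filename:
            continue  # body text or an unnamed inline part
        payload = part.get_payload(decode=True) or b""
        if looks_executable(filename, payload):
            notice = EmailMessage()
            notice.set_content(f"[attachment {filename!r} removed by relay policy]")
            del notice["MIME-Version"]  # not wanted on a sub-part
            parts[i] = notice
            stripped.append(filename)


def strip_executables(raw):
    """Parse raw message bytes; return (sanitised message, stripped filenames)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    if msg.is_multipart():
        _scrub(msg, stripped)
    return msg, stripped


def build_sample_message():
    """Constructed test message: one harmless and two executable attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    # executable by extension
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="card.scr")
    # executable by content only: PE bytes behind a harmless-looking name
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="setup.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    clean, removed = strip_executables(build_sample_message())
    print("stripped:", removed)
    print(clean.as_string())
```

Filtering on filename alone is not enough: anything that can be renamed will be, which is why the decoded payload is inspected as well. The notice part tells the recipient what was removed so that a legitimate binary can be re-sent through an agreed channel.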
More as the worm develops.