Feds escape Bugbear bite

The variant of the Bugbear computer worm that started to spread throughout the Internet on June 5 doesn't appear to have adversely impacted federal agencies, according to initial reports from cybersecurity experts.

Hit by a wave of fast-spreading, Internet-borne viruses over the past few years, agencies, like many corporations, have moved to shore up virus protection and cyberdefenses, agency security officers and security experts noted.

Bugbear is an Internet mass-mailing worm. Once activated on a computer, the worm e-mails itself to addresses found on the local system. The sender address in a message can be spoofed, or forged, and so is not a direct indication of an infected user. Bugbear spreads using network shares and by mailing itself using the default Simple Mail Transfer Protocol engine. Users will know that they have been infected by the presence of a non-standard .EXE file in the startup folder, virus experts said.

"We have not seen any of our government customers infected," said Peter Stapleton, product marketing manager at NetSec Inc., which provides security services for nine cabinet-level departments including the departments of Agriculture, Justice and the Treasury.

"We've advised all of our clients they should not allow executable files through the e-mail server," Stapleton said.

Blocking executable content at the e-mail gateway has become a standard policy of many agencies over the past two to three years, said Jimmy Kuo, a member of Network Associates Inc.'s AntiVirus Emergency Response Team (AVERT). As a result, Network Associates' government clients, such as the Defense Information Systems Agency and the Department of Veterans Affairs, weren't infected with the Bugbear variant.

Veterans Affairs cybersecurity chief Bruce Brody confirmed Kuo's claims, noting that Bugbear's impact was "negligible." He added, "Our antivirus defenses are robust."

The Department of Defense also viewed Bugbear as a low-level threat. "The Joint Task Force-Computer Network Operations, in coordination with the Department of Defense Computer Emergency Virus Response Team, assesses viruses and their potential impact to DOD systems," according to a JTF-CNO spokesman in a statement e-mailed to FCW. The DOD works closely with industry partners and virus protection vendors to ensure that the agency stays up to date on antivirus signatures and that they are deployed across DOD's global information network. "Because we continuously and rapidly take such proactive measures, the JTF-CNO and the DOD CERT have assessed the impact of the named viruses as low threat and note no significant impact to date," the DOD spokesman said.

The Bugbear variant was still spreading through the Internet on Friday, prompting virus protection teams at Network Associates and Symantec Corp. to classify the worm as a high risk.

Symantec Security Response analysts had tracked 1,002 submissions of the variant, known as W32.Bugbear.B, by Friday, said Vincent Weafer, senior director of Symantec Security Response. Symantec analysts don't think the worm's spread has peaked yet. By comparison, the original Bugbear worm was discovered on Sept. 30, 2002 and peaked in its fifth day with 6,888 submissions.

Dan Caterinicchia and Judi Hasson contributed to this story.