At the tail end of what could be called this summer’s “Worm Week,” antivirus and security experts watched carefully as the spreading SoBig.F variant flooded in-boxes around the Internet with millions of virus-laden e-mails.
Antivirus researchers said the worm, which was set to activate a barrage of e-mail from infected machines Friday, was not especially alarming but did take advantage of previous worms Blaster and Nachi and generated massive amounts of e-mail during its rampage.
“In terms of infected computers, I wouldn’t say it’s the worst ever,” McAfee Avert virus research engineer Craig Schmuger told TechNewsWorld. “In terms of generating e-mail traffic, it is the worst.”
Mystery Code Countdown
As home and corporate users were deluged with e-mail caused by SoBig.F, security experts watched closely for effects of a secondary attack programmed into the worm.
Infected Windows computers were instructed to download an unknown piece of software from a list of 20 Internet addresses every Friday and Sunday afternoon.
After the programmed activation began on Friday, MessageLabs chief technology officer Mark Sunner told TechNewsWorld that the 20 targeted machines had been taken offline and that there were no indications that SoBig.F’s coded instructions were having additional impact.
You’ve Got Worm
Schmuger, who said McAfee partner AOL had reported 11.5 million infected e-mail messages, indicated that even though SoBig.F requires users to open e-mail and click on an attachment, the worm was having widespread impact.
The worm forges the sender field of the e-mail with an address harvested from an infected computer, so the message appears to have come from an acquaintance. Once running, it harvests further e-mail addresses from the infected computer to continue propagating.
Symantec Security Response group product manager Kevin Haley told TechNewsWorld that although most corporate IT systems block the executable attachments included in SoBig.F, the undeliverable reports bouncing back to hijacked sender addresses were adding to the e-mail onslaught.
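The two gateway behaviours Haley describes, blocking executable attachments and bouncing undeliverable mail, can be compared in a few lines. The following is an added example written for this page, not code from the article, from any vendor quoted in it, or from the worm itself. The extension block list, the address names and the sample message are constructed for the example, and the attachment name "details.pif" is an assumption rather than a detail the article gives. The point it shows is that a gateway which refuses the message during the SMTP transaction generates no mail of its own, while a gateway that accepts and then bounces sends a non-delivery report to the forged envelope sender, who never sent anything.

```python
"""Attachment-policy filter beside the accept-then-bounce behaviour that
creates backscatter. Added example; names, extension list and the sample
message are constructed, not taken from the article or the worm."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumed set of extensions the gateway treats as executable.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs"}


def build_sample_message(spoofed_from: str, victim: str,
                         attachment_name: str = "details.pif") -> bytes:
    """Constructed stand-in for a worm mail: a harvested address in From,
    an executable attachment, no relation to the machine that sent it."""
    msg = EmailMessage()
    msg["From"] = spoofed_from
    msg["To"] = victim
    msg["Subject"] = "Re: Your details"
    msg.set_content("Please see the attached file.")
    # "MZ" header plus padding: a placeholder, not a real executable.
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def executable_attachments(raw: bytes) -> List[str]:
    """Return the filenames of attachments whose extension is on the block list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        dot = name.rfind(".")
        if dot != -1 and name[dot:].lower() in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def gateway_decision(envelope_sender: str, raw: bytes,
                     reject_at_smtp: bool) -> Tuple[str, Optional[str]]:
    """Decide what the gateway does with one message.

    Returns (action, recipient_of_any_new_mail). A 5xx reply during the SMTP
    DATA phase tells the connecting MTA (here, the infected machine) that the
    message was refused and originates no mail. Accepting the message and
    bouncing it later sends a non-delivery report to the envelope sender,
    which the worm forged, so the NDR lands on an uninvolved address."""
    if not executable_attachments(raw):
        return ("deliver", None)
    if reject_at_smtp:
        return ("550 executable attachment refused", None)
    return ("bounce", envelope_sender)


def mail_generated_by_gateway(n_worm_messages: int, reject_at_smtp: bool) -> int:
    """Count messages the gateway itself originates for n incoming worm mails."""
    sender = "alice@example.org"
    raw = build_sample_message(sender, "bob@example.net")
    return sum(
        1 for _ in range(n_worm_messages)
        if gateway_decision(sender, raw, reject_at_smtp)[0] == "bounce"
    )


if __name__ == "__main__":
    sample = build_sample_message("alice@example.org", "bob@example.net")
    print(executable_attachments(sample))
    print(gateway_decision("alice@example.org", sample, reject_at_smtp=True))
    print(gateway_decision("alice@example.org", sample, reject_at_smtp=False))
    print(mail_generated_by_gateway(1000, reject_at_smtp=False))
```

The filter keys on the filename extension only, which is what the gateways of the period did; a practitioner would also want content-type and magic-byte checks, since a renamed executable passes this test. The practical lesson is the last function: for a thousand incoming worm messages, the accept-then-bounce gateway sends a thousand NDRs to a forged address, exactly the onslaught Haley describes, whereas rejecting during the SMTP transaction adds nothing.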
Bad for Business
Haley said the vast majority of SoBig.F submissions to Symantec was coming from home users, though some corporations also had been infected.
Schmuger said the worm was challenging small businesses without the IT staff to manage and secure systems. For larger corporations, the difficulty is in dealing with large numbers of computers and users, according to Schmuger, who said e-mail servers were taking on burdensome loads as a result of the outbreak.
Schmuger added that securing corporate systems is made more difficult by remote access and by home workers using their own systems to link to enterprise networks.
Spam Gets Slippery
The worm, which hit millions of users worldwide and, according to some reports, nearly one-third of e-mail users in China, uses spamming tools and techniques to spread, which antivirus experts called a continuing problem.
“It’s a growing trend,” Schmuger said. “They compromise systems and open relays they’re allowed to let software through.”
Schmuger said a spam-like worm such as SoBig.F could be used to spread millions of e-mails via “porn dialers” — mail applications that send users to pornography sites — and through trojans — malicious code meant to cede control of a computer to a remote attacker or program.
While MessageLabs called SoBig.F’s spread the fastest in computer virus history, Haley downplayed the variant’s impact, citing higher submission rates for the Klez.H and BugBear viruses.
But Schmuger said that by hitting home and corporate machines as users and IT staff were dealing with previous outbreaks of Blaster and Nachi, SoBig.F managed to be more disruptive.
“When you look at the worms individually, they’re not that out of the ordinary in the grand scheme of things,” he said. “It’s really just the compressed time scale that is alarming. We may see more virus writers trying to seize on the opportunity of other worms.”
Today is Sept 12. After a two-day pause, I'm being hit with a rush of SoBig.F-infected e-mail that Norton AV with 9/11/2003 definitions is treating very differently than before. It is completely gutting the message and giving me the popup that says it has done so. (All at my request, obviously, but I haven't changed anything except allowing auto-update to do the definitions.)
Comments and suggestions would be appreciated. They can be directed to [email protected]