Sobig-F timed for Trojan download tonight?

Twist in the tail


The prolific mass-mailing Sobig-F email worm, which has flooded computer users this week, could attempt to download a Trojan horse tonight, anti-virus companies are warning.

The worm has been programmed to automatically direct infected PCs to a server controlled by the virus writer from which a malicious program could be downloaded. It is timed to do so at 19:00-22:00 GMT on Fridays and Sundays.

At the moment, it is unclear what the download material will do, or even the Internet address of the server from which the worm will download malicious code. Likewise, it's unclear if any attack will succeed.

However, AV firms are concerned about the possibility that the worm will download code to launch another virus or spam attack, collect sensitive information, or delete files stored on an infected computer or network.

Graham Cluley, senior technology consultant at Sophos Anti-Virus, said that although it is easy to write detection programs for the virus it is far more complex to analyse its behaviour.

"Whoever wrote this virus has knowledge of how AV systems operate and has written the code with obfuscation in mind. The viral code is quite complicated," Cluley told us.

"Rather than giving a specific address from where the virus will download code, Sobig-F gives a roadmap of places to visit before reaching a final destination. This roadmap doesn't go anywhere as yet," he added.

Cluley reckons the Sobig-F virus was probably written by the same author as previous versions of the worm. The motives of the unknown virus author remain unclear.

Spam zombie network 'too successful'
Paul Wood, chief information security analyst at MessageLabs, theorised that the worm may have been written (like its predecessors) to create a network of spam zombies.

However, the success of the latest variant might be counterproductive. The attention given to the outbreak means that if the unknown virus writers release spam engine code tonight, this is likely to give clues that investigators might seize upon. And the high profile of the worm means this information will be given closer attention than might otherwise be the case.

Thus far, MessageLabs has blocked "in excess of three million copies" of Sobig, an "unheard of figure", Wood said. These viruses are emanating from a large number of IP addresses - suggesting that many people have become infected.


AV vendors simply do not know with any certainty whether the worm will perform any malicious actions tonight. Sophos' Cluley points out that many viruses have flopped before.

But that's no reason for complacency this time around.

Cluley said: "The main effect of Sobig-F to date has been to slow down the internet with the sheer quantity of emails it has generated. At 8pm tonight, most British companies will have left the office for the bank holiday weekend, but any infected computers that are left on have the potential to become zombies, doing whatever the virus writer wants. If the writer of Sobig succeeds in installing a Trojan on infected PCs, users could be in for a nasty shock when they return to work next week.

"What the worm downloads will not be known until this evening - it could display an offensive but largely harmless message or launch a malicious attack. But the download is timed to coincide with the regular business afternoon in the US, so users should be concerned about unauthorised code running on their computers. On Monday morning businesses in the Far East and Australia will be beginning their working day when the worm tries a second time to download unknown code from the net," Cluley added.

Sophos advises that the download can be avoided by configuring firewalls to block outgoing connection attempts to UDP port 8998. In addition, anti-virus software should be updated, and any infected PCs disinfected.

Are we losing the fight against malicious code?
Which is all well and good - but is it enough?

It's easily overlooked, but worth stating again, that Sobig-F is a Windows-only menace. Apple, Linux, OS/2 and Unix users simply can't get infected by the bug but are still being swamped with bounced messages from autoresponders. This is also true for Windows users who've taken adequate security precautions.

Also the effect of the worm is disproportionate. Although MessageLabs' statistics provide evidence that the virus is widely dispersed it seems to us that infected machines are throwing out a vast number of infectious emails.

Because the viruses are sent in spoofed messages sent to email addresses scoured from infected PCs, individuals whose email addresses are widely circulated on the Internet are disproportionately hit. That's why Sobig-F has generated so much copy in the UK nationals and online news services whereas, for most organisations, Blaster is probably the more serious problem.

Whichever way you look at it, there's a shitstorm out there

MessageLabs' Wood said that AV vendors only produced signatures to detect Sobig-F 12 hours into the initial outbreak, by which point the virus had taken hold. That's a problem we've seen before. For example, rival managed services firm Avecho.com spotted the first instance of the less prolific Mimail email worm six days before it hit the radar of conventional AV firms.

The problems don't stop even when protection is in place. We're still getting bounced notifications about viral infections in spoofed email from firms running many different AV packages. MessageLabs says it has disabled this notification and we can only hope more firms follow suit (Symantec, McAfee in particular - please take note).

This particular problem, which we sense is more of an issue for dot com companies, is giving email firewall companies (such as Tumbleweed) an opportunity to tout their wares.

However, MessageLabs' Wood argues that filtering at the Internet gateway isn't a complete answer for the problem because firms are still obliged to waste bandwidth downloading spurious notifications.

Whichever way you look at it - it isn't pretty... ®
