Sobig-F timed for Trojan download tonight?
Twist in the tail
The prolific mass-mailing Sobig-F email worm, which has flooded computer users this week, could attempt to download a Trojan horse tonight, anti-virus companies are warning.
The worm has been programmed to automatically direct infected PCs to a server controlled by the virus writer from which a malicious program could be downloaded. It is timed to do so at 19:00-22:00 GMT on Fridays and Sundays.
At the moment, it is unclear what the downloaded material will do, or even the Internet address of the server from which the worm will download malicious code. Likewise, it's unclear if any attack will succeed.
However, AV firms are concerned about the possibility that the worm will download code to launch another virus or spam attack, collect sensitive information, or delete files stored on an infected computer or network.
Graham Cluley, senior technology consultant at Sophos Anti-Virus, said that although it is easy to write detection programs for the virus it is far more complex to analyse its behaviour.
"Whoever wrote this virus has knowledge of how AV systems operate and has written the code with obfuscation in mind. The viral code is quite complicated," Cluley told us.
"Rather than giving a specific address from where the virus will download code, Sobig-F gives a roadmap of places to visit before reaching a final destination. This roadmap doesn't go anywhere as yet," he added.
Cluley reckons the Sobig-F virus was probably written by the same author as previous versions of the worm. The motives of the unknown virus author remain unclear.
Spam zombie network 'too successful'
Paul Wood, chief information security analyst at MessageLabs, theorised that the worm may have been written (like its predecessors) to create a network of spam zombies.
However, the success of the latest variant might be counterproductive. The attention given to the outbreak means that if the unknown virus writers release spam engine code tonight, this is likely to give clues that might be seized upon by investigators of the outbreak. And the high profile of the worm means this information will be given closer attention than might otherwise be the case.
Thus far, MessageLabs has blocked "in excess of three million copies" of Sobig, an "unheard of figure", Wood said. These viruses are emanating from a large number of IP addresses - suggesting that many people have become infected.
AV vendors simply do not know with any certainty whether the worm will perform any malicious actions tonight. Sophos' Cluley points out that many viruses have flopped before.
But that's no reason for complacency this time around.
Cluley said: "The main effect of Sobig-F to date has been to slow down the internet with the sheer quantity of emails it has generated. At 8pm tonight, most British companies will have left the office for the bank holiday weekend, but any infected computers that are left on have the potential to become zombies, doing whatever the virus writer wants. If the writer of Sobig succeeds in installing a Trojan on infected PCs, users could be in for a nasty shock when they return to work next week.
"What the worm downloads will not be known until this evening - it could display an offensive but largely harmless message or launch a malicious attack. But the download is timed to coincide with the regular business afternoon in the US, so users should be concerned about unauthorised code running on their computers. On Monday morning businesses in the Far East and Australia will be beginning their working day when the worm tries a second time to download unknown code from the net," Cluley added.
Sophos advises that the download can be avoided by configuring firewalls to block outgoing connection attempts to UDP port 8998. In addition, anti-virus software should be updated, and any infected PCs disinfected.
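Whether that block is in place, and which machines are trying to call out, can be checked from firewall logs. The script below is an added example, not code from this article or from Sophos: the log format and addresses are constructed, and treating 22:00 as the exclusive end of the download window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log; the line format is an assumption, not a real product's.
SAMPLE_LOG = """\
2003-08-22T19:04:11Z ALLOW OUT UDP 10.0.0.21:1045 -> 192.0.2.10:8998
2003-08-22T19:04:12Z ALLOW OUT UDP 10.0.0.21:1046 -> 192.0.2.11:8998
2003-08-22T14:30:00Z ALLOW OUT UDP 10.0.0.35:1050 -> 198.51.100.7:8998
2003-08-22T19:10:00Z ALLOW OUT UDP 10.0.0.40:1051 -> 198.51.100.53:53
2003-08-24T21:59:59Z DENY OUT UDP 10.0.0.52:1060 -> 203.0.113.9:8998
2003-08-22T19:15:00Z ALLOW IN UDP 203.0.113.9:8998 -> 10.0.0.60:1070
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (ALLOW|DENY) (IN|OUT) (UDP|TCP) "
    r"([\d.]+):\d+ -> [\d.]+:(\d+)$")
SOBIG_PORT = 8998        # outbound UDP port named in the Sophos advice
TRIGGER_DAYS = {4, 6}    # datetime.weekday(): Friday=4, Sunday=6

def in_trigger_window(ts):
    """True for Fri/Sun 19:00-21:59:59 GMT (end of window assumed exclusive)."""
    return ts.weekday() in TRIGGER_DAYS and 19 <= ts.hour < 22

def find_sobig_callouts(log_text):
    """Per internal host: outbound UDP/8998 attempts, how many the firewall
    allowed, and how many fell inside the worm's download window."""
    hosts = defaultdict(lambda: {"attempts": 0, "allowed": 0, "in_window": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        stamp, action, direction, proto, src, dport = m.groups()
        if direction != "OUT" or proto != "UDP" or int(dport) != SOBIG_PORT:
            continue  # only outbound UDP to port 8998 is of interest
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec = hosts[src]
        rec["attempts"] += 1
        rec["allowed"] += action == "ALLOW"    # rule missing if this is > 0
        rec["in_window"] += in_trigger_window(ts)
    return dict(hosts)

if __name__ == "__main__":
    for host, rec in sorted(find_sobig_callouts(SAMPLE_LOG).items()):
        print(host, rec, "NOT BLOCKED" if rec["allowed"] else "blocked")
```

Any host that appears in the result is a candidate for disinfection; a non-zero "allowed" count means the outbound block is not taking effect for that machine.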
Are we losing the fight against malicious code?
Which is all well and good - but is it enough?
It's easily overlooked, but worth stating again, that Sobig-F is a Windows-only menace. Apple, Linux, OS/2 and Unix users simply can't get infected by the bug but are still being swamped with bounced messages from autoresponders. This is also true for Windows users who've taken adequate security precautions.
Also, the effect of the worm is disproportionate. Although MessageLabs' statistics provide evidence that the virus is widely dispersed, it seems to us that infected machines are throwing out a vast number of infectious emails.
Because the virus travels in spoofed messages sent to email addresses scoured from infected PCs, individuals whose email addresses are widely circulated on the Internet are disproportionately hit. That's why Sobig-F has generated so much copy in the UK nationals and online news services whereas, for most organisations, Blaster is probably the more serious problem.
Whichever way you look at it, there's a shitstorm out there
MessageLabs' Wood said that AV vendors only produced signatures to detect Sobig-F 12 hours into the initial outbreak, at which point the virus had taken hold. That's a problem we've seen before. For example, rival managed services firm Avecho.com spotted the first instance of the less prolific Mimail email worm six days before it hit the radar of conventional AV firms.
The problems don't stop even when protection is in place. We're still getting bounced notifications about viral infections in spoofed email from firms running many different AV packages. MessageLabs says it has disabled this notification and we can only hope more firms follow suit (Symantec, McAfee in particular - please take note).
This particular problem, which we sense is more of an issue for dot com companies, is giving email firewall companies (such as Tumbleweed) an opportunity to tout their wares.
However, MessageLabs' Wood argues that filtering at the Internet gateway isn't a complete answer to the problem because firms are still obliged to waste bandwidth downloading spurious notifications.
Whichever way you look at it - it isn't pretty... ®