Sobig-F timed for Trojan download tonight?

Twist in the tail


The prolific mass-mailing Sobig-F email worm, which has flooded computer users this week, could attempt to download a Trojan horse tonight, anti-virus companies are warning.

The worm has been programmed to automatically direct infected PCs to a server controlled by the virus writer from which a malicious program could be downloaded. It is timed to do so at 19:00-22:00 GMT on Fridays and Sundays.

At the moment, it is unclear what the download material will do, or even the Internet address of the server from which the worm will download malicious code. Likewise, it's unclear if any attack will succeed.

However, AV firms are concerned about the possibility that the worm will download code to launch another virus or spam attack, collect sensitive information, or delete files stored on an infected computer or network.

Graham Cluley, senior technology consultant at Sophos Anti-Virus, said that although it is easy to write detection programs for the virus, it is far more complex to analyse its behaviour.

"Whoever wrote this virus has knowledge of how AV systems operate and has written the code with obfuscation in mind. The viral code is quite complicated," Cluley told us.

"Rather than giving a specific address from where the virus will download code, Sobig-F gives a roadmap of places to visit before reaching a final destination. This roadmap doesn't go anywhere as yet," he added.

Cluley reckons Sobig-F was probably written by the same author as previous versions of the worm. The motives of the unknown virus author remain unclear.

Spam zombie network 'too successful'
Paul Wood, chief information security analyst at MessageLabs, theorised that the worm may have been written (like its predecessors) to create a network of spam zombies.

However, the success of the latest variant might be counterproductive. The attention given to the outbreak means that if the unknown virus writers release spam engine code tonight, it is likely to yield clues that investigators can seize upon. And the high profile of the worm means this information will be given closer attention than might otherwise be the case.

Thus far, MessageLabs has blocked "in excess of three million copies" of Sobig, an "unheard of figure", Wood said. These viruses are emanating from a large number of IP addresses, suggesting that many people have become infected.

AV vendors simply do not know with any certainty whether the worm will perform any malicious actions tonight. Sophos' Cluley points out that many viruses have flopped before.

But that's no reason for complacency this time around.

Cluley said: "The main effect of Sobig-F to date has been to slow down the internet with the sheer quantity of emails it has generated. At 8pm tonight, most British companies will have left the office for the bank holiday weekend, but any infected computers that are left on have the potential to become zombies, doing whatever the virus writer wants. If the writer of Sobig succeeds in installing a Trojan on infected PCs, users could be in for a nasty shock when they return to work next week.

"What the worm downloads will not be known until this evening - it could display an offensive but largely harmless message or launch a malicious attack. But the download is timed to coincide with the regular business afternoon in the US, so users should be concerned about unauthorised code running on their computers. On Monday morning businesses in the Far East and Australia will be beginning their working day when the worm tries a second time to download unknown code from the net," Cluley added.

Sophos advises that the download can be prevented by configuring firewalls to block outgoing connection attempts to UDP port 8998. In addition, anti-virus software should be updated and any infected PCs disinfected; blocking the port only stops the callback, it does not clean the machine.
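A firewall rule keeps the callback from getting out, but it also tells you which machines are trying. The script below is an added example, not code from the article, Sophos or MessageLabs. It takes the two facts the article supplies, UDP port 8998 and the 19:00-22:00 GMT Friday/Sunday trigger window, and runs them over firewall log lines to list internal hosts that attempted the callback, how many of those attempts fell inside the window, and how many actually got through (which tells you whether the recommended block is in place). The log format, the IP addresses and the 10.x internal prefix are all constructed for this example; adapt the regex to your own firewall's output.

```python
"""Flag internal hosts attempting the Sobig-F UDP/8998 callback.

Added illustration, not code from the article or from any AV vendor.
Facts taken from the article: the worm polls over UDP port 8998 and is
timed for 19:00-22:00 GMT on Fridays and Sundays. Everything else here
(log format, addresses, internal prefix) is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

CALLBACK_PORT = 8998          # UDP port named in the Sophos advice
WINDOW_HOURS = range(19, 22)  # 19:00-21:59 GMT, per the article
WINDOW_DAYS = {4, 6}          # datetime.weekday(): Monday=0, Friday=4, Sunday=6

# Constructed log format:
#   "<ISO-8601 UTC timestamp> <ALLOW|DENY> <UDP|TCP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    rec["dport"] = int(rec["dport"])
    return rec


def in_trigger_window(ts):
    """True if the timestamp falls in the article's Friday/Sunday 19:00-22:00 GMT window."""
    return ts.weekday() in WINDOW_DAYS and ts.hour in WINDOW_HOURS


def find_callback_hosts(lines, internal_prefix="10."):
    """Return {src_ip: {"attempts": n, "in_window": n, "allowed": n}} for internal
    hosts that sent UDP to port 8998 on an external address.

    "allowed" > 0 means the firewall is not yet dropping the callback.
    """
    hits = defaultdict(lambda: {"attempts": 0, "in_window": 0, "allowed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != CALLBACK_PORT:
            continue
        # Only outbound: internal source, external destination.
        if not rec["src"].startswith(internal_prefix) or rec["dst"].startswith(internal_prefix):
            continue
        h = hits[rec["src"]]
        h["attempts"] += 1
        if in_trigger_window(rec["ts"]):
            h["in_window"] += 1
        if rec["action"] == "ALLOW":
            h["allowed"] += 1
    return dict(hits)


# Constructed sample log. 2003-08-22 was the Friday of the first trigger;
# 2003-08-21 (Thursday) is outside the window.
SAMPLE_LOG = """\
2003-08-22T19:02:11Z DENY UDP 10.1.4.23:1034 -> 203.0.113.10:8998
2003-08-22T19:02:14Z DENY UDP 10.1.4.23:1035 -> 198.51.100.7:8998
2003-08-22T19:03:40Z ALLOW UDP 10.1.7.88:1412 -> 203.0.113.11:8998
2003-08-22T19:04:00Z ALLOW TCP 10.1.4.23:1040 -> 203.0.113.10:80
2003-08-21T19:05:00Z DENY UDP 10.1.9.2:2000 -> 203.0.113.12:8998
2003-08-22T19:06:00Z ALLOW UDP 10.1.4.23:1050 -> 10.1.0.53:53
""".splitlines()


if __name__ == "__main__":
    for host, stats in sorted(find_callback_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {stats}")
```

Two hosts (10.1.4.23 and 10.1.7.88) tried the callback inside the Friday window; 10.1.7.88's attempt was allowed through, so on that network the recommended block is not in place. 10.1.9.2 hit the port outside the window, which is still worth a look but does not match the worm's timer. Any host listed needs disinfecting regardless of whether the firewall stopped the packet.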

Are we losing the fight against malicious code?
Which is all well and good - but is it enough?

It's easily overlooked, but worth stating again, that Sobig-F is a Windows-only menace. Apple, Linux, OS/2 and Unix users simply can't be infected by the bug, but are still being swamped with bounced messages from autoresponders. The same is true for Windows users who have taken adequate security precautions.

The effect of the worm is also disproportionate. Although MessageLabs' statistics provide evidence that the virus is widely dispersed, it seems to us that each infected machine is throwing out a vast number of infectious emails.

Because the viruses are sent in spoofed messages to email addresses harvested from infected PCs, individuals whose email addresses are widely circulated on the Internet are disproportionately hit. That's why Sobig-F has generated so much copy in the UK nationals and online news services whereas, for most organisations, Blaster is probably the more serious problem.

Whichever way you look at it, there's a shitstorm out there

MessageLabs' Wood said that AV vendors only produced signatures to detect Sobig-F 12 hours into the initial outbreak, by which point the virus had taken hold. That's a problem we've seen before. For example, rival managed services firm Avecho.com spotted the first instance of the less prolific Mimail email worm six days before it hit the radar of conventional AV firms.

The problems don't stop even when protection is in place. We're still getting bounced notifications about viral infections in spoofed email from firms running many different AV packages. Since the sender address is forged, those notifications land on people who were never infected. MessageLabs says it has disabled this notification, and we can only hope more firms follow suit (Symantec, McAfee in particular - please take note).

This particular problem, which we sense is more of an issue for dot com companies, is giving email firewall companies (such as Tumbleweed) an opportunity to tout their wares.

However, MessageLabs' Wood argues that filtering at the Internet gateway isn't a complete answer for the problem because firms are still obliged to waste bandwidth downloading spurious notifications.

Whichever way you look at it - it isn't pretty... ®
