Despite only being active for 10 days in the entire month, the Sobig-F virus wreaked enough
havoc to retain its place as one of the most destructive viruses for the month of September.
But regardless of Sobig-F and the other viruses active last month, September was fairly
quiet in the malicious code world. And after August went down in history as the month with
the most virus damage, September gave IT managers and anti-virus experts time to regroup and
prepare for the next onslaught.
”With August, we had Blaster and Sobig and Nachi,” says Steven Sundermeier, a vice
president with anti-virus company Central Command, Inc., based in Medina, Ohio. ”September
gave everyone a chance to catch up. We’re all trying to gear up for the next big virus,
whether it’s the next Sobig or the Son of Blaster. We’re absolutely gearing up for the next
big outbreak, and September let us do that.”
Two separate anti-virus companies ranked the latest Sobig variant in their infamous lists of
the most malicious viruses in the wild.
Central Command put Sobig-F in its Number One spot, noting that accounted for 67.5 percent
of all virus attacks last month even though it was only active until Sep. 10. Sophos, Inc.,
an anti-virus vendor based in Lynnfield, Mass., put Sobig-F in its fourth spot, behind
Gibe-F, Dumaru-A and Mimail-A.
”This shows how powerful Sobig-F was,” says Sundermeier. ”In just the first 10 days of
September it accumulated all of these attacks. If it hadn’t been deactivated on Sep. 10,
you’d see that 67 percent looking more like 80 percent to 90 percent.”
Sobig-F is a mass-mailing worm that also can spread via network shares. Security analysts
speculate that the virus caused so much damage because the whole string of Sobig viruses
were designed to build on the inroads made by the previous variant. Sobig-E, for example,
wormed its way into millions of computers and then left those doors open. Sobig-F went
through those already open doors and then went from there.
The author of Sobig-F, designed it so it would die out on Sep. 10. That is leading many
security analysts to believe that the next variant in the Sobig family will soon be on its
way. And if it builds on the malicious success of Sobig-F, analysts say the damage could be
The Gibe-C worm, also known as Swen, also caused its share of trouble last month.
Central Command ranked it in second place, noting that Gibe-C accounted for 8.6 percent of
all virus attacks last month. Sophos, however, gave the virus its top malicious spot, saying
they recorded that it accounted for 23.5 percent of all attacks.
Gibe-C played on computer users’ fears by disguising itself as a cumulative security patch
sent out by Microsoft. The email closely mirrored Microsoft’s site and tricked people into
downloading another virus.
While Gibe caused some mayhem, many security analysts have been expecting a huge hit. The
next variant of Sobig was widely believed to be coming around the 9/11 anniversary. The next
Blaster, often referred to as the Son of Blaster, has been lurking just off center stage.
But they didn’t hit last month.
Some analysts are wondering if virus writers are lying low, waiting for the crush of
attention — both from IT managers moving quickly to patch their systems, and law
enforcement moving to quickly lock up and prosecute malicious authors — to pass.
”My gut tells me they’ve kind of gone underground for a time,” says Dan Woolley, a vice
president with Computer Associates. ”The guys out there writing bad code have a lot of heat
on them and they’ve gone underground a little. Maybe they’ll stay low till Christmas or the
new year. This is just my gut feeling.”
”That may very well be,” he says. ”Word is getting out that charges will be brought.”
But Sundermeier doesn’t think the virus writers will be laying low for long.