Friday, December 3, 2021

Sobig-F Overruns Networks, Email Traffic

The latest variant of the Sobig worm is hammering corporate networks, crashing email

servers, staggering Internet traffic and accounting for 70 percent of all email today, according to security analysts.

They also say Sobig-F, which was first detected Monday afternoon, is topping off

what is being called the worst worm week in history.

“This is unbelievable,” says Steve Sundermeier, vice president of products and services at

Central Command Inc., an anti-virus company based in Medina, Ohio. ”We have never seen this

sort of activity before… Sobig-F is causing substantial impact on business right now.

Almost three out of every four messages will be Sobig or it will be a failed delivery

message generated by Sobig.”

And Sundermeier says that’s not even the worst of it.

”Usually with mass-mailing viruses, you have a peak day early on,” adds Sundermeier.

”We’re not seeing any significant degradation right now. We haven’t even hit the peak yet.

That’s the really bad news.”

Sobig-F is a mass-mailing worm that also can spread via network shares, according to Sophos,

Inc., an anti-virus company based in Lynfield, Mass. When it arrives via email, the worm

poses as a .pif or .scr file. The sender’s address is spoofed. The subject lines used are

taken from a list, including ‘Re: That movie’, ‘Re: Wicked screensaver’, ‘Re: Approved’ and

‘Your details’.

In fact, the worm has falsely implicated Jupitermedia Corp. , the parent of this Web site, by forging e-mail headers listing [email protected] as the sender. Jupitermedia is working with law enforcement authorities in an attempt to stop the worm. (For more details, see this related story.)

Security experts say Sobig-F, which is just the latest in the malicious family of Sobig

worms, is hitting the Internet so hard because it is building on the impact of its Sobig

predecessors.

Sundermeier explains that earlier variants of Sobig have infected computers and then

downloaded Trojans to set the machines up to be hidden proxy servers. ”The author has a

huge army now for the next seeding,” he says. ”Every Sobig variant becomes bigger and

bigger, and we believe it’s because of this army he’s building of infected machines.”

Sobig-F is designed to die out on Sep. 10. That’s leading many analysts to suspect that the

next variant will hit on Sep. 11 or soon after. And if that variant builds on the malicious

success of Sobig-F, then the damage could be even worse.

”Sobig-F has quickly become the most widespread virus in the history of email worms and

it’s spreading very rapidly,” says Ken Dunham, malicious code intelligence manager with

Reston, Va.-based iDefense, Inc. ”Corporate networks are just being blasted with a ton of

emails, forcing them to be very aggressive with gateway and content-based filters. As

servers are busy processing all the extra email, it affects their ability to get legitimate

email to people.”

Dunham notes that there have been more than 1 million interceptions of the worm in the last

24 hours. The average significant worm will get 10,000 to 50,000 interceptions in a day.

”I’ve never seen anything like this,” says Dunham.

Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus company based in

Lynfield, Mass., says Sobig-F is just capping off an extremely bad string of viruses.

The Blaster worm, which exploited what could be the most widespread Windows vulnerability,

first hit on Monday, Aug. 11. Blaster had IT managers hopping to patch up holes when several

variants of it hit in the next few days. Then Graybird-A, a backdoor Trojan, appeared

disguised as a patch for the Windows vulnerability that Blaster had been exploiting. After

that, Nachi-A and Dumaru-A both hit.

”This has just been the worst worm week ever,” says Belthoff. ”Worms this past week have

caused incredible slowdowns, if not complete disruption of networks… All you need is a few

infections to shut down an entire mail system.”

Similar articles

Latest Articles