The latest variant of the Sobig worm is hammering corporate networks, crashing email
servers, staggering Internet traffic and accounting for 70 percent of all email today, according to security analysts.
They also say Sobig-F, which was first detected Monday afternoon, is topping off
what is being called the worst worm week in history.
“This is unbelievable,” says Steve Sundermeier, vice president of products and services at
Central Command Inc., an anti-virus company based in Medina, Ohio. ”We have never seen this
sort of activity before… Sobig-F is causing substantial impact on business right now.
Almost three out of every four messages will be Sobig or it will be a failed delivery
message generated by Sobig.”
And Sundermeier says that’s not even the worst of it.
”Usually with mass-mailing viruses, you have a peak day early on,” adds Sundermeier.
”We’re not seeing any significant degradation right now. We haven’t even hit the peak yet.
That’s the really bad news.”
Sobig-F is a mass-mailing worm that also can spread via network shares, according to Sophos,
Inc., an anti-virus company based in Lynfield, Mass. When it arrives via email, the worm
poses as a .pif or .scr file. The sender’s address is spoofed. The subject lines used are
taken from a list, including ‘Re: That movie’, ‘Re: Wicked screensaver’, ‘Re: Approved’ and
‘Your details’.
In fact, the worm has falsely implicated Jupitermedia Corp. , the parent of this Web site, by forging e-mail headers listing admin@internet.com as the sender. Jupitermedia is working with law enforcement authorities in an attempt to stop the worm. (For more details, see this related story.)
Security experts say Sobig-F, which is just the latest in the malicious family of Sobig
worms, is hitting the Internet so hard because it is building on the impact of its Sobig
predecessors.
Sundermeier explains that earlier variants of Sobig have infected computers and then
downloaded Trojans to set the machines up to be hidden proxy servers. ”The author has a
huge army now for the next seeding,” he says. ”Every Sobig variant becomes bigger and
bigger, and we believe it’s because of this army he’s building of infected machines.”
Sobig-F is designed to die out on Sep. 10. That’s leading many analysts to suspect that the
next variant will hit on Sep. 11 or soon after. And if that variant builds on the malicious
success of Sobig-F, then the damage could be even worse.
”Sobig-F has quickly become the most widespread virus in the history of email worms and
it’s spreading very rapidly,” says Ken Dunham, malicious code intelligence manager with
Reston, Va.-based iDefense, Inc. ”Corporate networks are just being blasted with a ton of
emails, forcing them to be very aggressive with gateway and content-based filters. As
servers are busy processing all the extra email, it affects their ability to get legitimate
email to people.”
Dunham notes that there have been more than 1 million interceptions of the worm in the last
24 hours. The average significant worm will get 10,000 to 50,000 interceptions in a day.
”I’ve never seen anything like this,” says Dunham.
Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus company based in
Lynfield, Mass., says Sobig-F is just capping off an extremely bad string of viruses.
The Blaster worm, which exploited what could be the most widespread Windows vulnerability,
first hit on Monday, Aug. 11. Blaster had IT managers hopping to patch up holes when several
variants of it hit in the next few days. Then Graybird-A, a backdoor Trojan, appeared
disguised as a patch for the Windows vulnerability that Blaster had been exploiting. After
that, Nachi-A and Dumaru-A both hit.
”This has just been the worst worm week ever,” says Belthoff. ”Worms this past week have
caused incredible slowdowns, if not complete disruption of networks… All you need is a few
infections to shut down an entire mail system.”