TechWeb

Newest Sober Variant: Biggest Worm Attack Of The Year

Nov 23, 2005 (10:11 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=174401802


The Sober worm outbreak that began in earnest Tuesday has been dubbed the world's largest mass-mailed malware attack of 2005 by a Finnish security firm.

"The numbers we're seeing [with Sober] are just huge. This is the largest e-mail worm outbreak of the year so far," wrote Mikko Hyppönen, chief research officer of F-Secure, in an online alert.

Meanwhile, Denver-based MX Logic said that Sober was accounting for one in every eight e-mails.

The newest member of the Sober worm clan -- called Sober.x, Sober.y, and Sober.z by various anti-virus vendors -- began spreading Monday and quickly picked up steam Tuesday. Analysts pinned its success on social engineering expertise, technical skill, or a combination of the two.

Many of the messages arrive with fake From: addresses that impersonate the FBI, the CIA, and overseas police agencies such as Germany's Bundeskriminalamt to trick users into opening the attachment. Others pose as video clips of pseudo-celebrities such as Paris Hilton and Nicole Richie.

Like other Sober variants, this one spreads using its own SMTP engine to send copies of itself to addresses it harvests from compromised computers. SMTP uses port 25 to transmit e-mail traffic.




"It's no surprise that we have seen yet another variant of the Sober worm, as this worm propagates via port 25 SMTP traffic," said Scott Chasin, chief technology officer at MX Logic, in a statement. "As long as this port remains open, we'll continue to see mass-mailing worms such as this latest Sober."

Chasin called for Internet service providers (ISPs) to block port 25 to prevent outbound malicious mail such as Sober.

One security firm, the U.K.-based Sophos, has tagged the new Sober with its highest-possible threat label, while others, including Symantec and McAfee, have dubbed it a "medium" threat.

Symantec issued an additional alert to customers of its DeepSight Threat Management System about a large spike in incoming malicious attachments due to the widespread Sober. The alert also recommended that enterprise administrators take action.

"Ensure that all virus scanners are running with fully updated definitions," the alert advised. "Filtering out ZIP-compressed archives at the network perimeter might also be advisable, although it should be noted that delivery of legitimate content will, most likely, be adversely affected by this measure."

Sober's payload arrives in an attached .zip file.
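
The perimeter measure quoted above, sketched as an added example (not from the article or from Symantec): it recognizes ZIP attachments by their content signature rather than by filename or declared MIME type, and separates archives holding an executable from other ZIPs, which limits the impact on legitimate mail that the alert mentions. The extension list, the three verdict names and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature that starts a ZIP archive
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed policy list

def zip_attachments(raw: bytes):
    """Return [(attachment_name, [member names])] for every ZIP part in a message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        # Trust the decoded content, not the declared MIME type or filename.
        if not data.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []    # truncated or malformed archive: cannot be inspected
        found.append((part.get_filename() or "<unnamed>", members))
    return found

def verdict(raw: bytes) -> str:
    """'quarantine' for a ZIP with an executable or an unreadable ZIP, 'hold' for other ZIPs, else 'pass'."""
    zips = zip_attachments(raw)
    if not zips:
        return "pass"
    for _, members in zips:
        if not members or any(m.lower().endswith(RISKY_EXT) for m in members):
            return "quarantine"
    return "hold"

def sample_message(member: str, content: bytes) -> bytes:
    """Constructed sample: a message with one ZIP attachment mislabelled as data.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)   # harmless placeholder bytes
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.org", "user@example.org", "constructed sample"
    m.set_content("See attachment.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="data.bin")
    return m.as_bytes()
```

A "hold" verdict leaves room for delayed delivery or manual release instead of dropping every archive outright.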

As for the rationale behind the biggest attack of the year, analysts are in agreement: it's an attempt by criminals to acquire compromised computers that can be "rented" out to spammers or other hackers.

"I'd be surprised if [the attackers] weren't using the infected systems to add to their bot networks," said Alfred Huger, senior director of engineering for Symantec's security response team. "What they use those bots for, unfortunately, is anyone's guess."