Profile of the Superworm: SoBig.E Exposed
Aug 13, 2003 4:00 AM PT
The SoBig.E worm, released two months ago on the Internet, continues to spread from unprotected computers. Some Internet security analysts fear that this latest variant of the SoBig family -- much like possible future variants of the new Microsoft Blaster or LovSan worm that began to proliferate early this week -- will cause long-term threats to Internet security.
Unlike the rather simple Blaster worm that takes advantage of a vulnerability in Microsoft's operating system, the SoBig.E worm's unique design includes a maintenance channel for future updates and a back door that can provide hackers with access to infected machines. The worm spreads via e-mail and shared files over networks.
SoBig.E itself does little harm to infected computer systems. Its biggest threat is the security hole it creates in infected PCs and networks. It also has the ability to open ports so that spammers can use infected systems as mail relays.
"SoBig.E is the first worm to use hacking technology wrapped around a spam delivery engine," William Hancock, vice president and chief security officer for Cable & Wireless, told TechNewsWorld.
Some analysts do not think the effects of the SoBig.E worm will fade anytime soon. Although the source code has timed out -- meaning the most recent iteration of the worm is no longer proliferating on its own -- many hackers now have access to compromised systems in almost every corner of the Internet.
Jerry Brady, CTO of Guardent, told TechNewsWorld that hackers have been much more active in exchanging information about the SoBig.E source code than they have with other variants. Great potential for harm lies in the worm's built-in software maintenance channel, which hackers can easily use to reverse engineer the code and release the worm again.
Brady said the multiple infection vectors in SoBig.E give this worm a much more virulent means of spreading than previous generations of SoBig. Its primary point of attack is file sharing, which gives it the ability to propagate quickly on corporate networks. Its secondary attack vector is e-mail systems.
The worm's ability to cull local files on infected PCs adds to its spreadability. And if you add to all of these capabilities the fact that many users are not well educated about safe computer practices, it seems likely that the SoBig.E worm will be dangerous for many years to come.
Many PC users on networked computers are more vulnerable because they leave certain channels exposed. Once a network system is infected with SoBig.E, the worm searches for connected machines to copy itself to startup folders.
"This [stage of the infection process] will fail unless users are sharing their Windows directories with write access turned on," Mikko Hermanni Hyppönen, director of anti-virus research for Finland-based F-Secure, told TechNewsWorld. "[Granting write access] is something that should never be done."
Knowing the sender of a message is no safeguard against infection. "SoBig.E is capable of spoofing familiar addresses," Dee Liebenstein, a product manager with Symantec Security Response, told TechNewsWorld. "People have to think before opening an attached file, whether they know the sender or not -- and they need updated virus definitions."
Analysts agree that a good portion of the threat from the SoBig.E Worm could have been mitigated by rigorous maintenance of virus scanner definitions and carefully applied settings on firewall software.
SoBig.E constructs outgoing messages using its own mail engine -- based on the Simple Mail Transfer Protocol (SMTP) -- and sends the infecting code in an attached ZIP archive. Compressing the infection into a ZIP file gives the worm the ability to sidestep extension- or executable-blocking rules in recipients' e-mail programs. The worm cannot infect a computer unless the user actually decompresses the ZIP file and runs the malicious program.
Once the user activates the code, the worm finds new victims in the infected machine's address book and uses its own SMTP engine to send those new addresses the same attached ZIP file. The worm searches through files in the infected machine, looking specifically for files that contain e-mail addresses.
You can spot a potentially infected file by noting two mail message characteristics. The body of the message will contain the following sentence: "Please see the attached zip file for details." The attachment line will read "Your_details.zip." The file inside the ZIP archive is called "details.pif."
Users also should be wary of attached files with a ".ZI" extension. The worm can create an outgoing message with the closing quotation mark missing. Some e-mail programs drop the final letter of the extension as a result.
Once activated by opening the infected file, the worm copies itself to the file "winssk32.exe" and creates two Windows Registry values so that the infected application will run when Windows restarts. Additionally, the worm can create a file called "MSRRF.DAT," which some analysts have said is one of the ways the malware allows its creators to upgrade and maintain activity in infected systems.
Effects of the Worm
Hancock said the backdoor that SoBig.E creates is the primary purpose of the worm. When the worm rampantly spreads, the traffic it generates can slow down networks -- much like the Microsoft Blaster worm -- but the SoBig.E worm gives remote attackers the ability to download and run files on an infected system.
Ultimately, the ability to hijack systems to create spam and other Internet mayhem will continue to have a major impact on the communications industry, Hancock said. In a normal day, his company e-mail volume is between 100,000 and 200,000 messages. Because of SoBig.E, he estimates that over the next three months, volume will spike to 1 million messages per day.
Generally speaking, spam normally represents 30 to 60 percent of daily e-mail volume on the Internet. "The new capabilities in SoBig.E will increase that volume by a factor of ten," said Hancock.
Perhaps the most likely way this could happen is through uneducated PC users who do not know that their computers have been hijacked by the worm's code. These users unwittingly allow their computers to be used as a conduit for file exchanging and spam relaying. Such abuses can just as easily crash a single user's computer as they can an entire corporate network, concluded Hancock.
No End in Sight
The SoBig.E worm might well be the ticket to the promised land for both hackers and spammers -- and both groups stand to profit from it. "Revenue is driving the use of this worm," Hancock said. "As long as there is a source of revenue for spam, this sort of activity will continue."
Hancock said there is no easy solution to the kind of attacks posed by the SoBig.E worm as long as existing Internet protocols remain unchanged. The Internet is using protocols designed in the 1970s, he said, warning that today's millions of Internet users are relying on a system that has no built-in protocol for security measures.
The entire SoBig worm family is linked by a unique trait. The original worm writer created an expiration date on each variant and kept releasing new variants when the old one stopped spreading. SoBig.E -- which continues to spread despite its expiration date -- seems to have broken that trend. The anticipated SoBig.F has not yet appeared.