One in every 74 e-mail messages on the Internet yesterday carried a new strain of the Sober virus, estimates one security analyst.
“At the moment, this virus is accounting for 65 percent of all virus reports to us,” Graham Cluley, a senior technology consultant for anti-virus software maker Sophos, told TechNewsWorld. “That means, including legitimate mail, spam and everything else, one in 74 messages presently contains the Sober worm.”
Although the new Sober variant spread quickly, security experts said existing anti-virus programs should be able to scrub most infected messages. The strain shares characteristics with earlier versions, which makes it easy for virus-fighting programs to identify the malware and quarantine it.
“Most anti-virus vendors already protect their customers against this,” Alfred Huger, senior director of engineering at Symantec Security Response in Santa Monica, Calif., told TechNewsWorld.
Cocktail of Techniques
One reason the worm spread so rapidly was that it combined a number of tried-and-true malware methods, according to Sam Curry, vice president for product management at eTrust Security Management in Islandia, N.Y.
“I find it ironic that the same worm can spoof the FBI and CIA on the one hand and use the old ‘do you want to see pictures of …’ trick on the other,” he told TechNewsWorld.
Among the several cover letters the worm uses to spread itself is one purporting to be from the FBI or CIA. According to Sophos, the FBI letter read:
Dear Sir/Madam,
We have logged your IP-address on more than 30 illegal Web sites. Important: Please answer our questions! The list of questions are attached.
Federal Bureau of Investigation-FBI-
935 Pennsylvania Avenue, NW , Room 3220
Washington, DC 20535
Phone: (202) 324-30000
Dual Language Propulsion
Another factor contributing to the spread of the virus was its ability to produce mischief in two languages, English and German, noted Huger.
“That opens up the general number of people who could read it, have access to it and might click on it,” he said.
Curry explained that when the worm infects a machine, it starts accessing multiple outbound e-mail servers and runs three processes simultaneously.
It harvests target addresses from the infected computer’s hard disk, he continued, and sends each target multiple e-mails with different subject lines, attachment names and mailing routes.
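The lure letter quoted above and the propagation behaviour Curry describes (varying subject lines and attachment names, spoofed agency senders) suggest what a mail-gateway heuristic has to look at. The following is an added example, not code from the article, Sophos, Symantec or any other vendor named here: it parses constructed sample messages and scores three independent signals, so that a worm rotating its subject line or attachment name still trips the body-text and header-spoofing checks. The lure phrases are taken from the FBI letter on this page; the list of risky attachment extensions and all addresses and relay names are assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Phrases lifted from the FBI lure quoted in the article.
LURE_PHRASES = (
    "logged your ip-address",
    "illegal web sites",
    "list of questions are attached",
)
# Agencies the article says the worm impersonates in its From: line.
IMPERSONATED_DOMAINS = ("fbi.gov", "cia.gov")
# Attachment types a mass-mailer commonly carries. This list is an
# assumption of the example; the article names no specific type.
RISKY_EXTENSIONS = (".zip", ".exe", ".pif", ".scr", ".bat", ".com")


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Return the heuristics a raw RFC 822 message trips, plus a verdict.

    Each signal is independent, so a message that varies its subject
    line or attachment name still lands on the other checks.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    # 1. Header spoofing: From: claims an agency domain but the envelope
    #    sender (Return-Path) belongs to someone else.
    from_dom = _domain(msg.get("From"))
    envelope_dom = _domain(msg.get("Return-Path"))
    if from_dom in IMPERSONATED_DOMAINS and envelope_dom != from_dom:
        reasons.append("From: %s but envelope sender %s"
                       % (from_dom, envelope_dom or "missing"))

    # 2. Lure text in the body, regardless of the subject line used.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure phrases: " + ", ".join(hits))

    # 3. An attachment whose type can execute or unpack to something that does.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append("risky attachment: " + name)

    return {"score": len(reasons), "reasons": reasons,
            "quarantine": len(reasons) >= 2}


def build_sample(from_hdr, return_path, subject, body, filename, maintype, subtype):
    """Construct an in-memory test message. All addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "user@example.org"
    msg["Return-Path"] = return_path
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00placeholder", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed sample 1: the FBI lure text from the article, handed off by
# an unrelated relay and carrying a .zip attachment.
SPOOFED_FBI_LURE = build_sample(
    "Federal Bureau of Investigation <mail@fbi.gov>",
    "<bounce@relay.example.net>",
    "You visit illegal websites",
    "Dear Sir/Madam,\n\nWe have logged your IP-address on more than 30 illegal "
    "Web sites. Important: Please answer our questions! The list of questions "
    "are attached.\n",
    "questions.zip", "application", "zip",
)

# Constructed sample 2: ordinary mail with a PDF, for comparison.
BENIGN_MESSAGE = build_sample(
    "Alice <alice@example.org>",
    "<alice@example.org>",
    "Meeting notes",
    "Notes from today's meeting are attached.\n",
    "notes.pdf", "application", "pdf",
)

if __name__ == "__main__":
    for label, raw in (("lure", SPOOFED_FBI_LURE), ("benign", BENIGN_MESSAGE)):
        print(label, score_message(raw))
```

The quarantine threshold of two signals is deliberate: a single hit (a legitimate fbi.gov mail relayed through a mailing list, or a benign .zip) should not be quarantined on its own, while the combination the article describes trips all three. A real gateway would run this alongside signature-based scanning rather than instead of it.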
“This variant, which comes on the heels of six others last week, is a lot more sophisticated — not in terms of the techniques it uses — but in the ways it mixes and matches them,” Curry said.
In recent times, malware authors have narrowed the scope of their efforts, choosing stealth over noisy pandemics like yesterday’s Sober outbreak. “This is an old-fashioned ploy to get attention,” Curry observed. “The damage that it does is not that bad.
“But what worries me,” he interjected, “we very often see an idea, or set of ideas, tried out in an innocuous format and if they succeed, we see them used for something not so innocuous.”
While the origin of this latest Sober strain remains a mystery, some security experts believe law enforcement authorities are closing in on the perpetrators.
Jimmy Kuo, a senior fellow at McAfee AVERT in Beaverton, Ore., noted that prior to the rash of Sober outbreaks last week, police in Bavaria, Germany, predicted the development, presumably because they had cracked the ring of malcontents writing the viruses.
“This is probably a ‘group of friends’ scenario,” he told TechNewsWorld. “The police will pick off one. Hopefully, he’ll roll on the others, and we can pick off some more.”
Cluley, of Sophos, added, “The police may not know who this virus writer is, but they’re close on the trail. And the fact that he’s goading the FBI and CIA means that there will be even greater resolve to capture this person.”