Sober Variant Set to Unleash Havoc Today

As the security world awaits yet another Sober variant scheduled to attack today, Sophos revealed the top 10 viruses and hoaxes hindering businesses around the world during December 2005. Sober-Z is atop that list.

Sober-Z took the world by storm in December, accounting for a massive 78.9 percent of all malware reported to Sophos. Its domination of the charts is making other current threats pale in comparison, and it is showing no sign of slowing down.

The highly prolific Sober-Z worm sends itself as an e-mail attachment and attempts to turn off security software on the user’s computer. The author of this worm has been operating anonymously for more than two years, and this latest threat is the cyber criminal’s most widespread virus yet, according to Sophos.

Unstoppable Sober?

A key differentiator of the Sober worms is their ability to dupe users, said Carole Theribault, senior security consultant at Sophos. From promising World Cup football tickets to posing as the FBI or a long-lost pal, it seems the Sober family will stop at nothing to ensure that recipients launch the viral e-mail attachment.

“The Sober-Z worm stormed to the top of the November 2005 chart and continued to hold the number one spot throughout December,” Theribault said. “Should the author go ahead and upload malware onto Web sites for infected machines to grab and run, as anticipated, the worm may disrupt businesses even further.”

The rest of the chart has remained fairly static during December. Zafi-B is the only climber, creeping up from seventh to second position. However, Sober-Z’s dominance has ensured that this worm accounts for just 3.3 percent of malware reported to Sophos in the last month of 2005.

Other Threats

Elsewhere on the chart, Netsky-P is still hanging on but has dropped to third position, and several Mytob variants continue to plague businesses and users, including two new entries, Mytob-FO and Mytob-FM.

There are two re-entries fooling users this month, Theribault noted. The Elf Bowling hoax, which has made a festive reappearance, warns users that the game is infected with a virus and should be deleted immediately upon receipt.

“This hoax is essentially harmless but serves as a reminder to companies that they should explain to employees the danger of distributing executable files. The game, while not a malicious threat, can divert employees from doing real work,” Theribault said.

Fighting Sober

Although Sober has been widespread, most of the world may not have noticed this worm, because it is focused on German-speaking users, Ken Dunham, a senior engineer with Reston, Va.-based VeriSign iDefense, told TechNewsWorld.

“Sober is one of the most successful non-English language e-mail worms to date,” he noted. “On November 22, there was a large-scale seeding of the Sober variant. Several million copies have been seeded in the wild. But seeded is different than infected.”

A Sober variant scheduled for release today, on the 87th anniversary of the founding of what would later become the Nazi Party, remains the biggest concern.

Sober cannot do its damage without human interaction, though, Dunham points out. In other words, a user has to double-click on a file and install it before a computer can be infected.

Is There an Upside?

Could there possibly be an upside to Sober? The Sober-Z variant can disguise itself as a message from investigators at the FBI, CIA or Germany’s Federal Crime Office (BKA), Theribault observed. Perhaps ironically, Sober-Z actually led to the arrest of a child porn offender this month.

A 20-year-old German man was fooled by a Sober-infected e-mail that informed him he was being investigated by the BKA for visiting illegal Web sites and subsequently turned himself in to the police.

“Rarely does a virus actually benefit society, but few people would discourage the German police from investigating this guy,” continued Theribault. “However, it is an inadvertent victory for justice — the Sober virus writer has been causing havoc for computer users around the world for several years.

The Good News

The good news, Theribault said, is that this persistent worm is easy to combat if home users and businesses have effective up-to-date anti-virus and anti-spam protection in place, and if they follow safe computing practices.

In order to minimize exposure to viruses, Sophos recommends that companies deploy a policy at their e-mail gateway to block unwanted executable attachments from being sent into their organization from the outside world. Companies should also employ up-to-date anti-virus software and firewalls, andinstall the latest security patches.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels