A new briefing released yesterday by Postini, the messaging security company, based in San Carlos, Calif., indicates that the recently discovered “Sober” virus is the largest viral attack on the Internet ever recorded, twice as big as any other virus on record.
“We typically quarantine about 50 million virus-infected e-mails in a month. This Sober virus generated close to a 1,500 percent increase in virus-infected e-mail traffic in the past week,” Scott Petry, founder and vice president of products and engineering at Postini, told TechNewsWorld.
Zip File Problems
This latest Sober worm typically arrives as a “.zip file” e-mail attachment in either German or English, or in a message that appears to be from either the Federal Bureau of Investigation or the Central Intelligence Agency, or even the Internal Revenue Service.
Postini said the Sober worm “hijacks” Windows-based computers, and forces them to send out continuous spam e-mails that overwhelm servers and reduce network performance. As with previous Sober variants, this worm can also disable antivirus programs.
Though computer users are often urged to use caution when opening attachments, many users opened the infected messages because they believed the message came from the government, enabling the Sober worm to spread rapidly, Postini said.
“Despite the virulence of the outbreak, our customers have not been affected by the Sober virus, and they experienced no message delivery latency issues or any degradation of service,” said Petry. “We’re blocking or quarantining all security threats before they reach our customers’ networks.”
As of yesterday afternoon, Postini said that during the previous 24 hours it had prevented more than 29 million copies of the Sober virus from reaching its worldwide customer base. Over the last week, Postini quarantined more than 218 million Sober-infected messages, making this outbreak twice as large as the largest previous attack on record, the company said.
Experts said the best defense against such a virus is multilayer anti-virus protection technology, which includes connection level threat analysis, heuristics-based content analysis and anti-virus scanning engines from vendors like McAfee and Authentium.
Although the new Sober variant spreads swiftly, security experts said that existing anti-virus software should be able to block most infected messages, because this strain shares a number of characteristics with prior versions, making it easy for anti-virus programs to identify and quarantine it.
According to anti-virus software vendor Sophos, a number of cover letters are being used by scammers to spread the virus. Among the letters used by the worm to spread itself is one purporting to be from the FBI or CIA. Sophos said a typical letter looks like this:
We have logged your IP-address on more than 30 illegal Web sites. Important: Please answer our questions! The list of questions are attached.
Federal Bureau of Investigation-FBI-
935 Pennsylvania Avenue, NW , Room 3220
Washington, DC 20535
Phone: (202) 324-30000
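The heuristics-based content analysis mentioned above can be illustrated with a small mail filter. The following is an added example written for this article; it is not Postini's or Sophos's code. It parses a constructed message modelled on the FBI letter quoted above (the message, its sender address and the .zip payload are all made up for the example) and scores three signals the article describes: a risky archive attachment, a claim to be a federal agency sent from a non-.gov address (the .gov assumption is the example's own), and lure phrases taken from the quoted letter.

```python
"""Heuristic content analysis for a Sober-style lure (added example, not Postini's or Sophos's code)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Agency names the Sober lures borrow (from the article) and phrases from the quoted letter.
IMPERSONATED_AGENCIES = (
    "federal bureau of investigation", "fbi",
    "central intelligence agency", "cia",
    "internal revenue service", "irs",
)
LURE_PHRASES = ("logged your ip-address", "illegal web sites", "please answer our questions", "tax refund")
RISKY_ATTACHMENT_EXT = (".zip", ".exe", ".scr", ".pif")
# Assumption for this example: a real federal agency would mail from a .gov domain.
GOVERNMENT_TLD = ".gov"


def build_sober_lure() -> bytes:
    """Constructed sample message modelled on the letter quoted above; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "FBI <admin@example.net>"  # spoofed display name on a non-.gov address
    msg["To"] = "user@example.com"
    msg["Subject"] = "You visit illegal websites"
    msg.set_content(
        "We have logged your IP-address on more than 30 illegal Web sites.\n"
        "Important: Please answer our questions! The list of questions are attached.\n"
        "Federal Bureau of Investigation -FBI-\n"
    )
    # Stand-in bytes only; the real worm shipped an executable inside the archive.
    msg.add_attachment(b"PK\x03\x04 constructed placeholder",
                       maintype="application", subtype="zip", filename="question_list.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control message that should pass untouched."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Lunch"
    msg.set_content("Are we still on for lunch on Thursday?")
    return msg.as_bytes()


def _mentions(term: str, text: str) -> bool:
    # Word boundaries keep "cia" from matching inside "special" or "especially".
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None


def analyze_message(raw: bytes) -> dict:
    """Return a verdict and the list of heuristic findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = str(msg.get("From", ""))
    m = re.search(r"@([\w.-]+)", sender)
    sender_domain = m.group(1).lower() if m else ""

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""

    # Signal 1: archive or executable attachment, the Sober delivery vehicle.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXT):
            findings.append(f"risky_attachment:{name}")

    # Signal 2: claims to be a federal agency but is not sent from a .gov domain.
    claims_agency = any(_mentions(a, text) or _mentions(a, sender.lower())
                        for a in IMPERSONATED_AGENCIES)
    if claims_agency and not sender_domain.endswith(GOVERNMENT_TLD):
        findings.append(f"agency_impersonation:{sender_domain}")

    # Signal 3: wording lifted from the known lure.
    for phrase in LURE_PHRASES:
        if phrase in text:
            findings.append(f"lure_phrase:{phrase}")

    # Two independent signals are enough to quarantine; one alone is only logged.
    verdict = "quarantine" if len(findings) >= 2 else "deliver"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    print(analyze_message(build_sober_lure()))
    print(analyze_message(build_benign_message()))
```

The threshold of two signals is deliberate: a lone .zip attachment or a lone mention of the IRS is common in legitimate mail, and a filter at this layer earns its keep by combining weak signals rather than acting on any one of them. A signature engine from a vendor such as those named above would sit behind this as a separate layer.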
Meanwhile, experts at SophosLabs, the global network of virus, spyware and spam analysis centers, have warned Internet users of another phishing e-mail which aims to steal from American taxpayers by posing as notification of a refund from the Internal Revenue Service. The phishers are taking advantage of an apparent security error on a real U.S. Government Web site that allows them to redirect visitors to a fake Web site.
In a brazen attempt to look more legitimate, the e-mail tells users to cut and paste the link into their Web browser rather than click directly on it. This is exactly what security experts have cautioned users to do for years, which makes the attack quite insidious.
Though the link does use the real government Web site's domain name, a mistake in the way the site has been set up bounces visitors to a lookalike site run by the phishers.
“This phisher tells you that the IRS owes you several hundred dollars, and offers you a Web link from which you can allegedly claim your tax refund,” said Graham Cluley, senior technology consultant at Sophos. “The link in the e-mail simply bounces you off a U.S. Government Web site onto a site owned by the criminals, who are ready and waiting to steal your credit card details, Social Security number and other personal information.”