The spread of the latest SoBig computer worm variant, called SoBig.F, now is being called the fastest outbreak ever. The worm marks the continuation of a recent onslaught of attacks that included previous worms Nachi and Blaster.
Security experts said SoBig.F has spread rapidly across North America, Europe and Asia because users were duped by its ability to spoof the sender, which makes the worm appear to come from a known source.
The SoBig variant marks a trend of junk e-mail or spamming tools used in concert with computer worms. The mass-mailing worm, which can slow networks and leave computers vulnerable to other attacks, arrived on the heels of several other outbreaks, adding to what has been several weeks of worms running rampant across the Internet.
“North America has been hit extremely hard,” ISS X-Force engineering manager Dan Ingevaldson told TechNewsWorld. “We’re also getting reports that Europe and Asia are getting hammered. It’s very much widespread, and it’s piling on from Nachi and Blaster.”
SoBig So Fast
MessageLabs reported it stopped more than one million copies of the SoBig.F worm in the first day of its spread, making the variant the fastest-growing virus ever, surpassing the infamous LoveBug, Klez and Kournikova viruses.
“Yesterday marked an unprecedented new level in virus propagation and demonstrated the growing ability of virus writers to disrupt business around the globe,” said MessageLabs chief technology officer Mark Sunner.
Ingevaldson, referring to the MessageLabs findings as “off the charts,” said ISS has experienced a 10- to 100-fold increase in the number of copies of the SoBig variant coming into its monitoring e-mail accounts.
Ingevaldson also said that, much like the Nachi worm that sends 300 e-mails to propagate itself once it has infected a machine, the SoBig.F worm has a multithreaded e-mailing engine that allows it to send out more than one e-mail at a time.
Antivirus vendor McAfee, which described SoBig.F as high risk, said in a security advisory that the worm might slow Internet and network traffic and also includes the danger of a back-door trojan — a malicious program that cedes control of a computer to remote, unauthorized users.
“Because it sends so many e-mails, a worm like Sobig also saps bandwidth and slows network performance,” the advisory said. “Worse, it can also open up a user’s computer port, making it vulnerable to hackers who can plant dangerous trojans.”
The reason SoBig.F has spread so successfully is that it spoofs the “from” field of the e-mail, using a harvested e-mail address from the infected computer to make users believe the infected file is being sent from an acquaintance.
“That’s really important,” Ingevaldson said. “People are finally understanding that e-mails can come from anyone — a friend, partner or family — and have viral attachments. That’s really always a problem.”
McAfee reports subject lines of the e-mail worm include: “Your details, Thank you!”; “Re: Details”; “Re: Approved”; and “Re: Your application,” among others. McAfee said the e-mail’s attachment — the actual carrier of the virus — often will contain the same words as the subject. The file itself will have a .pif or .scr extension.
Spam Meets Worm
MessageLabs chief information analyst Paul Wood told TechNewsWorld that recent worms such as SoBig and MiMail are part of a trend in which virus writers use spamming software to propagate worms.
“Potentially, we could see more and more of that happening, where virus, trojan and spam are all coming together,” Wood said.
Ingevaldson said that although the spamming and virus-writing communities have not yet come together, spammers see a powerful tool in the form of viruses and soon might take advantage by modifying code and adding functionalities.
The SoBig.F variant comes on the heels of Nachi, Blaster (also known as LovSan) and a Blaster follow-up “good worm” that attempted to install a fix for Blaster.
According to analysts, the series of outbreaks, which can be traced back to a Microsoft Windows vulnerability announced in July, are having a unified effect. “Each one is amplifying the effects of the previous ones,” said Ingevaldson.