Experts: Sixth son of Sobig not the last

Security researchers believe that the creator of the Sobig mass-mailing computer virus won't stop with number six--the money may be too good.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Security researchers believe that the creator of the Sobig mass-mailing computer virus won't stop with Sobig.F--the money may be too good.

The Sobig viruses--the first of which started spreading in January--are designed to load special software that can anonymize spam onto people's PCs. The tens of thousands of computers infected by the virus can then be used by bulk e-mailers to send unsolicited messages that can't be tracked.

"It is very well planned, very well designed and very well executed," said Mikko Hypponen, director of antivirus research for security company F-Secure. Hypponen believes that the virus' author likely sells the list of compromised PCs to spammers. "For once we have a virus with a very good motive: money."

The Sobig viruses are perhaps the first to be used as moneymakers, and that means it's likely the programmer, or group of programmers, that created the latest variant won't stop, said Joe Stewart, senior security researcher for network-protection company Lurhq.

"I do think we will see a new variant soon," Stewart said. Stewart has been studying each iteration of the Sobig virus and believes that, despite heightened law enforcement interest in finding the author, it's unlikely he or she will stop or be found. "The guy obviously knows how to use proxy servers (to achieve anonymity). To think you can track him down using an IP (Internet protocol) address down is pretty far-fetched."

The Sobig.F virus started spreading a week ago, apparently from Usenet news groups where the author had posted it in the guise of a pornographic picture, according to Easynews.com--the service that had been used to post the file. Phoenix, Ariz.-based Easynews reported that it had been served a subpoena by the FBI and had provided the bureau with an apparently stolen credit card number that had been used to purchase the account.

"It appears the account was created with a stolen credit card for the sole purpose of uploading the virus to the Usenet network," Michael Minor, chief technology officer of Easynews, said in a statement Friday.

The FBI couldn't immediately be reached for comment.

The Sobig.F virus spreads by harvesting e-mails from Web pages and from an infected computer's address book. It sends a copy of itself to the addresses in an e-mail message with subject lines such as "Your Details," "Re: Approved" and "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer.

Sobig.F has spread aggressively, sending far more e-mails with copies of the virus than any such program to date. The computer virus clogged corporate e-mail systems early last week, as every message had to be digitally checked for the virus before being passed on to the recipient's computer.

The latest Sobig virus uses an e-mail address other than the victim's as the apparent source of e-mail messages that it sends to spread itself. Many antivirus systems send alerts to the apparent senders of viral e-mail messages notifying them that they are infected--even when the malicious program is known to forge the source's e-mail address. The result is more e-mail clogging in-boxes and more confusion as users have to deal with additional messages accusing them of being infected.

Joe Hartmann, North American director for antivirus research at security-software company Trend Micro, believes that the FBI has its work cut out for it when it comes to catching the perpetrator.

"The person is really trying to make sure that he isn't going to get tracked down," Hartmann said. "Open proxies, stolen credit cards--it's not going to be easy."