Latest Sober threatens e-mail gateways

Worm is generating a flood of e-mail traffic, which could hit corporate systems like a mini denial-of-service attack.

Munir Kotadia Special to CNET News
The latest Sober worm, first spotted over the weekend, has generated the vast majority of virus-laden e-mail traffic in the past 24 hours and could cause problems for corporate e-mail gateways, security companies said.

This variant of Sober generates e-mails that purport to be from the CIA or FBI. These messages tell the recipient they have been looking at illegal Web sites and should answer some questions in the e-mail's attachment. If the attachment is opened, the computer is infected, and the virus sends copies of itself to any e-mail addresses found on the hard drive.

Allan Bell, the marketing director at McAfee Australia, said that over the past 24 hours more than 90 percent of all virus-laden e-mails monitored by its partner Postini contained a copy of Sober.

"(Sober) was generating around 15 million out of 16.8 million (virus-infected e-mails), so about 90 percent of the traffic is this particular virus," Bell said.

Bell called the virus "prolific," saying it is capable of generating large volumes of traffic. That flood could slow or even overload many e-mail gateways, in a way that resembles a denial-of-service attack, which attempts to overwhelm a targeted system with excess data requests.

"When they generate a lot of traffic, they themselves become a bit of a denial-of-service (attack), because your mail gateway needs to process, identify and then block (them). Just processing that stuff can slow everything down and stop good e-mails," Bell said.

British antivirus software maker Sophos said the virus is slightly less widespread than McAfee claims, but admitted its effect has been significant. According to Sophos's data, Sober now accounts for more than 65 percent of all virus traffic. That figure has climbed from 35 percent when the company first issued its alert, and makes Sober by far the most prevalent virus.

Graham Cluley, the senior technology consultant at Sophos, said that the virus's clever social engineering had helped it become so widespread: "Every law-abiding citizen wants to help the police with their enquiries, and some will panic that they might be being falsely accused of visiting illegal Web sites and want to click on the unsolicited e-mail attachment."

McAfee this morning raised the threat level of Sober to "medium," based on the amount of e-mail traffic it has generated. Other security companies have also raised the alert for the new Sober worm variant.

F-Secure has rated it a Radar Level 1 Alert, which is the highest alert on its three-step rating system. The Finland-based company said on its Web site that "several millions of infected e-mails have been seen by Internet operators over the last hours."

Symantec rates it a "level 3" threat, with level 5 being the most severe. In a statement Wednesday, the company said it has detected more than 1,600 potential threats from among its corporate customers, and over 300 from consumers, since Nov. 19.

Trend Micro, similarly, has issued a "medium" alert.

While the worm variant is named differently by the security vendors, the Common Malware Enumeration system, launched last month, labels the new threat CME-681.

Munir Kotadia of ZDNet Australia reported from Sydney. Vivian Yeo of ZDNet Asia contributed to this report.