Race against Sobig reportedly successful

Twenty servers that the computer virus had scheduled to download attack software were shut down, avoiding a potential wave of new e-mail.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

Aug. 22, 2003 5:14 p.m. PT

4 min read

The second stage of an attack by the Sobig.F computer virus fizzled Friday when security researchers and network operators managed to secure the 20 servers from which the virus was scheduled to download new instructions.

Security experts discovered Thursday that the tens of thousands of PCs infected this week with the Sobig.F virus were scheduled to contact 20 servers and to download additional software. The experts feared that the software could be used to spy on the computers' owners or launch another wave of spam.

The contact with the 20 servers was supposed to occur at noon PDT and last until 3 p.m. However, security experts were able to locate the servers and warn network operators of the danger. By the noon deadline, all the servers had apparently been isolated from the Internet or secured in some other way.

"Unless one of these machines that were shut down come back up, it looks like we've dodged the bullet," said Joe Stewart, senior security researcher for managed security service company LURHQ.

He warned, however, that one of the 20 compromised machines may have been taken down by the person or group that created Sobig.F to fool defenders. The Sobig family of mass-mailing computer viruses is believed to have been created by spammers or a group of online vandals that sell their services to spammers.

The aborted attack provided a brief respite from two weeks of turmoil caused by two Internet worms and the Sobig.f virus. Sobig.f, a mass-mailing computer virus that spreads to Microsoft Windows computers through e-mail, attempts to connect to the Internet between noon and 3 p.m. PDT on Fridays and Sundays until Sept. 10, when it will delete itself.

While Stewart's research indicated the 20 targeted servers were unavailable Friday afternoon, antivirus firm Symantec said it detected that a single server was directing compromised computers to a porn site. However, the adult site apparently had no software for the virus to download.

"The adult Web site would not have posed any danger," said Steve Trilling, senior director of research for the company. "The only net impact would have been a denial of service on that site."

Not Sobig, yet
	Security company Symantec said Friday that it is receiving about 1,800 submissions of the Sobig.F worm per day. While by this one measure the rate is less than that of other network pests, the company also noted that the threats often peak many days after the initial discovery.


	Pest	Submissions at peak	Days before peak


	Klez.H	4,516	14

	Bugbear.B	4,812	2

	Badtrans	3,709	7


	Source: Symantec

While no additional programs had apparently been downloaded, if the past is any indication, the worm would have received instructions to download software that could have recorded passwords, sent system information to another computer on the Internet, and download a second program that to allow spammers to anonymously send bulk e-mail through the compromised PC.

While shuttering the servers aborted the process on Friday, Stewart stressed that security researchers may never know what would have happened.

"There is an upside and a downside to this," Stewart said. "We don't have it installed on all these computers, but we also don't have samples of it."

E-mail service provider MessageLabs said that, like previous versions of the virus, Sobig.F likely would have turned infected PCs into tools for sending spam.

"The mail component is so much more efficient than previous versions, so it's highly likely that the purpose of the virus is to act as launching pad to send spam, because the efficient e-mail is such a key change," said Mark Sunner, chief technology officer for the New York-based company.

Sobig.F has spread aggressively, sending far more e-mails with copies of the virus than any such program to date. The computer virus clogged corporate e-mail systems on Tuesday and Wednesday, as every message had to be digitally checked for the virus before being passed on to the recipient's computer. MessageLabs found that about one in every 17 messages contained the virus--far more than the approximately 1-in-138 ratio produced by the previous top threat, Klez.H.

Sobig.F uses an e-mail address other than the victim's as the apparent source of e-mail messages that it sends to spread itself. Many antivirus systems send an alert that notifies the apparent sender of viral e-mail messages that they are infected, even when the malicious program is known to forge the source's e-mail address. The result: More spam to clog the Internet's arteries.

"In terms of the amount of e-mail traffic and volume of the messages, it's the most widely e-mailed virus ever, but that's not to say it's the fastest-infecting virus," said Craig Schmugar, virus research engineer for antivirus firm Network Associates. "We believe the infection rate is a lot less than the e-mail traffic would suggest."