The spread of the mass-mailing worm Sobig peaked earlier this week, but its appearance marked the third time this year a worm has made headway on the Internet.
"If you would have asked me in December, I would have said January would be as quiet as in past years," said Alex Shipp, senior antivirus technologist with MessageLabs, a Gloucester, England-based managed service e-mail content filtering outsourcer. "Needless to say, I would have been very wrong."
Sobig is one of a few pieces of malicious code that have caused businesses some headaches since the beginning of the year. Others include variants of the Yaha worm, which struck late last year and successfully spread on the Internet well past Jan. 1, and the Lirva worm, which pays homage to singer Avril Lavigne.
Sobig, Yaha and Lirva came on strong but soon died down because they didn't infect large enterprises, said Vincent Gullotto, vice president of McAfee AVERT. Enterprises are stripping risky file types such as .pif files and executables at the e-mail gateway, so infected attachments never reach recipients. Companies are also addressing the use of free Web-based e-mail accounts such as Hotmail from work systems: an attachment downloaded through a browser never passes through the SMTP gateway, so accessing these accounts can circumvent the antivirus protections a company has in place.
Often, viruses continue at lower levels because of under-protected home users. Worms like Klez, SirCam and Magistr are still making headway, despite having been out for years in some cases, Gullotto said.
No one can say why this year has started with a bang. Perhaps worm writers thought end users were lulled into a false sense of security because of the relatively quiet autumn for viruses. "Last year was relatively quiet for viruses," said Chris Wraight, technology consultant at antivirus vendor Sophos. "Users' guards have dropped a bit."
The writers could have just been lucky. Also, worm writers, as odd as it sounds, may have taken a vacation at the end of the year. "There is the possibility that college students are writing a lot of the viruses. They take time off [from worm writing] in late November and December" when they are out of school, Gullotto said.
One trick that worm writers have used this year is sending out several variants of a worm in a short period of time. For example, a second variant of Lirva appeared a day or two after the first was found. With Yaha, at least three or four variants appeared in succession. Most of them differed only in how they were packed, not in what the code did. By repacking the same code with a different packer, the authors change the byte pattern of the file and hope the new variant will slip past signature-based antivirus scanners until a fresh signature is issued.
Additionally, virus writers release variants as a way to test their creations. "They read the write-ups of the worm at the antivirus companies and go in to make changes when it doesn't do what they want it to do," Shipp said.
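The repacking trick described above, shown as an added example that is not code from the article or from any of the worms it names. The "worm body" is a constructed byte string, the packer is a toy (deflate plus a one-byte XOR behind a 4-byte stub tag), and the "signature" is an invented substring standing in for an antivirus byte signature; all of these are assumptions made for illustration. The point it demonstrates is why a scanner that matches raw file bytes misses every repacked variant, while a scanner that unpacks first catches all of them with the original signature:

```python
import hashlib
import zlib

# Constructed stand-in for a worm body. This is NOT Sobig, Yaha or Lirva code;
# it is a byte string invented for this example so that it runs offline.
ORIGINAL_BODY = (
    b"WORM-BODY v1: built-in SMTP engine; harvest addresses from .dbx .wab .eml "
    b".htm .html; send self as a .pif attachment; copy to open network shares"
)

# Toy stand-in for an antivirus byte signature: a fixed substring of the body.
SIGNATURE = b"harvest addresses from .dbx .wab"


def signature_scan(sample: bytes) -> bool:
    """Static scan: does the raw file contain the signature bytes?"""
    return SIGNATURE in sample


def repack(payload: bytes, key: int) -> bytes:
    """Toy 'packer': deflate the payload, XOR it with a one-byte key and prepend
    a stub header carrying the key. A real packer prepends a decompression stub;
    here the stub is just a 4-byte tag plus the key byte."""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte")
    packed = bytes(b ^ key for b in zlib.compress(payload))
    return b"STUB" + bytes([key]) + packed


def unpack(sample: bytes) -> bytes:
    """What an unpacking scanner (or the stub at run time) does: undo the XOR and
    inflate, so the original body becomes visible again."""
    if not sample.startswith(b"STUB") or len(sample) < 5:
        return sample  # not packed with our stub; scan the bytes as they are
    key = sample[4]
    return zlib.decompress(bytes(b ^ key for b in sample[5:]))


def scan_with_unpacking(sample: bytes) -> bool:
    """Scan the unpacked content instead of the on-disk bytes."""
    return signature_scan(unpack(sample))


def make_variants(payload: bytes, keys=(0x11, 0x22, 0x33)) -> list:
    """Three 'variants' released in succession: identical code, different packing."""
    return [repack(payload, k) for k in keys]


def distinct_hashes(samples) -> int:
    """How many different SHA-256 values (i.e. hash-blocklist entries) the set needs."""
    return len({hashlib.sha256(s).hexdigest() for s in samples})


if __name__ == "__main__":
    variants = make_variants(ORIGINAL_BODY)
    print("original caught by static signature:", signature_scan(ORIGINAL_BODY))
    for i, v in enumerate(variants, 1):
        print(f"variant {i}: static={signature_scan(v)} unpacked={scan_with_unpacking(v)}")
    print("distinct hashes across variants:", distinct_hashes(variants))
```

Each repacked variant has a different hash and no longer contains the signature bytes, which is exactly the gap a "new variant every day" release pattern exploits; the defence is to scan what the file becomes after unpacking (or what it does when run), not the bytes as shipped.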
It seems Sobig peaked on Monday when MessageLabs intercepted more than 16,000 copies. But by Wednesday it only caught 4,000 copies. On Wednesday, McAfee downgraded its threat assessment on Sobig from medium to low because of its declining numbers.
Sobig's success is due in part to a built-in SMTP engine, which lets it mail itself directly to other potential victims running Windows without depending on the infected machine's mail client. It also attempts to spread by copying itself to local network shares. Once a user runs the attached file and infects a system, the worm harvests e-mail addresses from text files and from files with extensions such as .dbx, .htm, .eml, .wab and .html, then mails itself out to those addresses.
The messages arrived with the following format:
With one of the following subject lines:
- Re: Movies
- Re: Sample
- Re: Document
- Re: Here is that sample
One weakness of the worm is that it uses only a few attachment filenames. In other words, a company could configure its gateway to strip attachments with those specific filenames. The worm arrives named:
Sobig's Achilles' heel is the file format it uses to travel. It arrives as a program information file (.pif), a format Windows normally uses to store start-up properties for DOS applications but which Windows will also run as an executable. Increasingly, companies realize they have no legitimate reason to allow such files through their e-mail gateways, so the file type is blocked outright. Blocking file types is one reason for a growing gap between infection rates among home users and large companies, experts said.
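The gateway policy the article describes (strip attachments by file type, and optionally by the worm's fixed filenames and subject lines), shown as an added example that is not code from the article or from any vendor it quotes. It uses only Python's standard `email` package. The blocked-extension set beyond .pif, the two placeholder worm filenames and the sample message are assumptions constructed for this example; the page refers to the worm's real filename list but does not reproduce it, so the placeholders must be replaced with the real names before use. The subject lines are the four the article lists.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
import posixpath

# Extensions that carry executable content and have no business in inbound mail.
# .pif is the one Sobig used; the others are common additions to such a policy.
BLOCKED_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}

# Hypothetical placeholder names. The article refers to the worm's fixed set of
# attachment names but the page does not reproduce them; substitute the real list.
KNOWN_WORM_FILENAMES = {"worm-attachment-a.pif", "worm-attachment-b.pif"}

# Subject lines the article lists for Sobig mail (compared case-insensitively).
SOBIG_SUBJECTS = {"re: movies", "re: sample", "re: document", "re: here is that sample"}


def normalize_filename(filename: str) -> str:
    """Lower-case the name, drop any path the client prepended, and strip the
    trailing dots/spaces that Windows ignores when deciding what to execute."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def attachment_is_blocked(filename: str) -> bool:
    """Block on the LAST extension (what Windows acts on): 'movie.mpeg.pif' -> '.pif'."""
    name = normalize_filename(filename)
    ext = posixpath.splitext(name)[1]
    return name in KNOWN_WORM_FILENAMES or ext in BLOCKED_EXTENSIONS


def subject_is_suspicious(subject) -> bool:
    return (subject or "").strip().lower() in SOBIG_SUBJECTS


def strip_blocked_attachments(raw: bytes):
    """Parse one RFC 5322 message, replace every blocked attachment with a text
    notice, and return (sanitized_message, removed_names, subject_flag)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # reads Content-Disposition or Content-Type name
        if filename and attachment_is_blocked(filename):
            removed.append(filename)
            # set_content() drops the old Content-* headers (including the
            # disposition/filename) and replaces the body with a plain-text notice.
            part.set_content(f"[attachment {filename!r} removed by gateway policy]\n")
    return msg, removed, subject_is_suspicious(msg["Subject"])


def remaining_attachment_names(msg) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message() -> bytes:
    """Constructed test message: one .pif attachment (mixed case, double extension)
    plus one benign PDF, under one of the subject lines the article lists."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Sample"
    msg.set_content("Here is the file you asked for.")
    msg.add_attachment(b"MZ constructed bytes, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="Movie_clip.mpeg.PIF")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    sanitized, removed, flagged = strip_blocked_attachments(build_sample_message())
    print("removed:", removed, "| subject matched:", flagged)
    print("remaining attachments:", remaining_attachment_names(sanitized))
```

Two design points: the check keys on the last extension only, because that is what Windows executes, so a double extension such as `Movie_clip.mpeg.PIF` is still caught while `notes.pif.txt` is not; and the extension and filename checks are independent of the subject-line match, since the subject is the easiest thing for the next variant to change.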
- FEEDBACK: Why do you believe there's been an uptick in worm outbreaks in 2003?
Let news writer Ed Hurley know.