The spread of Sobig-E has abated. Now it's time for enterprises to contemplate the worm's mission and to internalize lessons learned from it.
When the worm struck Wednesday, companies were caught off guard because Sobig-E arrived as a Zip file attached to an e-mail. Many organizations strip executable files and VB script files from e-mail messages at the gateway. Worm writers commonly use those file types for their creations. However, Zip files generally are not blocked because they have many legitimate business uses.
After infecting a system, Sobig-E searches for e-mail addresses in a host of files, including cached Web pages, text documents and in Windows address books. The worm then uses the harvested addresses to mass mail itself using its internal SMTP (Simple Mail Transfer Protocol) engine.
Sobig-E is so good at harvesting e-mail addresses that this could cloud just how severe a problem it really was. While U.K.-based e-mail filtering outsourcer MessageLabs was listing Sobig-E as its most widespread worm on Thursday, it wasn't even in Trend Micro Inc.'s list of the 10 most prevalent viruses and worms. "It's behind Yaha, FunLove, Bugbear and Nimda," said David Perry, Trend Micro's global director of education.
The reason for the disparity is that MessageLabs tracks the number of copies it intercepts. For example, it may catch 20,000 copies of Sobig-E. Since the worm is so good at finding e-mail addresses, those e-mails could have originated from a relatively small number of machines.
On the other hand, antivirus software vendors like Trend Micro usually rely on customer support calls, searches on their Web sites and other indicators to ascertain the severity of a worm.
Sobig-E's secret mission?
It has emerged that Sobig-E drops a Trojan-like program into infected systems, which could pave the way for infected machines to be used as open relays for spamming. The program could potentially be accessed remotely to execute primitive tasks such as forwarding e-mails, said Mark Sunner, chief technology officer of MessageLabs.
Additionally, the worm's SMTP engine is multithreaded, an upgrade to previous versions of the worm. This would allow Sobig-E to send mail better, which lends further credence to the spam hypothesis, Sunner said.
Spammers use open relays to cloak where their e-mails are coming from, Sunner said. This is particularly important because some companies use dynamic black lists that block e-mail from particular domains. "Open relays literally give them millions of addresses to ply through," he said.
A user of a system being used as an open relay would see performance degradation but not much else awry. Having personal firewalls in place would clue users in to this because they would see an unusually large amount of mail being sent, Sunner said.
Network file shares: The forgotten vector
Sobig-E, like many recent worms, can spread by copying itself to network file shares and by mailing itself. After infecting a system, Sobig-E tries to copy itself to
"\Documents and Settings\All Users\Start Menu\Programs\Startup" and "Windows\All Users\Start Menu\Programs\Startup".
Most attention has been paid to the e-mail vector, since it's definitely very pronounced. "It's a mass mailer with the emphasis on mass," Perry said, noting the large number of e-mails one infected machine could pump out.
Yet some, such as Russ Cooper, editor of NTBugtraq and surgeon general of TruSecure Corp., a Herndon, Va.-based managed security services provider, see the network file share route as the major reason Sobig gained some traction.
Network file shares can be fertile paths for worms because often all it takes is for one end user to open the e-mailed worm; then it can spread internally without any further human intervention. In other words, all it would take is a remote user on a VPN connection to get infected in order for the worm to spread within a company, Cooper said.
"Companies do need to have good internal security practices," Sunner said.
FOR MORE INFORMATION:
FEEDBACK: Do you believe Sobig-E is the work of a spammer?
Send your feedback to the SearchSecurity.com news team.