Network-aware worms have dominated the attention of IT administrators, mainly because of Lovsan's rapid progression last week, but mass-mailers are still a problem, as evidenced by the emergence of a new variant of the Sobig worm this morning.
U.K.-based e-mail filtering outsourcer MessageLabs Inc. has seen a rapid increase in the spread of Sobig-F this morning. The company started intercepting a few hundred copies early this morning, but the rate had rapidly increased to 14,000 copies an hour (40,000 total, or one of every 311 messages were infected) as of noon EDT.
"How many times does it take touching a hot stove to realize you are going to get burnt?" said Ian Hameroff, security strategist at Computer Associates International Inc.
Sobig-F is very similar to its predecessors. It travels attached to e-mails with the .scr or .pif file extensions. The vast majority of enterprises could block such attachments at the gateway with impunity. "I'm not sure a business could make the case that they need to be able to send screensaver files or antiquated Windows program files back and forth," Hameroff said.
Sobig-F, like previous versions, does download a Trojan after infecting systems, which could allow the worm writer to use them as open relays for sending spam, said Alex Shipp, senior antivirus technologist at MessageLabs.
Being infected with Sobig-F could cause some network performance issues as junk e-mail is routed through, but the Trojan poses other risks as well. "The systems wouldn't just be open to the worm writer. Other people could use infected machines for their purposes," Shipp said.
The newest member of the Sobig family does have at least one refinement. Previous versions contained a bug that sometimes meant the last letter on the file extensions of the attached worm was dropped. For example, the filename may come attached as "movie0045.pi" instead of "movie0045.pif." When that happens, a recipient would need to rename the file, then double-click on it for it to run.
Certain sound security practices would protect companies from getting slammed by Sobig-F. Making sure antivirus definitions are updated is a given. Also, stripping .pif and .scr files at the gateway would prevent getting infected by Sobig and many other mass-mailer worms.
Technically, however, Sobig-F is very similar to its predecessors, especially when it comes to social engineering. The worm takes a minimalist approach, using legitimate-sounding subject lines such as:
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Re: Approved
- Re: Re: My details
- Re: Details
- Your details
- Thank you!
The message text is pretty basic, with such lines as "Please see the attached file for details." The worm is attached and uses the following file names:
Sobig-F does spoof e-mail addresses, so that lends some credibility to it for people receiving the message. The worm harvests e-mails from a host of files on infected systems. It uses those addresses to then send copies of itself using its own SMTP engine.
As with previous Sobig variants, the newest threat is short lived. It's set to stop working Sept. 10. "I'm not sure why the writer does that. Perhaps he feels his creations have a certain shelf life," Shipp said.
The last variant, Sobig-E, stopped working July 14. "We were waiting for the new variant then. It's taken four weeks. Perhaps the guy was having a holiday," said Mikko Hypponen, manager of antivirus research for Helsinki, Finland-based F-Secure Corp.
FOR MORE INFORMATION:
FEEDBACK: How do you prioritize your patching processes?
Send your feedback to the SearchSecurity.com news team.