Sobig-F may become one of the most virulent mass-mailing worms in recent memory. But the question that needs to be asked is: Why was it so successful in spreading, given that it is far from bleeding edge and users should be savvy in the wake of recent high-profile worms?
During the last 24 hours, systems from Philadelphia to the Philippines have been pelted with the worm. In some cases, the excess mail traffic was enough to slow e-mail servers to a crawl. U.K.-based e-mail filtering outsourcer MessageLabs Inc. has intercepted about one million copies of the worm since it broke Tuesday.
"We think this is going to be the same size as Lovebug," said Alex Shipp, a senior antivirus technologist with MessageLabs. At its peak, Lovebug infected one of every 28 e-mail messages. MessageLabs predicts Sobig-F will reach a similar saturation.
Not surprisingly, Sobig-F appears to be more of an issue for home users than for businesses. Many companies block .pif and .scr files at the gateway, and the worm spreads by e-mail as an attachment with one of those extensions. Most organizations have no legitimate business need to let those extensions through, experts say: .pif files are program information files, a legacy Windows format for launching DOS programs, and .scr files are screensavers. Windows treats both as executables, so a recipient who opens the attachment runs the worm.
McAfee's antivirus response team, McAfee AVERT, estimates infected home users outnumber infected companies three to one. The team arrived at that ratio by analyzing the addresses of e-mails containing the worm. While Sobig-F spoofs the From address on the e-mail it sends, there is enough information in the header for researchers to tell whether it was sent from a business or not.
Jimmy Kuo, a McAfee AVERT research fellow, said home users fall prey to mass-mailers because these users lack the security infrastructure and expertise that an enterprise IT administrator may have. "Home users don't have gateway filters and so forth," Kuo said.
Kuo predicted Tuesday that the worm had enough potential to be the No. 3 worm for August. "But by the end of yesterday, it had blown by all others to be No. 1 for a month. It did this in only one day," he said.
Why Sobig-F was able to spread so successfully is still debatable. Experts offer three theories: the worm was seeded well, technical improvements over previous variants helped it spread, or it was simply lucky.
Kuo said it appears Sobig-F was seeded to a pornography newsgroup. McAfee determined this from information gathered by a bot that surfs all newsgroups for malicious code. "On some days, we find 1,000 Trojans and worms posted," he said.
MessageLabs' Shipp has a theory that a programming flaw present in previous variants was fixed in Sobig-F. In the other versions, the last letter of the worm's file name was sometimes dropped, so the attachment arrived as, for example, "your_details.pi" instead of "your_details.pif", and a file without the executable extension does not run when the recipient opens it.
The mailing routine in Sobig-F also seems better than in past variants. The worm uses its own SMTP (Simple Mail Transfer Protocol) engine to spread, so it does not depend on the victim's mail client. It harvests e-mail addresses from a variety of files on the infected machine and then sends itself to those addresses.
The combination of spoofing the From address and harvesting e-mail addresses is a technique other worms, such as Klez and Bugbear, have used. It allows an infected system to blast out thousands of e-mails without revealing which machine is infected, while recipients believe the message comes from a trusted source and are more likely to open the attachment.
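The two defensive points made above, blocking .pif and .scr attachments at the gateway and reading the Received headers rather than the spoofed From line to see where a message actually came from, as an added Python example. This is not code from the article or from MessageLabs or McAfee; the deny-list entries beyond .pif and .scr, the host and domain names, and the sample message are assumptions constructed for the illustration.

```python
"""Gateway-style triage of an inbound message: flags attachments with
deny-listed extensions and checks whether the From domain matches the
host that originated the message.  Added illustration, not code from the
article or from any vendor it quotes."""
import email
import os
import re
from email import policy
from email.utils import parseaddr

# .pif and .scr are the extensions the article says many companies block;
# the other entries are assumed additions a gateway would typically include.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

def blocked_attachments(msg):
    """Attachment filenames whose final extension is deny-listed.  Case is
    ignored, as are trailing dots and spaces, which Windows strips."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name and os.path.splitext(name.rstrip(". "))[1].lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def origin_hop(msg):
    """(host, ip) from the earliest Received header.  Each relay prepends its
    own line, so the last one is the hop nearest the sending machine; a
    spoofed From line cannot alter it."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    earliest = str(received[-1])
    host = re.search(r"\bfrom\s+(\S+)", earliest, re.IGNORECASE)
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", earliest)
    return (host.group(1) if host else None, ip.group(1) if ip else None)

def from_domain(msg):
    """Lower-cased domain of the From address, or None."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() or None

def sender_mismatch(msg):
    """Heuristic: True when the originating host is outside the From domain.
    A spoofing worm trips it, but so does legitimate mail sent through an
    ISP or hosted provider, so treat it as one signal, not a verdict."""
    domain = from_domain(msg)
    host, _ = origin_hop(msg)
    if not domain or not host:
        return False
    host = host.lower().rstrip(".")
    return not (host == domain or host.endswith("." + domain))

def triage(raw):
    """Parse a raw RFC 822 message and run both checks."""
    msg = email.message_from_string(raw, policy=policy.default)
    host, ip = origin_hop(msg)
    return {
        "blocked": blocked_attachments(msg),
        "from_domain": from_domain(msg),
        "origin_host": host,
        "origin_ip": ip,
        "sender_mismatch": sender_mismatch(msg),
    }

# Constructed sample modelled on the mailing described above: a From address
# spoofed at the recipient's own domain, a .pif attachment, and Received
# headers tracing back to a consumer-ISP host (reserved/private addresses).
SAMPLE = """\
Received: from gw.example.com (gw.example.com [192.0.2.1]) by mx.example.com; Wed, 20 Aug 2003 09:00:00 -0400
Received: from c-10-0-0-5.dsl.example.net (c-10-0-0-5.dsl.example.net [10.0.0.5]) by gw.example.com; Wed, 20 Aug 2003 08:59:50 -0400
From: admin@example.com
To: user@example.com
Subject: Re: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sobig-sample"

--sobig-sample
Content-Type: text/plain

See the attached file for details.
--sobig-sample
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--sobig-sample--
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the findings for the sample: the .pif attachment is flagged and the From domain (example.com) does not match the originating host in the earliest Received line. The extension check is the one most gateways can apply safely; the origin check is only a heuristic, which is why the article describes researchers, not filters, using header analysis to sort infected home users from businesses.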
It's unlikely Sobig-F's author wants recipients to know they are infected. Experts think the Sobig family of worms may have been created to produce a pool of open relays for routing junk e-mail. After infecting a system, the worm downloads a Trojan that the worm's author controls. Such control could allow more damaging uses, such as capturing sensitive information from the machine.