A new danger has emerged from the epidemic spread of the mass-mailing Sobig-F worm as security experts warned today that the worm is set to download a mystery program as early as a few hours from now.
Sobig-F is scheduled to download an unknown application every Friday and Sunday, starting today through Sept. 10, between 3 p.m. and 6 p.m. EDT. The worm will contact one of 20 remote servers, authenticate itself, and receive a URL in return. It then uses that URL to download an application that it will run.
At 1 p.m. EDT, experts were not sure what the application would be. Some speculate the writer could use those servers and others they have hijacked to launch a distributed denial-of-service attack. Most likely the worm writer won't reveal the URL until just before the coded time range. In the meantime, antivirus experts are trying to disable the 20 servers the worm would use to download the URL. "So far, we have been pretty successful at it," said F-Secure manager of antivirus research Mikko Hypponen.
"The developers of the virus know that we could download the program beforehand, analyze it and come up with countermeasures," Hypponen said. "So apparently their plan is to change the Web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers [will] have already downloaded and run it."
Companies can take some proactive steps today to protect against the worm's downloading. For example, blocking outgoing UDP port 8998 traffic would stop the worm from connecting to the servers, said Chris Belthoff, senior security analyst at Lynnfield, Mass.-based Sophos Inc. The worm uses Network Time Protocol to tell time, and companies could also disable NTP queries going outside of the network, he said.
Users are encouraged to also update their antivirus pattern files and scan their systems to make sure they are not infected. If they cannot, then turning off infected machines would be an option, Hypponen said. The worm's downloading routine only operates in the three-hour windows on Fridays and Sundays. It will continue the process each week until Sept. 10 when the worm is set to turn itself off.
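The outbound traffic described above can also be used to find infected machines. The following is an added example, not part of the original article: a short Python triage of firewall flow logs that flags internal hosts sending UDP to port 8998 or NTP queries to outside servers, and marks flows that fall inside the Friday/Sunday download window. The log format, the internal address prefixes, the sample lines and the year 2003 are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))        # US Eastern Daylight Time
SOBIG_PORT = 8998                          # outbound UDP port named in the article
NTP_PORT = 123                             # standard NTP port
LAST_DAY = datetime(2003, 9, 10).date()    # Sept. 10; the year is an assumption
INTERNAL = ("10.", "192.168.")             # assumed internal address prefixes

# Constructed log format: "<UTC time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"(\S+) (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)")

def in_download_window(ts):
    """True for Fridays/Sundays, 3-6 p.m. EDT, up to and including Sept. 10."""
    local = ts.astimezone(EDT)
    return (local.weekday() in (4, 6) and 15 <= local.hour < 18
            and local.date() <= LAST_DAY)

def triage(lines):
    """Return {internal host: set of reasons} for flows worth investigating."""
    findings = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        when, proto, src, dst, dport = m.groups()
        # Only UDP leaving the network is of interest here.
        if proto != "UDP" or not src.startswith(INTERNAL) or dst.startswith(INTERNAL):
            continue
        ts = datetime.fromisoformat(when.replace("Z", "+00:00"))
        if int(dport) == SOBIG_PORT:
            reason = "udp-8998-in-window" if in_download_window(ts) else "udp-8998"
        elif int(dport) == NTP_PORT:
            reason = "external-ntp"
        else:
            continue
        findings.setdefault(src, set()).add(reason)
    return findings

SAMPLE = [  # constructed log lines using documentation address ranges
    "2003-08-22T18:40:02Z UDP 10.0.4.17:1041 -> 198.51.100.7:123",
    "2003-08-22T19:05:11Z UDP 10.0.4.17:1042 -> 203.0.113.9:8998",
    "2003-08-22T19:10:00Z UDP 10.0.4.20:1050 -> 10.0.0.2:123",
    "2003-08-22T19:12:00Z TCP 10.0.4.21:1060 -> 203.0.113.50:80",
    "2003-08-23T14:00:00Z UDP 192.168.1.30:1100 -> 203.0.113.9:8998",
    "2003-09-12T19:30:00Z UDP 192.168.1.30:1101 -> 203.0.113.9:8998",
]
```

Any host reported for port 8998 is a candidate for the antivirus scan or shutdown described above, whether or not the flow fell inside the window.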
"I really think this is like a match in a forest fire," said Ian Hameroff, security strategist for Islandia, N.Y.-based Computer Associates International Inc. He noted that Sobig-F is still spreading, albeit at lower levels than earlier in the week.
Talk of what the mystery program is would be speculative. Past Sobig variants did some tricky things. For example, Sobig.E downloaded a program that removed itself from systems to hide itself. Another program on infected machines then tried to steal passwords.
Sobig-F surprised many observers this week. At first, it was believed to be a minor issue because it was the sixth variant in a family that has gained mild traction. But improvements to its mailing engine allowed Sobig-F to spread very quickly, so much so that it choked some networks as infected systems blasted copies of the worm.