A predicted massive Internet attack by Trojan code in Sobig-F failed to materialize Friday, and antivirus experts are now saying the virus' activity should begin tapering off.
Sobig-F was scheduled to download an unknown application every Friday and Sunday from Aug. 22 through Sept. 10, between 3 p.m. and 6 p.m. EDT. Virus-infected machines attempted to contact one of 20 remote servers, authenticate and then receive a URL to download and run an application. Santa Clara, Calif.-based Network Associates, Inc. says that those servers didn't respond.
NAI says 15 of the remote servers were disabled by their ISPs; five are unavailable for unknown reasons. "This prevented Sobig-F from spreading as anticipated," says Craig Schmugar, a virus research engineer at NAI. "We expect the same results going forward."
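The activation schedule described above, turned into a log triage filter, as an added example that is not from the article or from any of the vendors quoted: it enumerates the payload windows (Fridays and Sundays, Aug. 22 through Sept. 10, 2003, 3 p.m. to 6 p.m. EDT) and flags constructed proxy-log lines whose UTC timestamps fall inside one. The log format and the addresses in it are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Sobig-F payload schedule as reported: Fridays and Sundays, Aug. 22 through
# Sept. 10, 2003, between 3 p.m. and 6 p.m. EDT (UTC-4).
EDT = timezone(timedelta(hours=-4))
FIRST_DAY = datetime(2003, 8, 22, tzinfo=EDT)
LAST_DAY = datetime(2003, 9, 10, tzinfo=EDT)
ACTIVE_WEEKDAYS = {4, 6}  # datetime.weekday(): Monday == 0, Friday == 4, Sunday == 6
START_HOUR, END_HOUR = 15, 18

# Constructed proxy-log lines (assumed format: "<UTC timestamp> <src> <dst>").
# 192.0.2.0/24 is a documentation range, not a real update server.
SAMPLE_LOG = [
    "2003-08-22T19:30:00Z 10.0.0.5 192.0.2.10",  # Fri 15:30 EDT: inside window
    "2003-08-22T23:00:00Z 10.0.0.5 192.0.2.10",  # Fri 19:00 EDT: after window
    "2003-08-23T19:30:00Z 10.0.0.7 192.0.2.11",  # Saturday: not an active day
    "2003-08-24T21:59:00Z 10.0.0.7 192.0.2.11",  # Sun 17:59 EDT: inside window
]


def payload_windows():
    """Return (start, end) aware datetimes for every window in which infected
    hosts would try to reach the update servers; end is exclusive."""
    windows = []
    day = FIRST_DAY
    while day <= LAST_DAY:
        if day.weekday() in ACTIVE_WEEKDAYS:
            windows.append((day.replace(hour=START_HOUR), day.replace(hour=END_HOUR)))
        day += timedelta(days=1)
    return windows


def in_payload_window(ts):
    """True if a timezone-aware timestamp (any zone) falls inside a window."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return any(start <= ts < end for start, end in payload_windows())


def flag_connections(log_lines):
    """Return the log lines whose UTC timestamp lands in an activation window.
    This is only a triage filter: it narrows which outbound connections to
    examine, it does not by itself identify an infected host."""
    flagged = []
    for line in log_lines:
        stamp, _src, _dst = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if in_payload_window(ts):
            flagged.append(line)
    return flagged
```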
Symantec believes the virus has the ability to update the master list of servers during the payload launch time.
Infected machines are programmed to check for a new list of servers to contact, but Kevin Haley, group product manager at Symantec Security Response, says, "If the servers aren't up, it can't happen. I would expect none of the servers will be available Sunday -- we expect that the threat has really passed."
Sobig-F is programmed to stop spreading Sept. 10; the next variant is expected on or near Sept. 11. "Sobig's creator has developed a predictable pattern of releasing new variants soon after the current version deactivates itself,"
Some antivirus experts were speculating that the Sobig-F writer would use infected machines -- also known as zombies -- to launch a distributed denial-of-service attack.
"The code downloaded by Sobig-F could do anything that is possible through a program," says Graham Cluley, senior antivirus technologist at Sophos. "So, it could range from wiping out files, to stealing information or displaying a jpeg of Bill Gates without any trousers on."