The Sobig-F worm will again try to connect to remote servers and download a mysterious program this weekend. Experts warn companies to be extra vigilant about protecting themselves, especially given the Labor Day holiday.
The worm is set to begin its download process between 3 p.m. and 6 p.m. EDT on Friday and Sunday. While the spread of Sobig-F has slowed, it is still a threat to enterprises.
Last weekend, the worm tried to connect to remote systems that would have directed it to download a mystery application -- a program that authorities know little about. Internet service providers, however, took down 18 of the 20 remote servers the worm tried to access to download the program, rendering the issue moot. The other two servers were also inaccessible over the weekend. "It stands to reason that [if] we can't access them, then the worm wouldn't be able to either," said Mikko Hypponen, manager of antivirus research for F-Secure Corp., in Helsinki, Finland.
Earlier this week, Romanian antivirus vendor BitDefender warned that the worm was also set to download a program and execute it from servers belonging to Time Warner Telecom Inc. But other antivirus experts have said BitDefender drew the wrong conclusions from its analysis of Sobig-F. "Something like this can easily happen when you analyze a virus that's encrypted," Joe Hartmann, Trend Micro's director of North American antivirus research, told Information Security magazine.
Companies can take some preventive measures against the worm, such as blocking outgoing UDP port 8998, which would cut off the worm's ability to reach the download servers. Companies could also disable Network Time Protocol (NTP) queries leaving the network, since the worm uses NTP to determine the current time and therefore when to begin the download process.
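As an added illustration of those two measures (not code from the article or from any of the vendors quoted), the script below scans constructed firewall flow-log lines for the two egress patterns the article names, outbound UDP 8998 and NTP queries from hosts other than a designated internal time relay, and emits the corresponding egress rules. The log format, the 10.0.0.0/8 internal range and the relay address are assumptions.

```python
import ipaddress

# Constructed sample flow-log lines: timestamp src dst proto dport action
SAMPLE_LOG = """\
2003-08-29T15:02:11 10.1.4.23 203.0.113.7 udp 8998 allow
2003-08-29T15:02:11 10.1.4.23 198.51.100.9 udp 123 allow
2003-08-29T15:03:40 10.1.0.5 198.51.100.9 udp 123 allow
2003-08-29T15:05:02 10.1.4.23 203.0.113.7 tcp 80 allow
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
NTP_RELAY = ipaddress.ip_address("10.1.0.5")         # assumed: only host allowed to query NTP outside

def classify(line):
    """Return (finding, source_ip) for a suspicious outbound UDP flow, else None."""
    _ts, src, dst, proto, dport, _action = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    outbound = src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET
    if not outbound or proto != "udp":
        return None
    port = int(dport)
    if port == 8998:
        # The port Sobig-F uses to contact its download servers
        return ("sobig-f-udp-8998", src)
    if port == 123 and src_ip != NTP_RELAY:
        # Clients should get time from the relay, not from the Internet
        return ("external-ntp-from-client", src)
    return None

def scan(log_text):
    """Run classify() over every non-empty line and collect the findings."""
    return [h for h in (classify(l) for l in log_text.splitlines() if l.strip()) if h]

def egress_rules():
    """iptables FORWARD rules for a gateway implementing the article's two measures."""
    return [
        "iptables -A FORWARD -p udp --dport 8998 -j DROP",
        f"iptables -A FORWARD -p udp --dport 123 -s {NTP_RELAY} -j ACCEPT",
        "iptables -A FORWARD -p udp --dport 123 -j DROP",
    ]

if __name__ == "__main__":
    for finding, src in scan(SAMPLE_LOG):
        print(f"{finding}: {src}")
```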
The author of Sobig-F has more to worry about than having his download plan thwarted. The FBI is working with other law enforcement agencies to find the author. "I am confident that we will find the culprits," said FBI director Robert Mueller in a statement released yesterday.
Mueller may be confident, but people within the security community are probably less so. Granted, worm writers are occasionally caught. But the writers of Nimda, Code Red and SQL Slammer, the other worms in Sobig-F's league, were never brought to justice.
The FBI is working with an Arizona ISP, Easynews Inc., on tracing the spread of Sobig-F, according to reports. Experts think the worm was seeded through the ISP to a pornography mailing list. The U.S. was hardest hit by Sobig-F.
It's easy to see why the FBI wants to catch the people behind the two worms. Sobig-F swept past LoveBug, Klez and Kournikova to become the fastest spreading mass mailer, according to U.K.-based e-mail filtering outsourcer MessageLabs Inc. The company intercepted over 1 million copies of the worm during its first 24 hours. It accounted for 6% of e-mail messages worldwide last week.
FOR MORE INFORMATION:
SearchSecurity.com news exclusive: "Expert worried Sobig author may accelerate next variant" (http://searchsecurity.techtarget.com/news/920996/Expert-worried-Sobig-author-may-accelerate-next-variant)