News

Sobig.F is Fastest Spreading Virus Yet, August Becoming Epic Month for Worms

• By Scott Bekker
• 08/20/2003

Meanwhile, security vendors were noting the epic nature of August thus far. The combination of Sobig.F, Blast/Lovsan, Welchia/Nachi and other worms hitting the Internet in rapid succession drew many comparisons to the summer of 2001, when Code Red, Nimda and Sircam ruled.

"[Sobig.F] is the number one virus of all time in terms of mass-mailing e-mail-borne viruses," Steven Sundermeier, vice president of the anti-virus company Central Command, said of the worm's first 24 hours. Only Klez has infected more machines, according to Kaspersky Labs, and that virus has had since October 2001 to do its work.

"Yesterday marked an unprecedented new level in virus propagation and demonstrated the growing ability of virus writers to disrupt business around the globe," Mark Sunner, chief technology officer at Message Labs said in a statement.

Anti-virus vendors were in disagreement about the severity of Sobig.F, which can leave a trojan on an infected machine that could allow an attacker to take any action with the machine -- from stealing personal financial information to using the system as a future proxy for future malware.

While the vendors agreed that e-mail traffic generated by Sobig.F was extremely high, the worm's use of a traditional method for infection -- trying to entice users to open an e-mail attachment -- made it a fairly easy worm for administrators to protect against, and for even moderately sophisticated users to ignore.

Symantec, for example, raised its alert level on Sobig.F from 2 to 3 but deemed Welchia/Nachi a more serious level 4 on its 5-point scale. Trend Micro also assigned only a medium rating to Sobig.F. F-Secure, on the other hand, gave the worm "Level 1 alert" status, its most severe rating. McAfee hedged its bets, calling it a high risk for home users and a medium risk for corporate users.

A few observers are exploring the possibility that the vigorous spread of Sobig.F is due to an original approach for a worm -- leveraging the proxy networks used by spammers. In a note on its site, Kaspersky Labs officials wrote, "It may well be that the author has used a spammer technology to generate a mass mailing of the malware which reached users worldwide."

Central Command's Sundermeier explained how such an approach would affect initial infection rates. "Whereas another author might only distribute [his virus] to 500 or 1,000 addresses, Sobig is actually blasting out to hundreds of thousands of users. Obviously the more users it hits, the more chances that this is going to mushroom out and balloon. We see this a lot with initial trojan blasts, but they aren't self-replicating. Sobig.F is one of the first examples of a successful mass-mailing worm to do this."

Sundermeier raised the possibility that the virus writer and spammers could piggyback off each other's work in this case, with spammers beginning to use a hidden proxy network made possible by Sobig.F infections.

In any case, few doubt that the rapid success of Sobig.F will be an isolated event. Ever since the first Sobig worm came out in January, successive versions have been progressively more successful in growth, according to Message Labs. The inclusion of expiration dates in each version, including Sobig.F (Sept. 10), is seen as a guarantee that the worm's author continues to fine tune the code.

Meanwhile, Sobig is only one of several major worms that appeared this month. "Year 2001 still stays in history as the worst virus year ever, but this is starting to get just as bad. Within one week we've seen several major virus outbreaks, as well as some completely new techniques in viruses," said Mikko Hypponen, director of anti-virus research at F-Secure.

The trail of worms in August includes Blaster/Lovsan, which started spreading Aug. 11 by exploiting a vulnerability Microsoft patched in mid-July; Welchia/Nachi, a worm that exploits the same hole to remove Blaster and apply the Microsoft patch; Lovsan.D, a variant of the Blaster worm that uses the executable mspatch.exe instead of msblast.exe; Sobig.F; and Dumaru, which appeared Tuesday and tries to exploit the Sobig.F problem. The message purports to come from [email protected], and offers an executable attachment that infects machines. Microsoft never e-mails patches as attachments.