RealTime IT News

Sobig.F Targets Jupitermedia

The mass-mailing Sobig.F worm, which is hammering corporate networks, has falsely implicated Jupitermedia Corp. by forging e-mail headers listing admin@internet.com as the sender.

"Jupitermedia Corp., publisher of the internet.com Network, is not the sender or source of this worm, but rather is a victim like many other companies. Jupitermedia has contacted law enforcement and is working closely with them and others in the private sector to try to put a stop to this," the Darien, Conn.-based company said in a press statement. Other company e-mail addresses are also being spoofed by the worm.

"Anyone with information regarding the source of this worm can contact security@jupitermedia.com or the U.S. Secret Service Electronic Crimes Task Force at (718) 840-1220," the company said. Jupitermedia is the parent company of internetnews.com.

The e-mail spoofing was highlighted by Symantec on a page of its Web site detailing Sobig.F. However, the anti-virus company has since updated its Sobig.F advisory to confirm that Jupitermedia is NOT the sender.

"The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company," Symantec said in its revised advisory.

F-Secure also updated its alerts to confirm that the sender information on the e-mails "is wrong and doesn't indicate the real infected user."

Because anti-virus definitions and e-mail filters have been updated to block mail from the admin@internet.com address, Jupitermedia's IT administrators have been working overtime to deal with millions of bounces on Monday and Tuesday, when Sobig.F started wreaking havoc.
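The bounce flood described above is backscatter: remote filters reject the worm's mail, then send the delivery status notification (DSN) to the forged sender rather than to the infected host. As an added example that is not from the article or from Jupitermedia, the following Python sorts inbound DSNs into genuine bounces and backscatter by checking whether the Message-ID of the quoted original was actually issued by our own outbound MTA; the ledger, domains and sample DSNs are constructed.

```python
"""Sort inbound bounces into genuine DSNs and worm backscatter.

A remote MTA rejects a worm message whose envelope sender was forged to one
of our addresses and sends the DSN there; the quoted original inside that
DSN carries a Message-ID our outbound MTA never issued.
"""
import email
import re
from email.message import Message
from typing import Optional

# Constructed ledger of Message-IDs our outbound MTA actually generated
# (hypothetical values; in practice, fed from the outbound mail log).
OUTBOUND_MESSAGE_IDS = {"<20030820.1001@mail.example.com>"}
MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.I | re.M)


def make_bounce(orig_message_id: str) -> str:
    """Build a constructed DSN addressed to the spoofed admin@internet.com."""
    return (
        "Return-Path: <>\nFrom: MAILER-DAEMON@remote.example.net\n"
        "To: admin@internet.com\nSubject: Undeliverable\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nRejected: message carried the Sobig.F worm\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        "From: admin@internet.com\nTo: user@remote.example.net\n"
        f"Message-ID: {orig_message_id}\n--b1--\n"
    )


def embedded_message_id(bounce: Message) -> Optional[str]:
    """Return the Message-ID of the original message quoted inside a DSN."""
    for part in bounce.walk():
        if part.get_content_type() in ("message/rfc822", "text/rfc822-headers"):
            payload = part.get_payload()
            # message/rfc822 yields a one-element list of Message objects;
            # text/rfc822-headers yields the header block as plain text.
            text = payload[0].as_string() if isinstance(payload, list) else str(payload)
            match = MSGID_RE.search(text)
            return match.group(1) if match else None
    return None


def classify_bounce(raw: str) -> str:
    """Return 'genuine', 'backscatter', 'unknown' or 'not-a-bounce' for raw mail."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return "not-a-bounce"
    mid = embedded_message_id(msg)
    if mid is None:
        return "unknown"  # DSN without a quoted original: cannot decide
    return "genuine" if mid in OUTBOUND_MESSAGE_IDS else "backscatter"
```

Backscatter classified this way can be discarded or rate-limited at the edge instead of consuming the bandwidth and mailbox capacity the article describes.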

Jupitermedia CTO Mark Berns told internetnews.com the company had already handled more than 3 million bounced e-mails in the past two days. On a normal day, bounced e-mails total about 120,000, but Berns said returned mail to the spoofed admin@internet.com address has been a nightmare to deal with.

"So far today, we've received about one and a half million bounced mails. The anti-virus definitions have been updated to block mails from that address, which is theoretically what they're supposed to do. So, we are being bombarded with the bounces. It is saturating our network and hogging bandwidth," Berns explained.

"It has been all hands on deck here. My team has been working around the clock just to keep our e-mail flowing. This week has been a challenge like none we've seen. It's the worst we've dealt with all the worms," he said, referring to the Blaster and Welchia viruses that slowed enterprise networks to a crawl for most of the past week.

And, with fears that several new Sobig variants will appear in the future, Berns is resigned to dealing with more headaches in the coming weeks. "Who knows what Sobig.G or Sobig.H will do?"

Sobig.F, which builds on the impact of the previous Sobig worms, turns infected machines into hidden proxy servers. The latest variant is programmed to stop spreading on September 10, but a new variant is expected to hit soon after.

According to F-Secure, Sobig.F comes with a large attachment (around 70KB) and has its own SMTP engine, as well as routines to query DNS servers directly and to make requests using the Network Time Protocol. The worm also has updating capabilities and will attempt to download updated versions when certain conditions are met.