RealTime IT News

The ABC's of the Sobig Virus

The destructive Sobig.F mass-mailing virus has been programmed to stop working on September 10 but that's not necessarily good news for IT guys around the globe.

That's because security experts expect a more sophisticated variant of the Sobig worm to start crawling through inboxes immediately after the September 10 deadline. "Sobig.G is very likely. It has been a serial process ever since Sobig started spreading in January this year. Variants come out one at a time and they never overlap," warned Chris Belthoff, Senior Security Analyst at Sophos, Inc.

"I won't be surprised if there is a new Sobig variant that comes out soon after September 10. It certainly fits the profile of this virus," Belthoff said, urging network administrators to be on high alert for a more sophisticated worm.

Sobig was first detected in January 2003 as a mass-mailing virus that used a built-in SMTP client and local Windows network shares to spread. When that first virus expired, a new variant immediately appeared with the same characteristics. Since then, it has been a pattern of expirations and reappearances of the same virus, Belthoff explained.

He said the newer variants have all been "more sophisticated" and "more destructive" than prior versions, warning that the expected Sobig.G could cause another round of chaos within corporate networks.

Sobig.F, which got its name from the large attachments that carry the virus, carpet-bombed the Internet in recent weeks. It ground network traffic to a halt in many sectors, crashing e-mail servers and causing major headaches for IT sysadmins across the country.

"There may be a gap of a few days before we see a new variant but we're pretty sure Sobig.G will appear. The important thing is to prepare properly for it to minimize the damage," Belthoff explained.

Economic damage from Sobig.F has been estimated in the range of $7 billion, according to statistics from Mi2g, a London-based research firm. Mi2g's research pegs Sobig as the "third most damaging virus ever." And, spreading alongside the Blaster and Welchia worms that attacked Windows systems, Sobig turned into a major nightmare for IT admins.

David Bloomstein, product manager of Symantec Security Response, said it was difficult to predict if or when a new Sobig variant will start spreading. "We're keeping our eyes open for anything. We do know that the virus deactivates on September 10. That means it won't mass-mail or collect e-mail addresses. But, the virus can still attempt to download updates from the list of master servers," he explained.

By retaining the ability to collect updates from master servers controlled by the unknown virus writer, Bloomstein said new instructions can be coded to launch a new wave of attacks. "We're on a high state of alert. Given where we are on the calendar, we're keeping our eyes open and watching out for anything that can happen," he said.

Sophos' Belthoff said the increased sophistication of new variants called for industry-wide preparation to blunt future attacks. "[All the previous variants] were mass-mailing worms that arrived primarily as e-mail. That's one place to start blocking them," he urged.

Belthoff recommends that enterprise sysadmins block all attachments with executable files at the gateway. "If you're not blocking it at the gateway, then you are letting it reach the desktops and you're putting the onus on employees not to open those attachments," he explained.

"Why companies aren't catching it at the gateway, I don't know. It should be standard business practice in this day and age to block executable attachments at the gateway. If executables are necessary for business, it is easy to set rules and permissions to let them through for certain staff," he explained.

If companies blocked executable attachments at the gateway, mass-mailing would have had its day as a viable transmission method for viruses, he argued.
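To make the gateway policy Belthoff describes concrete, here is an added Python sketch of an attachment filter; it is illustrative code written for this page, not code from the article, Sophos or Symantec. It flags an attachment as executable either by its file extension or by the "MZ" magic bytes that Windows executables begin with (so a renamed .exe is still caught), blocks the message by default, and lets it through only when every recipient is on an allowlist of staff who need executables for their work. The extension set, the allowlist addresses and the sample messages are all constructed assumptions, not values from the article.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed set of extensions treated as executable content (not from the article).
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Hypothetical allowlist: the "certain staff" whose business role requires executables.
ALLOWED_RECIPIENTS = {"build-team@example.com"}


def is_executable_attachment(part) -> bool:
    """Return True if a MIME part looks like a Windows executable.

    Checks both the declared filename's extension and the decoded payload's
    magic bytes: PE/DOS executables start with "MZ", so a renamed file is
    still detected even when its extension looks harmless.
    """
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"


def gateway_decision(raw_message: bytes) -> str:
    """Decide "block" or "allow" for a raw RFC 822 message at the gateway.

    Executable attachments are blocked unless every recipient is on the
    allowlist; messages with no executable attachment are allowed.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    recipients = {
        addr.strip().lower()
        for addr in str(msg.get("To", "")).split(",")
        if addr.strip()
    }
    for part in msg.iter_attachments():
        if is_executable_attachment(part):
            if recipients and recipients <= ALLOWED_RECIPIENTS:
                return "allow"  # exception granted for approved staff only
            return "block"
    return "allow"


def build_sample(to_addr: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample message with one attachment (test input, not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = to_addr
    m["Subject"] = "Re: your document"
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Constructed samples: a .pif to an ordinary user, a renamed executable,
    # an .exe to the allowlisted team, and a harmless text attachment.
    samples = [
        ("alice@example.com", "document.pif", b"MZ\x90\x00constructed"),
        ("alice@example.com", "notes.txt", b"MZ\x90\x00renamed"),
        ("build-team@example.com", "setup.exe", b"MZ\x90\x00tool"),
        ("alice@example.com", "notes.txt", b"plain text, nothing to see"),
    ]
    for to_addr, name, data in samples:
        print(to_addr, name, "->", gateway_decision(build_sample(to_addr, name, data)))
```

The allowlist is keyed on recipients rather than senders because sender addresses in mass-mailing worms are forged; a real gateway would also quarantine rather than silently drop, so that a legitimate executable can be released after review.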

More importantly, Belthoff and Bloomstein both advocated increased end-user awareness about the dangers of successful virus attacks. "The weakest point of security in an enterprise is the home user and the casual employee using the network. A company that has telecommuters at home without updated virus protection is at major risk," Belthoff said.

He said large enterprises should consider remote updates for all users. "Just doing those two things - blocking attachments at the gateway and remotely updating virus protection for home users - would stop the next Sobig from spreading so rapidly," Belthoff added.

Symantec's Bloomstein agreed. "First thing, keep your virus definitions updated. Then, remind your internal users of best practices. No one should be clicking on stray attachments that they aren't expecting."

"If an admin is concerned about timing and feels there's a threat, then they could go the extra mile and block executables at the gateway. It doesn't hurt to be extra cautious," Bloomstein added.

"These should be standard business practices. We shouldn't be singling out September 11 or any particular date when it comes to network security. Everyone should be worried about the next Sobig, regardless of the date."