RealTime IT News

Sobig-F Overruns Networks, Email Traffic

The latest variant of the Sobig worm is hammering corporate networks, crashing email servers, staggering Internet traffic and accounting for 70 percent of all email today, according to security analysts.

They also say Sobig-F, which was first detected Monday afternoon, is topping off what is being called the worst worm week in history.

"This is unbelievable," says Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio. ''We have never seen this sort of activity before... Sobig-F is causing substantial impact on business right now. Almost three out of every four messages will be Sobig or it will be a failed delivery message generated by Sobig.''

And Sundermeier says that's not even the worst of it.

''Usually with mass-mailing viruses, you have a peak day early on,'' adds Sundermeier. ''We're not seeing any significant degradation right now. We haven't even hit the peak yet. That's the really bad news.''

Sobig-F is a mass-mailing worm that also can spread via network shares, according to Sophos, Inc., an anti-virus company based in Lynfield, Mass. When it arrives via email, the worm poses as a .pif or .scr file. The sender's address is spoofed. The subject lines used are taken from a list, including 'Re: That movie', 'Re: Wicked screensaver', 'Re: Approved' and 'Your details'.

In fact, the worm has falsely implicated Jupitermedia Corp. , the parent of this Web site, by forging e-mail headers listing admin@internet.com as the sender. Jupitermedia is working with law enforcement authorities in an attempt to stop the worm. (For more details, see this related story.)

Security experts say Sobig-F, which is just the latest in the malicious family of Sobig worms, is hitting the Internet so hard because it is building on the impact of its Sobig predecessors.

Sundermeier explains that earlier variants of Sobig have infected computers and then downloaded Trojans to set the machines up to be hidden proxy servers. ''The author has a huge army now for the next seeding,'' he says. ''Every Sobig variant becomes bigger and bigger, and we believe it's because of this army he's building of infected machines.''

Sobig-F is designed to die out on Sep. 10. That's leading many analysts to suspect that the next variant will hit on Sep. 11 or soon after. And if that variant builds on the malicious success of Sobig-F, then the damage could be even worse.

''Sobig-F has quickly become the most widespread virus in the history of email worms and it's spreading very rapidly,'' says Ken Dunham, malicious code intelligence manager with Reston, Va.-based iDefense, Inc. ''Corporate networks are just being blasted with a ton of emails, forcing them to be very aggressive with gateway and content-based filters. As servers are busy processing all the extra email, it affects their ability to get legitimate email to people.''

Dunham notes that there have been more than 1 million interceptions of the worm in the last 24 hours. The average significant worm will get 10,000 to 50,000 interceptions in a day.

''I've never seen anything like this,'' says Dunham.

Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus company based in Lynfield, Mass., says Sobig-F is just capping off an extremely bad string of viruses.

The Blaster worm, which exploited what could be the most widespread Windows vulnerability, first hit on Monday, Aug. 11. Blaster had IT managers hopping to patch up holes when several variants of it hit in the next few days. Then Graybird-A, a backdoor Trojan, appeared disguised as a patch for the Windows vulnerability that Blaster had been exploiting. After that, Nachi-A and Dumaru-A both hit.

''This has just been the worst worm week ever,'' says Belthoff. ''Worms this past week have caused incredible slowdowns, if not complete disruption of networks... All you need is a few infections to shut down an entire mail system.''