Sobig.F Targets Jupitermedia

The mass-mailing Sobig.F worm, which is hammering corporate networks, has falsely implicated Jupitermedia Corp. by forging e-mail headers listing admin@internet.com as the sender.

“Jupitermedia Corp., publisher of the internet.com Network, is not the sender or source of this worm, but rather is a victim like many other companies. Jupitermedia has contacted law enforcement and is working closely with them and others in the private sector to try to put a stop to this,” the Darien, Conn.-based company said in a press statement. Other company e-mail addresses are also being spoofed by the worm.

“Anyone with information regarding the source of this worm can contact security@jupitermedia.com or the U.S. Secret Service Electronic Crimes Task Force at (718) 840-1220,” the company said. Jupitermedia is the parent company of internetnews.com.

The e-mail spoofing was highlighted by Symantec on a page of its Web site detailing Sobig.F. However, the anti-virus company has since updated its Sobig.F advisory to confirm that Jupitermedia is NOT the sender.

“The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company,” Symantec said in its revised advisory.

F-Secure also updated its alerts to confirm that the sender information on the e-mails “is wrong and doesn’t indicate the real infected user.”

Because anti-virus gateways and e-mail filters have been updated to reject the worm’s messages, and because those messages carry the forged admin@internet.com sender address, the resulting non-delivery notices are returned to Jupitermedia rather than to the infected machines. Its IT administrators have been working overtime to deal with millions of bounces on Monday and Tuesday, when Sobig.F started wreaking havoc.

Jupitermedia CTO Mark Berns told internetnews.com the company had already handled more than 3 million bounced e-mails in the past two days. On a normal day, bounced e-mails total about 120,000, but Berns said returned mail to the spoofed admin@internet.com address has been a nightmare to deal with.

“So far today, we’ve received about one and a half million bounced mails. The anti-virus definitions have been updated to block mails from that address, which is theoretically what they’re supposed to do. So, we are being bombarded with the bounces. It is saturating our network and hogging bandwidth,” Berns explained.
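The flood Berns describes is backscatter: a remote gateway rejects the worm’s message after accepting it, then sends a non-delivery report to the address in the forged headers, not to the infected host. The Python below is an added example, not code from this article or from Jupitermedia, showing how an inbound filter can separate that backscatter from bounces of mail the organization really sent: it parses the delivery-status report, pulls out the embedded original, and checks whether any Received: hop was added by one of the organization’s own relays. The relay name mail.internet.com, the domain list, the addresses and both sample reports are constructed for illustration, and the machine-readable message/delivery-status part of a real report is omitted from the samples for brevity.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed site configuration: domains the worm forges in From:, and the relays
# that every message legitimately sent from the organization passes through.
OUR_DOMAINS = {"internet.com"}
OUR_RELAYS = {"mail.internet.com"}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def parse_received(header):
    """Pull the connecting IP and the receiving host out of one Received: line."""
    text = str(header)
    ip = RECEIVED_IP.search(text)
    by = RECEIVED_BY.search(text)
    return {"ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None}


def embedded_original(dsn):
    """Return the message/rfc822 part carried by a bounce, or None if omitted."""
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def classify_bounce(raw, our_domains=OUR_DOMAINS, our_relays=OUR_RELAYS):
    """Classify a bounce addressed to us and report the original's first hop.

    'backscatter' means the returned original never passed through our relays
    but carries our domain in From: (the Sobig.F case); 'legitimate-bounce'
    means one of our relays handled it. The origin IP comes from the earliest
    Received: hop, which is the real sending host, unlike the From: header.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and (msg.get_param("report-type") or "").lower() == "delivery-status")
    if not is_dsn:
        return {"verdict": "not-a-dsn", "origin_ip": None}
    original = embedded_original(msg)
    if original is None:
        return {"verdict": "dsn-without-original", "origin_ip": None}

    hops = [parse_received(h) for h in original.get_all("Received", [])]
    hops.reverse()  # headers are newest-first; the earliest hop is the origin
    origin_ip = hops[0]["ip"] if hops else None
    relayed_by_us = any(h["by"] in our_relays for h in hops)
    sender = parseaddr(str(original.get("From", "")))[1]
    sender_domain = sender.rpartition("@")[2].lower()

    if relayed_by_us:
        verdict = "legitimate-bounce"
    elif sender_domain in our_domains:
        verdict = "backscatter"
    else:
        verdict = "unrelated-bounce"
    return {"verdict": verdict, "origin_ip": origin_ip}


def wrap_in_dsn(original_text):
    """Build a minimal multipart/report bounce around an original message
    (constructed test data standing in for what a remote gateway returns)."""
    return ("From: MAILER-DAEMON@example.org\nTo: admin@internet.com\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n'
            "\n--B\nContent-Type: text/plain\n\nDelivery failed: virus detected.\n"
            "\n--B\nContent-Type: message/rfc822\n\n" + original_text + "\n--B--\n")


# Constructed original: an infected third-party PC sent it with our forged From:.
WORM_ORIGINAL = """\
Received: from EXAMPLE-PC (cpe-198-51-100-7.isp.example.net [198.51.100.7])
    by mx.example.org with SMTP; Tue, 19 Aug 2003 09:59:00 -0400
From: <admin@internet.com>
To: someone@example.org
Subject: Thank you!

Please see the attached file for details.
"""

# Constructed original: really left through our relay and then bounced.
OUR_ORIGINAL = """\
Received: from mail.internet.com (mail.internet.com [192.0.2.25])
    by mx.example.org with ESMTP; Tue, 19 Aug 2003 09:58:00 -0400
Received: from desk42.corp.example (desk42.corp.example [10.0.0.5])
    by mail.internet.com with ESMTP; Tue, 19 Aug 2003 09:57:00 -0400
From: <admin@internet.com>
To: nobody@example.org
Subject: Newsletter

Hello.
"""

BACKSCATTER_DSN = wrap_in_dsn(WORM_ORIGINAL)
LEGIT_DSN = wrap_in_dsn(OUR_ORIGINAL)

if __name__ == "__main__":
    print("worm bounce:", classify_bounce(BACKSCATTER_DSN))
    print("our bounce: ", classify_bounce(LEGIT_DSN))
```

Two caveats a practitioner would attach to this check. First, any Received: line below the hop added by a trusted gateway can be forged by the sender, so a “by mail.internet.com” match is only evidence, not proof; a stronger control is to tag the envelope sender of outgoing mail (a BATV-style signed return path) and refuse delivery-status reports addressed to untagged addresses. Second, classifying after acceptance still costs the bandwidth Berns complains about; rejecting the backscatter with a 5xx at SMTP time is what actually relieves the network.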

“It has been all hands on deck here. My team has been working around the clock just to keep our e-mail flowing. This week has been a challenge like none we’ve seen. It’s the worst we’ve dealt with all the worms,” he said, referring to the Blaster and Welchia worms that slowed enterprise networks to a crawl for most of the past week.

And, with fears that several new Sobig variants will appear in the future, Berns is resigned to dealing with more headaches in the coming weeks. “Who knows what Sobig.G or Sobig.H will do?”

Sobig.F, which builds on the impact of the previous Sobig worms, turns infected machines into hidden proxy servers. The latest variant is programmed to stop spreading on September 10, but a new variant is expected to hit soon after.

According to F-Secure, Sobig.F comes with a large attachment (around 70KB) and has its own SMTP engine, along with routines to query DNS servers directly and to make requests using the Network Time Protocol. The worm also has updating capabilities and will attempt to download updated versions when certain conditions are met.
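A mass mailer with its own SMTP engine delivers straight from the infected workstation to the recipients’ mail exchangers, bypassing the corporate relay, and that is visible at the network edge: an ordinary desktop opening port 25 connections to many different hosts. The Python below is an added example, not from this article or from F-Secure, that scans firewall log lines in an assumed, constructed format, ignores the approved relay, and flags hosts that fan out to many distinct SMTP destinations. It also records whether the same host made an NTP (port 123) request, one of the behaviours listed above, but treats that only as corroboration, since legitimate hosts synchronize time too. The log format, relay address and sample lines are all constructed.

```python
import re
from collections import defaultdict

# Assumed log format (constructed, not any real firewall's):
#   "<timestamp> <ALLOW|DENY> <src> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>\d+(?:\.\d+){3})\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)

# Hosts allowed to speak SMTP to the Internet (assumed: the corporate relay).
APPROVED_RELAYS = {"10.1.0.5"}

# Constructed sample: 10.1.2.34 looks like a host running its own SMTP engine
# (six distinct port-25 peers plus an NTP query); 10.1.2.50 is a normal desktop
# handing mail to the relay; the relay itself fans out legitimately.
SAMPLE_LOG = """\
2003-08-19T10:00:01 ALLOW 10.1.2.34 -> 192.0.2.100:123
2003-08-19T10:00:02 ALLOW 10.1.2.34 -> 192.0.2.10:25
2003-08-19T10:00:02 ALLOW 10.1.2.34 -> 192.0.2.11:25
2003-08-19T10:00:03 ALLOW 10.1.2.50 -> 10.1.0.5:25
2003-08-19T10:00:03 DENY  10.1.2.34 -> 198.51.100.20:25
2003-08-19T10:00:04 ALLOW 10.1.2.34 -> 198.51.100.21:25
2003-08-19T10:00:04 ALLOW 10.1.0.5 -> 203.0.113.5:25
2003-08-19T10:00:05 ALLOW 10.1.0.5 -> 203.0.113.6:25
2003-08-19T10:00:05 ALLOW 10.1.2.34 -> 203.0.113.5:25
2003-08-19T10:00:06 ALLOW 10.1.2.34 -> 203.0.113.6:25
2003-08-19T10:00:06 DENY  10.1.2.34 -> 203.0.113.6:25
this line is garbage and is skipped
"""


def find_direct_to_mx_hosts(log_text, approved_relays=APPROVED_RELAYS, threshold=5):
    """Flag sources that contact at least `threshold` distinct hosts on TCP/25.

    Denied attempts count as well: the worm keeps trying whether or not the
    firewall lets it out, and the attempt itself is the evidence. Approved
    relays are skipped because fanning out to many MXs is their job.
    """
    smtp_peers = defaultdict(set)
    ntp_sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src in approved_relays:
            continue
        if dport == 25:
            smtp_peers[src].add(dst)
        elif dport == 123:
            ntp_sources.add(src)
    return {
        src: {"distinct_smtp_peers": len(peers), "ntp_query": src in ntp_sources}
        for src, peers in smtp_peers.items()
        if len(peers) >= threshold
    }


if __name__ == "__main__":
    for host, detail in find_direct_to_mx_hosts(SAMPLE_LOG).items():
        print(f"{host}: {detail}")
```

The threshold is a tuning knob: five distinct SMTP peers in a short window is far above what a desktop that relays through the corporate mail server ever produces, and the same counting logic applied to outbound DNS MX lookups gives an independent second signal. The containment that follows from this detection is an egress rule that allows port 25 only from the approved relays, which also stops the infected host from generating the backscatter the article describes.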
