Sobig Worm turns PCs into Spam Factories

Darth Fanboy
DUH! WINNING!
Posts: 11182
Joined: 2002-09-20 05:25am
Location: Mars, where I am a totally bitchin' rockstar.

Post by Darth Fanboy »

Sobig Worm Aims to Turn PCs Into Spam Machines
Wed August 20, 2003 09:46 PM ET
By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - Several Internet worms that have besieged computers for over a week played havoc again on Wednesday, including one called Sobig.F whose aim was to turn PCs into spam machines and was believed to be the fastest growing virus ever, experts said.

Sobig.F drops software onto infected Windows computers that open them to be used later for distributing Internet spam -- unwanted e-mails and product promotions, experts said. It also represents a new trend in converging e-mail spamming and virus software writing, they said.

"We believe (Sobig.F) has been written by a spammer or spammers" looking for ways to get past spam filters, said Mikko Hypponen, manager of anti-virus research for Finnish security firm F-Secure. "For once, we have a clear motive for a virus -- money."

Security experts said it was difficult to ascertain how many computers had been infected by the Sobig.F worm. Worms are viruses that spread through networks.

Internet service America Online, however, said it blocked about 11.5 million copies while security firm MessageLabs stopped more than 1 million copies within the first 24 hours and dubbed Sobig.F the fastest growing e-mail virus ever.

Sobig.F hit the computing world as corporations were still recovering from several worms that spread through holes in Microsoft Corp.'s Windows operating systems, including the "Blaster" worm. Also called "LovSan," it has infected and crashed hundreds of thousands of computers since last week.

The "Welchia" or "Nachi" worm, which surfaced on Monday, infected 72,000 computers used by the U.S. Navy and Marine Corps and crippled Air Canada's reservation counters and call centers.

CSX Transportation said on Wednesday that a virus infection had slowed its dispatching and signal systems, forcing it to halt passenger and freight train traffic, including the morning commuter train service in Washington, D.C.

NEW TREND, SPAM-VIRUS CONVERGENCE

Sobig.F hit home users particularly hard, experts said. It arrives in an e-mail with an attachment that when opened infects the computer and sends itself on to other victims using a random e-mail address from the address book, making it difficult to trace the worm back to its source.

The Sobig family of worms represents a new trend in the convergence of worm and spam techniques for more widespread and faster deployment, experts said.

Virus writers are utilizing software that spammers employ to send bulk spam messages. Conversely, spammers are starting to use methods incorporated by virus writers to spread their messages and avoid detection, said Brian Czarny, marketing director at e-mail security company MessageLabs.

Previous Sobig versions loaded a program onto infected PCs that broadcast spam to other computers, thus turning the PCs into so-called "spam relays."

Sobig.F downloads a Trojan onto infected computers, which could later be remotely activated to send spam, experts said.

"There are computers scanning the Internet for open relays so spammers can jump from one machine to the next and be able to send millions of spam messages and have them not be traced back to them or be blocked," said Jimmy Kuo, research fellow at anti-virus vendor Network Associates Inc.

Sobig.F, which expires on Sept. 10, is spreading quickly because it sends multiple e-mails simultaneously and spreads to other computers on a shared network, said experts, who predict there will be another version in the near future. (Additional reporting by Bernhard Warner in London and Charles Grandmont in Montreal.)
"If it's true that our species is alone in the universe, then I'd have to say that the universe aimed rather low and settled for very little."
-George Carlin (1937-2008)

"Have some of you Americans actually seen Football? Of course there are 0-0 draws but that doesn't make them any less exciting."
-Dr Roberts, with quite possibly the dumbest thing ever said in 10 years of SDNet.
Thunderfire
Jedi Master
Posts: 1063
Joined: 2002-08-13 04:52am

Post by Thunderfire »

The big problem with this one is that many mail servers send a message to the From address. Really useful when the address is faked.
Embracer Of Darkness
Worthless Trolling Palm-Fucker
Posts: 1065
Joined: 2003-01-26 01:08pm
Location: paul.barlow@embracerofdarkness.co.uk

Post by Embracer Of Darkness »

*Fires up the firewalls and checks for updates.*

I'm getting sick of these worms.
Darth Fanboy
DUH! WINNING!
Posts: 11182
Joined: 2002-09-20 05:25am
Location: Mars, where I am a totally bitchin' rockstar.

Post by Darth Fanboy »

Thread bumped, if only to give concerned computer users one last peek if they want.
Thunderfire
Jedi Master
Posts: 1063
Joined: 2002-08-13 04:52am

Post by Thunderfire »

Embracer Of Darkness wrote:*Fires up the firewalls and checks for updates.*

I'm getting sick of these worms.
This is a mail-based virus AFAIK. Getting a good virus scanner and mail filter is a better idea.
Darth Wong
Sith Lord
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

Thunderfire wrote:
Embracer Of Darkness wrote:*Fires up the firewalls and checks for updates.*

I'm getting sick of these worms.
This is a mail-based virus AFAIK. Getting a good virus scanner and mail filter is a better idea.
That doesn't work on brand-new viruses, unless you're lucky enough not to get them until after the virus scanner companies identify the new infestation (note: this does not occur until many people have ALREADY been infected) and put out updates which you have already received and installed.

Best solution is not to use Windows for E-mail. Use it for games or video editing or other things, but Internet activities should be carried out on a *nix platform if you're genuinely worried about security. And if you must use Windows, then DON'T USE OUTLOOK EXPRESS, for fuck's sake.
"It's not evil for God to do it. Or for someone to do it at God's command."- Jonathan Boyd on baby-killing

"you guys are fascinated with the use of those "rules of logic" to the extent that you don't really want to discussus anything."- GC

"I do not believe Russian Roulette is a stupid act" - Embracer of Darkness

"Viagra commercials appear to save lives" - tharkûn on US health care.

http://www.stardestroyer.net/Mike/RantMode/Blurbs.html
His Divine Shadow
Commence Primary Ignition
Posts: 12791
Joined: 2002-07-03 07:22am
Location: Finland, west coast

Post by His Divine Shadow »

My company's network escaped Sobig.F at least; the installation of a virus scanner on the mail server has greatly helped. It's also nice that we have another layer of virus scanners on every workstation, and a draconian firewall.

There was a virus warning yesterday, when I was supposed to have the day off. Apparently a part of the Nimda virus (only a part, so it was inactive) had gotten left behind after the last sweep.

We did however get messages from other mail servers that we had supposedly sent them Sobig.F. Bullshit; I went through every computer with a program that was designed to find Sobig.F and remove it, and every computer was clean.
Of course Sobig.F can fake From headers, so it wasn't really from us that it came.
Those who beat their swords into plowshares will plow for those who did not.
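Added example, not part of any post in this thread: Thunderfire's point about bounces going to a forged From address and His Divine Shadow's "it wasn't really from us" come down to the same check. Only the Received: line that your own MX wrote tells you which host actually connected; the From: header is whatever the worm filled in from someone's address book. The Python below parses that topmost hop, ignores HELO because the client chooses it, and lets an NDR go to the From: address only when the reverse-DNS name our MX recorded belongs to that domain. Both messages, the host names, the IPs and the MX name mx.example.org are constructed for the example; the Received: clause format is the one Postfix and Sendmail write.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not a real capture: what our own MX (assumed name
# mx.example.org) records for a Sobig-style message whose From: is forged to
# a harvested address at example.net but which actually arrived from a DSL
# host with no reverse DNS. "unknown" is how Postfix marks a failed lookup.
FORGED = """\
Received: from dsl-198-51-100-23.isp.example (unknown [198.51.100.23])
\tby mx.example.org (Postfix) with SMTP id 4F2C1
\tfor <victim@example.org>; Thu, 21 Aug 2003 08:12:44 +0000
From: alice@example.net
To: victim@example.org
Subject: Re: Details
Content-Type: text/plain

See the attached file.
"""

# Constructed sample of a message that really did come from the From: domain.
GENUINE = """\
Received: from smtp.example.net (smtp.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 4F2C2
\tfor <victim@example.org>; Thu, 21 Aug 2003 08:13:01 +0000
From: alice@example.net
To: victim@example.org
Subject: lunch
Content-Type: text/plain

Noon?
"""

# "from HELO (rDNS [ip]) by HOST" clause as Postfix and Sendmail write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def first_hop(msg_text):
    """Parse the topmost Received: header, the one our own MX wrote.
    Every Received: line below it was written by other servers, or by the
    worm itself, and proves nothing about where the message came from."""
    msg = email.message_from_string(msg_text)
    received = msg.get_all("Received") or []
    if not received:
        return None
    unfolded = " ".join(received[0].split())  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    return m.groupdict() if m else None


def from_domain(msg_text):
    """Domain claimed in From:, which the worm fills from a victim's address book."""
    _, addr = parseaddr(email.message_from_string(msg_text).get("From", ""))
    return addr.rpartition("@")[2].lower()


def verified_origin_name(msg_text, trusted_mx):
    """Reverse-DNS name of the host that connected to trusted_mx, or None.
    HELO is chosen by the client, so it is deliberately ignored."""
    hop = first_hop(msg_text)
    if not hop or hop["by"].lower() != trusted_mx.lower():
        return None
    rdns = (hop.get("rdns") or "").lower()
    return None if rdns in ("", "unknown") else rdns


def from_is_credible(msg_text, trusted_mx):
    """True only when the connecting host belongs to the From: domain."""
    name = verified_origin_name(msg_text, trusted_mx)
    dom = from_domain(msg_text)
    return bool(name and dom and (name == dom or name.endswith("." + dom)))


def bounce_target(msg_text, trusted_mx):
    """Where an NDR may be sent: the From: address if it is credible, else
    None, meaning drop silently so the forged sender gets no backscatter."""
    if not from_is_credible(msg_text, trusted_mx):
        return None
    return parseaddr(email.message_from_string(msg_text).get("From", ""))[1]


if __name__ == "__main__":
    for label, sample in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, first_hop(sample)["ip"], from_domain(sample),
              "credible" if from_is_credible(sample, "mx.example.org") else "NOT credible",
              "bounce to:", bounce_target(sample, "mx.example.org"))
```

The same logic is what you apply by hand when another site's postmaster accuses your domain: read only the Received: line their MX added, and if the connecting host is not yours, the accusation is based on a forged header. Reverse DNS alone is still only an indication (the MX should confirm it with a forward lookup before trusting it), but it is a far better basis for a bounce decision than the From: line.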
Glocksman
Emperor's Hand
Posts: 7233
Joined: 2002-09-03 06:43pm
Location: Mr. Five by Five

Post by Glocksman »

Darth Wong wrote:And if you must use Windows, then DON'T USE OUTLOOK EXPRESS, for fuck's sake.
You ain't lying there, hoss. :wink:

The email program that I use is called Calypso Email.

Not only does it handle multiple accounts easily, it lets you turn off the goddamn HTML and scripting in the preview pane. It converts HTML messages to attached files that you can then look through the source code before you open them.

HTML and scripting are the reasons why OE is a virus and trojan magnet.

Best of all, it's now free

Download it from here and try it.
"You say that it is your custom to burn widows. Very well. We also have a custom: when men burn a woman alive, we tie a rope around their necks and we hang them. Build your funeral pyre; beside it, my carpenters will build a gallows. You may follow your custom. And then we will follow ours."- General Sir Charles Napier

Oderint dum metuant
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

Glocksman wrote:HTML and scripting are the reasons why OE is a virus and trojan magnet.
Not really. The reason that Outlook Express is a virus and trojan magnet is because Microsoft did not correctly implement the MIME standards. Then, in a flash of genius, they left scripting enabled by default.

Mozilla Mail (now Thunderbird) also supports HTML, but scripts are turned off by default, and it implemented MIME *correctly*.
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
His Divine Shadow
Commence Primary Ignition
Posts: 12791
Joined: 2002-07-03 07:22am
Location: Finland, west coast

Post by His Divine Shadow »

Outlook - scripting + Norton = gave 100% protection against Sobig.F
Glocksman
Emperor's Hand
Posts: 7233
Joined: 2002-09-03 06:43pm
Location: Mr. Five by Five

Post by Glocksman »

Crayz9000 wrote:Mozilla Mail (now Thunderbird) also supports HTML, but scripts are turned off by default, and it implemented MIME *correctly*.
Interesting. The only reason I use Calypso (other than that it's free) is because it allows me to turn all of that off.

One of my quirks is that I just don't like HTML email, and unless it's from someone I know, I delete it unread.
The Yosemite Bear
Mostly Harmless Nutcase (Requiescat in Pace)
Posts: 35211
Joined: 2002-07-21 02:38am
Location: Dave's Not Here Man

Post by The Yosemite Bear »

Got to love ASVS for one thing...

Teaching every last bleeping Noobe to turn their HTML off....

The scariest folk song lyrics are "My Boy Grew up to be just like me" from cats in the cradle by Harry Chapin
Alyeska
Federation Ambassador
Posts: 17496
Joined: 2002-08-11 07:28pm
Location: Montana, USA

Post by Alyeska »

Darth Wong wrote:Best solution is not to use Windows for E-mail. Use it for games or video editing or other things, but Internet activities should be carried out on a *nix platform if you're genuinely worried about security. And if you must use Windows, then DON'T USE OUTLOOK EXPRESS, for fuck's sake.
I use OE and my solution is simple. I delete ALL e-mail from people I don't know, and if I receive an attachment without prior warning of said attachment, I isolate the e-mail until I can contact the person.
"If the facts are on your side, pound on the facts. If the law is on your side, pound on the law. If neither is on your side, pound on the table."

"The captain claimed our people violated a 4,000 year old treaty forbidding us to develop hyperspace technology. Extermination of our planet was the consequence. The subject did not survive interrogation."
TheFeniX
Sith Marauder
Posts: 4869
Joined: 2003-06-26 04:24pm
Location: Texas

Post by TheFeniX »

I use Outlook Express on three separate PCs (with a total of 5 e-mail addresses) and have not had an infection in well over two years.

Considering that most of the people who get infected with viruses are ignorant of even basic security and OS concepts: exactly how do you expect them to run a Linux distro? And if they do have this knowledge, they should already know how to keep viruses off their PCs.

I find Windows works just fine for me 99% of the time, and I can't really complain about the massive security flaws in MS products because they make us money (Hell, Blaster has created a huge amount of business for us).
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

OE had the autoexecute nonsense, but nowadays that's off by default. However, most users are fairly computer illiterate and will open attachments without considering what it might be. My dad got a couple Sobig.E e-mails but didn't open it (and uses NS Messenger 7 anyways).

I personally use Ximian Evolution 1.4, which lets you turn off image linking in HTML mail - quite nice. No fucking up the formatting of a message while also protecting you from spam-verification images.
Embracer Of Darkness
Worthless Trolling Palm-Fucker
Posts: 1065
Joined: 2003-01-26 01:08pm
Location: paul.barlow@embracerofdarkness.co.uk

Post by Embracer Of Darkness »

Thunderfire wrote:
Embracer Of Darkness wrote:*Fires up the firewalls and checks for updates.*

I'm getting sick of these worms.
This is a mail-based virus AFAIK. Getting a good virus scanner and mail filter is a better idea.
Thanks for the heads-up. Further action is being taken. :)
Pu-239
Sith Marauder
Posts: 4727
Joined: 2002-10-21 08:44am
Location: Fake Virginia

Post by Pu-239 »

KMail does not enable HTML. By default, it shows you the source, and allows you to render it after checking its contents.

ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer


George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

phongn wrote:I personally use Ximian Evolution 1.4, which lets you turn off image linking in HTML mail - quite nice. No fucking up the formatting of a message while also protecting you from spam-verification images.
Mozilla Thunderbird (and the mail in version 1.3 and above) have the same feature.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

I wonder what Sobig.F's payload was - it went active at 1900 UTC today.
haas mark
Official SD.Net Insomniac
Posts: 16533
Joined: 2002-09-11 04:29pm
Location: Wouldn't you like to know?

Post by haas mark »

So is there a way to get rid of this?

~ver
Robert-Conway.com | lunar sun | TotalEnigma.net

Hot Pants à la Zaia | BotM Lord Monkey Mod OOK!
SDNC | WG | GDC | ACPATHNTDWATGODW | GALE | ISARMA | CotK: [mew]

Formerly verilon

R.I.P. Eddie Guerrero, 09 October 1967 - 13 November 2005


phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Yes. The best bet is to use your head and not run strange attachments. Otherwise, fire up the virus scanner.
Thunderfire
Jedi Master
Posts: 1063
Joined: 2002-08-13 04:52am

Post by Thunderfire »

Darth Wong wrote: That doesn't work on brand-new viruses, unless you're lucky enough not to get them until after the virus scanner companies identify the new infestation (note: this does not occur until many people have ALREADY been infected) and put out updates which you have already received and installed.
Filtering based on the suffix of the attachment should work against most mail viruses.
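Added example, not from any post in this thread: one way to do the attachment-suffix filtering Thunderfire suggests, in Python with only the standard library. It normalizes the filename the way Windows would treat it (case, trailing dots and spaces, and "photo.jpg .scr" style double extensions) before looking at the suffix, and independently checks whether the decoded payload begins with the MZ header of a Windows executable, so a renamed .exe does not get through on its name alone. The blocked-suffix list, both sample messages and the attachment name are constructed for the example, and the "worm" payload is just a PE header stub.

```python
import email
from email.message import EmailMessage

# Assumed for this example: suffixes Windows will run as code and that
# mail-borne worms of this era shipped as attachments. Tune to taste.
BLOCKED_SUFFIXES = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def normalized_suffix(filename):
    """Suffix as Windows would actually treat it: case-folded, trailing dots
    and spaces removed, and only the last extension of a double-extension
    name such as "photo.jpg .scr" counted."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def suspicious_parts(msg_text):
    """Return [(filename, [reasons])] for every MIME part that should stop
    the message. The suffix check and the payload check are independent,
    so a blocked name with a harmless body and an innocent name wrapped
    around an executable are both caught."""
    msg = email.message_from_string(msg_text)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        reasons = []
        if filename and normalized_suffix(filename) in BLOCKED_SUFFIXES:
            reasons.append("blocked suffix " + normalized_suffix(filename))
        payload = part.get_payload(decode=True) or b""  # base64 etc. undone
        if payload[:2] == b"MZ":
            reasons.append("MZ executable payload")
        if reasons:
            findings.append((filename or "(unnamed part)", reasons))
    return findings


def should_quarantine(msg_text):
    return bool(suspicious_parts(msg_text))


def build_worm_sample():
    """Constructed message in the shape the thread describes: a short lure
    text plus an executable attachment. The filename is made up and the
    payload is a PE header stub, not a real worm."""
    msg = EmailMessage()
    msg["From"] = "alice@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="your_document.pif")
    return msg.as_string()


def build_clean_sample():
    """Constructed message with a harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "bob@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "agenda"
    msg.set_content("Agenda for Monday attached.")
    msg.add_attachment("1. Budget\n2. Hiring\n", filename="agenda.txt")
    return msg.as_string()


if __name__ == "__main__":
    print(suspicious_parts(build_worm_sample()))
    print(should_quarantine(build_clean_sample()))
```

A filter like this runs before any signature-based scanner and needs no update when a new variant appears, which is the gap Darth Wong points out above. Its limit is the obvious one: a worm that ships its executable inside a .zip passes both checks unless the filter also opens archives.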
Vertigo1
Defender of the Night
Posts: 4720
Joined: 2002-08-12 12:47am
Location: Tennessee, USA

Post by Vertigo1 »

This, folks, is why you should never use Outlook or open attachments from strange e-mails, no matter who sent it. Hell, running a mail client that doesn't allow you to disable HTML rendering is just ASKING to get bit.

For those that don't already know, to kill HTML rendering in Mozilla Mail (aka Thunderbird) just do the following:

Click view, click on Message Body As, and select "Plain Text". Now all you'll get is the source code. (hell, I'm so anal that I delete any HTML e-mail on sight, no matter who sent it.)
"I once asked Rebecca to sing Happy Birthday to me during sex. That was funny, especially since I timed my thrusts to sync up with the words. And yes, it was my birthday." - Darth Wong

Leader of the SD.Net Gargoyle Clan | Spacebattles Firstone | Twitter
Pu-239
Sith Marauder
Posts: 4727
Joined: 2002-10-21 08:44am
Location: Fake Virginia

Post by Pu-239 »

Even if the email is from someone you know, don't trust it. Many viruses read the victim's address book and mail from the victim's address.
