Free Republic
Browse · Search
News/Activism
Topics · Post Article


New Sober Worm Spoofs FBI, CIA Spreads Fast
TechWeb News ^ | November 22, 2005 | Gregg Keizer

Posted on 11/22/2005 5:33:41 PM PST by Eagle9

A new variation of the long-running Sober worm uses extremely effective tactics to trick users into infecting their PCs, security companies said Tuesday, including posing as messages from the FBI and CIA.

Sober.w -- called Sober.x by Symantec, and Sober.z by Sophos and F-Secure -- is spreading rapidly, said security experts, fast enough for vendors to have amplified their threat levels Tuesday. Symantec raised its warning to a "3" in its 1 through 5 scale, the first time since the Zotob outbreak in August that the Cupertino, Calif.-based anti-virus vendor has taken a worm to that threat level.

"The rate of its spread is quite high," said Sam Curry, vice president of Computer Associates’ eTrust security group, who also called the raw number of infections "still relatively low, but growing."

U.K.-based MessageLabs disagreed with the second half of Curry's estimate, however. "The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months," spokesman Chaim Haas said. By mid-Tuesday, MessageLabs had stopped nearly 3 million copies of the worm from reaching its customers' inboxes.

Sophos, another U.K.-based anti-virus vendor, said that its tallies showed this Sober now accounting for 61 percent of all malware.

Sober.w is the most recent example of the two-year-old Sober family, and shares important characteristics with other variants, including bilingualism (messages arrive in either English or German), address hijacking, and mass-mailing.

Computer Associates' Curry believes the fast spread is due to better-than-average technical skills. "It's using slightly more effective techniques," said Curry, "including running three separate [SMTP] processes. That's becoming somewhat common, because the more simultaneous processes a worm runs, the more copies it can blitz out."

Others, however, credit the enticing bait dangled by the worm for its success. "I just don't see any technical reason why this has popped," said Alfred Huger, senior director of engineering for Symantec's security response team. Instead, he points to the worm's social engineering tricks, which include posing as a message from the CIA or FBI (English), or the Bundeskriminalamt, the German national police agency most like the FBI (German).

These messages, with spoofed return addresses such as "mail@cia.gov" and "admin@fbi.gov," claim that "We have logged your IP-address on more than 30 illegal Websites," and demand that the user open the attached .zip file, which supposedly contains questions to answer.

The FBI, in fact, took the unusual step Tuesday of issuing a statement saying that the messages were bogus. "These e-mails did not come from the FBI," the agency said. "Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner."

"This variant of Sober may catch out the unwary as they open their e-mail inbox," said Graham Cluley, senior technology consultant at Sophos, in a statement Tuesday. "Every law-abiding citizen wants to help the police with their inquiries, and some will panic that they might be being falsely accused of visiting illegal websites and click on the unsolicited email attachment."

Sober's creator or creators are unknown, although suspicions have long placed them in Germany. Recently, the Bavarian state police (Bayerisches Landeskriminalamt) predicted the release of a minor Sober variant the next day, leading to conjecture by security analysts that the police may be on the trail of the hackers. No arrests have been made of anyone accused of writing a Sober worm. The FBI urged users who had received the Sober.w worm to report it to the Internet Crime Complaint Center.


TOPICS: Technical
KEYWORDS: email; sober; worm
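The lure the article describes has three visible parts: a From address spoofed to an agency domain, the "We have logged your IP-address on more than 30 illegal Websites" text, and a .zip attachment the recipient is told to open. A mail gateway can triage on exactly those indicators. The following Python is an added example, not code from the article or from any vendor named in it; the sample messages are constructed, the BKA domain and the German wording are assumptions, and the rule is a heuristic on header and body text, not a check of whether the agency actually sent the mail.

```python
"""Gateway triage for the Sober lure described in the article (added example)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Domains the article reports as spoofed senders (the BKA domain is an assumption).
SPOOFED_AGENCY_DOMAINS = {"fbi.gov", "cia.gov", "bka.de"}

# The English sentence is quoted in the article; the German variant is assumed.
LURE_PATTERNS = [
    re.compile(r"logged your IP[- ]address", re.I),
    re.compile(r"Ihre IP[- ]Adresse", re.I),
]

# Attachment types the campaign uses (.zip) plus directly executable suffixes.
RISKY_SUFFIXES = (".zip", ".exe", ".scr", ".pif", ".com", ".bat")

# Constructed sample; only the "logged your IP-address" sentence comes from the article.
# The base64 payload is an empty archive, so nothing harmful is embedded here.
SAMPLE_LURE = b"""From: "Federal Bureau of Investigation" <admin@fbi.gov>
To: victim@example.org
Subject: You visit illegal websites
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sober-demo"

--sober-demo
Content-Type: text/plain; charset="us-ascii"

Dear Sir/Madam,

We have logged your IP-address on more than 30 illegal Websites.
Please answer our questions! The list of questions is attached.

--sober-demo
Content-Type: application/zip; name="question_list.zip"
Content-Disposition: attachment; filename="question_list.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--sober-demo--
"""

# Constructed benign message used to show the rule does not fire on ordinary mail.
SAMPLE_CLEAN = b"""From: Alice <alice@example.org>
To: bob@example.org
Subject: lunch
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
"""


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From address, lower-cased ('' if unparsable)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def risky_attachments(msg: EmailMessage) -> list[str]:
    """Attachment file names whose suffix is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            names.append(name)
    return names


def triage(raw: bytes) -> dict:
    """Return the matched indicators and a quarantine decision for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    domain = sender_domain(msg)
    if domain in SPOOFED_AGENCY_DOMAINS:
        reasons.append(f"From claims {domain}, a domain this campaign spoofs")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if any(p.search(text) for p in LURE_PATTERNS):
        reasons.append("body contains the campaign's lure sentence")

    attachments = risky_attachments(msg)
    if attachments:
        reasons.append("risky attachment: " + ", ".join(attachments))

    # Two independent indicators are required so a lone .zip from a colleague is not held.
    return {"from_domain": domain, "reasons": reasons, "quarantine": len(reasons) >= 2}


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample))
```

The two-indicator threshold is the point of the design: any single check (an agency domain, a .zip, a phrase) is too noisy on its own, but the worm has to present all three together to work as social engineering, so requiring two keeps the rule cheap and still catches the whole campaign without a signature for any particular variant.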
To: Ramius
Here it is :~D

Democratic Underground - Anyone else get this email from, ah-hem the FBI?

21 posted on 11/22/2005 6:17:22 PM PST by HairOfTheDog (Join the Hobbit Hole Troop Support - http://freeper.the-hobbit-hole.net/ 1,000 knives and counting!)

To: HairOfTheDog

Heh... what a bunch of tools.

Bag. Of. Hammers.


22 posted on 11/22/2005 6:23:01 PM PST by Ramius (Buy blades for war fighters: freeper.the-hobbit-hole.net --> 1000 knives and counting!)

To: HairOfTheDog

They probably *are* watching DU.....:)


23 posted on 11/22/2005 6:23:21 PM PST by Salamander (Cursed With Second Sight)

To: Eagle9
I got my first one at work today, and I admit I was more than a little concerned when I first saw it. However, one telltale sign stood out like a sore thumb - poor spelling.

If you receive any official-looking e-mail in which the author seems to have trouble with his spelling - don't open it - delete it!
24 posted on 11/22/2005 6:24:58 PM PST by reagan_fanatic (Darwinism is a belief in the meaninglessness of existence - R. Kirk)

To: Eagle9
All I can say is "Cloudmark Spamnet" Better than anti virus. It captures virtually everything and puts it in a nice neat file that can be easily deleted every day or so.
25 posted on 11/22/2005 6:26:10 PM PST by newbeliever

To: texianyankee
I got two of them yesterday as well as two of another variant.

I think the authors of this ought to be caned to death and left to rot in the sun. And then severely punished.

26 posted on 11/22/2005 6:32:00 PM PST by Redleg Duke (9/11 - "WE WILL NEVER FORGET!")

To: HairOfTheDog
LOL, LOL, LOL -- I found this entry at your link:

Catrina (1000+ posts) Mon Nov-21-05 03:18 PM

19. Some freeper type in his underwear in the basement may have attached a virus to that ~


27 posted on 11/22/2005 6:32:15 PM PST by ex-Texan (Mathew 7:1 through 6)

To: Eagle9

I've gotten at least 10 infected e-mails, FBI, CIA, and a few other ads.

Trend Micro has caught all of them.


28 posted on 11/22/2005 6:32:36 PM PST by Vinnie

To: Ramius

I was afraid that was the case. Thank goodness for antivirus software!

I also received a lot of emails from a lot of different people who used AOL with a subject line saying that my mail couldn't be delivered.


29 posted on 11/22/2005 6:33:17 PM PST by Warriormom

To: Eagle9

One of the secretaries at work got this today. She figured out it was nonsense and deleted it. We're proud of our users sometimes :-)


30 posted on 11/22/2005 6:34:10 PM PST by JenB (NaNoWriMo Word Count: 39,570)

To: HairOfTheDog

Hey, one of the dummies did have a good idea, forward it to the Nigerians.


31 posted on 11/22/2005 6:36:14 PM PST by SouthTexas (What part of NO don't you understand?)

To: Petronski

Scary stuff. Yeah, and I did delete it, but not right away. Wow, my email rarely lets anything through...


32 posted on 11/22/2005 6:43:47 PM PST by fortunecookie

To: Cicero

I got the same message, from the CIA though. I didn't open the attachment. My virus scans - including AVG - didn't find anything suspicious with it either. My email is usually very thorough and I rarely ever get anything like that, and when I do, it's usually detected by my virus scans.


33 posted on 11/22/2005 6:46:56 PM PST by fortunecookie

To: Vinnie

My corporate AV system is Trend. They've been pretty good about getting updates out lately. On the whole I'm pretty happy with them. The new corporate tools with "repair" tools do, in fact, rock.

They've had their bad moments though... a couple months back they released a corrupt pattern file that somehow started locking up computers all across the company. Centralized "push" systems are awesome until they start pushing out something very, very bad. :-)


34 posted on 11/22/2005 6:49:06 PM PST by Ramius (Buy blades for war fighters: freeper.the-hobbit-hole.net --> 1000 knives and counting!)

To: SouthTexas

No... don't forward it to the Nigerians yet. I'm still waiting for this guy's check to clear...

:-)


35 posted on 11/22/2005 6:50:10 PM PST by Ramius (Buy blades for war fighters: freeper.the-hobbit-hole.net --> 1000 knives and counting!)

To: fortunecookie

I got dozens of sober virus emails last summer, and Norton detected them all. Either this was virus-free, or it was so much modified that Norton will need an update.

I notice that my Virus Definitions were just updated today. I'm not sure if that was a regular update or a response to this threat.


36 posted on 11/22/2005 6:57:56 PM PST by Cicero (Marcus Tullius)

To: Vinnie

Do you ever have problems with Trend Micro's Spyware Exterminator getting stuck during a scan?


37 posted on 11/22/2005 7:01:10 PM PST by getmeouttaPalmBeachCounty_FL (Undocumented border patrol agent.)

To: Northern Alliance; Redcloak; Cicero; TightyRighty
Anti-Virus software does not provide any reliable protection against current threats. Viruses like Sober tend to change every few hours well in advance of AV signature updates. The fact that an attachment did not get marked is no indication that it is harmless. We do receive reports of up to date versions of AV software missing some of the recent Sober variants.

Since the signature is changing every few hours and AV software is having trouble keeping up, this requires a little Internet common sense to avoid getting infected. Imagine how many new users, like grandmothers and grandfathers, get scared and open the attachment when they read a message like this.

"We have logged your IP-address on more than 30 illegal Websites."

38 posted on 11/22/2005 7:47:15 PM PST by Eagle9

and that message is from the FBI or CIA.


39 posted on 11/22/2005 7:50:41 PM PST by Eagle9
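Eagle9's point above is that a clean scanner verdict on the attachment means little while the variant changes faster than signatures can follow. One control that does not depend on signatures at all is to look at the structure of the archive itself and hold anything that carries an executable, whatever the scanner says. The following Python is an added example, not code posted in this thread; the archive it builds is constructed to stand in for the worm's attachment (a fake PE hidden behind a padded double extension), and the suffix list and the compression-ratio cap are assumptions to tune per site.

```python
"""Signature-independent inspection of a mailed .zip (added example)."""
import io
import zipfile

# Suffixes that run as code on a Windows desktop; the list is an assumption.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Members above this uncompressed:compressed ratio are treated as decompression bombs (assumed cap).
MAX_COMPRESSION_RATIO = 200


def build_sample_zip() -> bytes:
    """Constructed stand-in for the worm's attachment; the 'PE' is just an MZ stub of zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Padding spaces push ".exe" out of view in a narrow file-name column.
        zf.writestr("Questions-List.doc" + " " * 40 + ".exe", b"MZ" + b"\x00" * 200)
        zf.writestr("readme.txt", b"Please answer the attached questions.")
    return buf.getvalue()


def inspect_zip(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing structurally suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            stripped = name.lower().rstrip()
            suffix = "." + stripped.rsplit(".", 1)[-1] if "." in stripped else ""

            if suffix in EXECUTABLE_SUFFIXES:
                findings.append(f"executable member: {name!r}")
                if stripped.count(".") >= 2:
                    findings.append(f"double extension: {name!r}")
            if "  " in name:
                findings.append(f"padded name hides the real suffix: {name!r}")

            # Bit 0 of the general-purpose flags marks an encrypted member: we cannot
            # read it, and that alone is a reason to hold mail from an unknown sender.
            if info.flag_bits & 0x1:
                findings.append(f"encrypted member, content cannot be inspected: {name!r}")
                continue
            if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
                findings.append(f"compression ratio suggests a decompression bomb: {name!r}")

            # Content check: file type by magic bytes, not by the name the sender chose.
            with zf.open(info) as member:
                head = member.read(4)
            if head[:2] == b"MZ":
                findings.append(f"PE executable header inside {name!r}")
            elif head == b"PK\x03\x04":
                findings.append(f"nested archive: {name!r}")
    return findings


if __name__ == "__main__":
    for line in inspect_zip(build_sample_zip()):
        print(line)
```

None of these checks knows anything about Sober; they fire on what a mass-mailer has to ship to get code running on the recipient's machine, so they keep working through the "every few hours" variant churn Eagle9 describes. Encrypted members are flagged rather than skipped because an archive the gateway cannot open is exactly the one a later variant would use.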

To: Eagle9

Thank you for all this info, Eagle. I just switched from Norton to AVG. These things terrify me! I appreciate your time to share this.


40 posted on 11/22/2005 7:50:46 PM PST by DollyCali (Don't tell GOD how big your storm is -- Tell the storm how B-I-G your God is!)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson