Posted on 11/22/2005 5:33:41 PM PST by Eagle9
A new variation of the long-running Sober worm uses extremely effective tactics to trick users into infecting their PCs, security companies said Tuesday, including posing as messages from the FBI and CIA.
Sober.w -- called Sober.x by Symantec, and Sober.z by Sophos and F-Secure -- is spreading rapidly, said security experts, fast enough for vendors to have amplified their threat levels Tuesday. Symantec raised its warning to a "3" in its 1 through 5 scale, the first time since the Zotob outbreak in August that the Cupertino, Calif.-based anti-virus vendor has taken a worm to that threat level.
"The rate of its spread is quite high," said Sam Curry, vice president of Computer Associates eTrust security group, who also called the raw number of infections "still relatively low, but growing."
U.K.-based MessageLabs disagreed with the second half of Curry's estimate, however. "The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months," spokesman Chaim Haas said. By mid-Tuesday, MessageLabs had stopped nearly 3 million copies of the worm from reaching its customers' inboxes.
Sophos, another U.K.-based anti-virus vendor, said that its tallies showed this Sober now accounting for 61 percent of all malware.
Sober.w is the most recent example of the two-year-old Sober family, and shares important characteristics with other variants, including bilingualism (messages arrive in either English or German), address hijacking, and mass-mailing.
Computer Associates' Curry believes the fast spread is due to better-than-average technical skills. "It's using slightly more effective techniques," said Curry, "including running three separate [SMTP] processes. That's becoming somewhat common, because the more simultaneous processes a worm runs, the more copies it can blitz out."
Others, however, credit the enticing bait dangled by the worm for its success. "I just don't see any technical reason why this has popped," said Alfred Huger, senior director of engineering for Symantec's security response team. Instead, he points to the worm's social engineering tricks, which include posing as a message from the CIA or FBI (English), or the Bundeskriminalamt, the German national police agency most like the FBI (German).
These messages, with spoofed return addresses such as "mail@cia.gov" and "admin@fbi.gov," claim that "We have logged your IP-address on more than 30 illegal Websites," and demand that the user open the attached .zip file, which supposedly contains questions to answer.
The FBI, in fact, took the unusual step Tuesday of issuing a statement saying that the messages were bogus. "These e-mails did not come from the FBI," the agency said. "Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner."
"This variant of Sober may catch out the unwary as they open their e-mail inbox," said Graham Cluley, senior technology consultant at Sophos, in a statement Tuesday. "Every law-abiding citizen wants to help the police with their inquiries, and some will panic that they might be being falsely accused of visiting illegal websites and click on the unsolicited email attachment."
Sober's creator or creators are unknown, although suspicions have long placed them in Germany. Recently, the Bavarian state police (Bayerisches Landeskriminalamt) predicted the release of a minor Sober variant the next day, leading to conjecture by security analysts that the police may be on the trail of the hackers. No arrests have been made of anyone accused of writing a Sober worm. The FBI urged users who had received the Sober.w worm to report it to the Internet Crime Complaint Center.
Right. I haven't gotten any virus warnings in the past few months, but I do get a lot of suspicious attachments, which I just delete unopened.
One of my inlaws was using a laptop in our house, and I noticed he kept getting ad popups on his desktop. He is a smart guy, but he hadn't been aware of the spyware situation. I found about 90 spyware programs on his computer, installed programs to detect and delete them, spent about five hours cleaning it, but ran into one program that wouldn't delete for love or money. I even deleted in at the DOS prompt, but it hid in the registry under constantly changing names and came back after reboot.
I told him about HijackThis, and after a few days he managed to clean it up.
I go over my kids' computers once a month or so, because very few people seem to keep on top of these thngs, let alone the innocent grandparents you mention. It's a real pain.
There you go talking about me again...
LOL ! But .. but .. but you're not a new user!
Ahhh ... dodge that with the old "compliment to avoid offending" ploy. Yeah, that's the ticket!
I encountered that corrupt definition file problem. That was bad.
That has been the only trouble I have had w/ Trend.
I've used them for several years. I hate Nortons anything.
Been getting lots of updates, two today.
Experienced that, too.
My wife got that email. She said "what do you think about that?" and I said, "well, do you REALLY think that if we were involved in something important to have the fbi contact us, that they would contact us by email?" she got a real weird look on her face and then burst out laughing. I said "go ahead and click on that zip file attachment" She said, "nothing happened" I said "THAT's why we run linux, babe."
What do you like better about Sygate or Outpost firewall than Zone Alarm?
Also, I'm curious if you feel that a standard router is a good enough hardware firewall.
"What do you like better about Sygate or Outpost firewall than Zone Alarm?
Also, I'm curious if you feel that a standard router is a good enough hardware firewall."
Makes them easier to spot and delete.
Yup...that's them.
The e-mails were all huge...about 75kb. My mcAfee recognized them with a warning.
Today, the number dropped off, and the earthlink server blocked them.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.