New Sober Worm Spoofs FBI, CIA, Spreads Fast
TechWeb News ^ | November 22, 2005 | Gregg Keizer

Posted on 11/22/2005 5:33:41 PM PST by Eagle9

A new variation of the long-running Sober worm uses extremely effective tactics to trick users into infecting their PCs, security companies said Tuesday, including posing as messages from the FBI and CIA.

Sober.w -- called Sober.x by Symantec, and Sober.z by Sophos and F-Secure -- is spreading rapidly, said security experts, fast enough for vendors to have amplified their threat levels Tuesday. Symantec raised its warning to a "3" in its 1 through 5 scale, the first time since the Zotob outbreak in August that the Cupertino, Calif.-based anti-virus vendor has taken a worm to that threat level.

"The rate of its spread is quite high," said Sam Curry, vice president of Computer Associates’ eTrust security group, who also called the raw number of infections "still relatively low, but growing."

U.K.-based MessageLabs disagreed with the second half of Curry's estimate, however. "The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months," spokesman Chaim Haas said. By mid-Tuesday, MessageLabs had stopped nearly 3 million copies of the worm from reaching its customers' inboxes.

Sophos, another U.K.-based anti-virus vendor, said that its tallies showed this Sober now accounting for 61 percent of all malware.

Sober.w is the most recent example of the two-year-old Sober family, and shares important characteristics with other variants, including bilingualism (messages arrive in either English or German), address hijacking, and mass-mailing.

Computer Associates' Curry believes the fast spread is due to better-than-average technical skills. "It's using slightly more effective techniques," said Curry, "including running three separate [SMTP] processes. That's becoming somewhat common, because the more simultaneous processes a worm runs, the more copies it can blitz out."

Others, however, credit the enticing bait dangled by the worm for its success. "I just don't see any technical reason why this has popped," said Alfred Huger, senior director of engineering for Symantec's security response team. Instead, he points to the worm's social engineering tricks, which include posing as a message from the CIA or FBI (English), or the Bundeskriminalamt, the German national police agency most like the FBI (German).

These messages, with spoofed return addresses such as "mail@cia.gov" and "admin@fbi.gov," claim that "We have logged your IP-address on more than 30 illegal Websites," and demand that the user open the attached .zip file, which supposedly contains questions to answer.

The FBI, in fact, took the unusual step Tuesday of issuing a statement saying that the messages were bogus. "These e-mails did not come from the FBI," the agency said. "Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner."

"This variant of Sober may catch out the unwary as they open their e-mail inbox," said Graham Cluley, senior technology consultant at Sophos, in a statement Tuesday. "Every law-abiding citizen wants to help the police with their inquiries, and some will panic that they might be being falsely accused of visiting illegal websites and click on the unsolicited email attachment."

Sober's creator or creators are unknown, although suspicions have long placed them in Germany. Recently, the Bavarian state police (Bayerisches Landeskriminalamt) predicted the release of a minor Sober variant the next day, leading to conjecture by security analysts that the police may be on the trail of the hackers. No arrests have been made of anyone accused of writing a Sober worm. The FBI urged users who had received the Sober.w worm to report it to the Internet Crime Complaint Center.
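The article gives enough of the lure to write a mail-gateway triage rule against it: a From: address at one of the impersonated agencies, the "logged your IP-address" body text, and a .zip attachment that wraps an executable (comment 42 below confirms the zip contained an .exe). The script below is an added example, not code from TechWeb, the quoted vendors or the FBI. It assumes the BKA's domain is bka.de (the article names the agency, not a domain), and the sample message it builds is constructed for the example, not a captured Sober.w mail. It also looks for the 'MZ' executable signature inside zip members, so a renamed payload is caught as well as a plain .exe.

```python
"""Triage an inbound mail for the Sober.w lure indicators described in the article.

Added example, not code from TechWeb, Symantec, Sophos, CA or the FBI.
Indicators: a sender at an impersonated agency domain, the lure wording,
and a .zip attachment carrying an executable. The sample mail is constructed.
"""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

IMPERSONATED_DOMAINS = {"cia.gov", "fbi.gov", "bka.de"}  # bka.de is an assumption
LURE_PHRASES = ("logged your ip-address", "illegal websites")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From: header; empty string when it cannot be parsed."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def zip_executables(payload: bytes) -> list[str]:
    """Names of zip members that would run as a program on Windows.

    Matches by extension, and also by the 'MZ' DOS/PE header so that an .exe
    renamed to something harmless-looking is still reported. A corrupt or
    non-zip payload yields an empty list rather than an exception.
    """
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    found.append(info.filename)
                    continue
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        found.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return found


def triage(raw: bytes) -> dict:
    """Return the indicators matched by one raw RFC 822 message plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"claims_agency_sender": sender_domain(msg) in IMPERSONATED_DOMAINS,
            "lure_text": False, "zip_executables": []}
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    hits["lure_text"] = any(p in text for p in LURE_PHRASES)
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(".zip") or part.get_content_type() == "application/zip":
            hits["zip_executables"] += zip_executables(part.get_payload(decode=True))
    # An agency "sender" plus the lure wording, or any executable inside a zip, is enough
    # to hold the mail; the FBI statement says it sends no such unsolicited e-mail at all.
    suspicious = (hits["claims_agency_sender"] and hits["lure_text"]) or hits["zip_executables"]
    hits["verdict"] = "quarantine" if suspicious else "deliver"
    return hits


def make_zip(member_name: str, data: bytes) -> bytes:
    """Build a one-member zip in memory (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed lookalike of the lure the article describes; not a real capture.

    The attachment is a harmless stand-in: a file whose only executable-like
    property is the two-byte 'MZ' signature, wrapped in a zip as the worm was.
    """
    msg = EmailMessage()
    msg["From"] = "admin@fbi.gov"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "You visit illegal websites"
    msg.set_content("Dear Sir/Madam,\n"
                    "We have logged your IP-address on more than 30 illegal Websites.\n"
                    "Please answer our questions in the attached file.\n")
    msg.add_attachment(make_zip("list.txt.exe", b"MZ" + b"\0" * 62),
                       maintype="application", subtype="zip", filename="question_list.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run stand-alone it triages the constructed sample and reports a quarantine verdict. At a real gateway the same function would be fed each message body from the MTA; the size hint from comments 52 and 53 (the mails were all about 75 KB) could be added as a further cheap pre-filter, but it is deliberately not used here because attachment size changes with every variant.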


TOPICS: Technical
KEYWORDS: email; sober; worm
To: Eagle9

Right. I haven't gotten any virus warnings in the past few months, but I do get a lot of suspicious attachments, which I just delete unopened.

One of my in-laws was using a laptop in our house, and I noticed he kept getting ad popups on his desktop. He is a smart guy, but he hadn't been aware of the spyware situation. I found about 90 spyware programs on his computer, installed programs to detect and delete them, spent about five hours cleaning it, but ran into one program that wouldn't delete for love or money. I even deleted it at the DOS prompt, but it hid in the registry under constantly changing names and came back after reboot.

I told him about HijackThis, and after a few days he managed to clean it up.

I go over my kids' computers once a month or so, because very few people seem to keep on top of these things, let alone the innocent grandparents you mention. It's a real pain.


41 posted on 11/22/2005 7:54:50 PM PST by Cicero (Marcus Tullius)
[ Post Reply | Private Reply | To 38 | View Replies]

To: Eagle9
I got one yesterday and cox.net didn't flag it as spam. I posted it on a thread. The zip file was an exe. I'm on a Mac so I would have had to enter my password. My address in the header looked like a random spin to me?
42 posted on 11/22/2005 8:08:41 PM PST by tubebender
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

There you go talking about me again...


43 posted on 11/22/2005 8:11:22 PM PST by tubebender
[ Post Reply | Private Reply | To 38 | View Replies]

To: tubebender
There you go talking about me again....

LOL ! But .. but .. but you're not a new user!

Ahhh ... dodge that with the old "compliment to avoid offending" ploy. Yeah, that's the ticket!

44 posted on 11/22/2005 8:21:50 PM PST by Eagle9
[ Post Reply | Private Reply | To 43 | View Replies]

To: getmeouttaPalmBeachCounty_FL

I encountered that corrupt definition file problem. That was bad.
That has been the only trouble I have had w/ Trend.
I've used them for several years. I hate Nortons anything.

Been getting lots of updates, two today.


45 posted on 11/22/2005 8:28:35 PM PST by Vinnie
[ Post Reply | Private Reply | To 37 | View Replies]

To: Vinnie

Experienced that, too.


46 posted on 11/22/2005 8:49:27 PM PST by getmeouttaPalmBeachCounty_FL (Undocumented border patrol agent.)
[ Post Reply | Private Reply | To 45 | View Replies]

To: All
Things you need--(all FREE)
Anti-Virus
AVG Anti-Virus version 7 (free) release available...
Avast
Firewall
Kerio (Direct Download) Zone Alarm
If you are using Zone Alarm it may slow your PC. Try Outpost Firewall http://www.agnitum.com/products/outpost or Sygate Firewall http://www.sygate.com/ both have FREE and Pro versions and are heads above ZA.
Misc.
IE Spyads SpywareBlaster Spyware Guard
Windows Update- you must keep updated, it is the start of a secure system-
get all CRITICAL Updates

Things you want (Still Free)

Get Firefox I use Firefox. Click the link and give it a try.

Ad-Aware
Spybot S&D
SpywareBlaster
MS MVP Hosts file
Mike Lin's Homepage and get the Startup Control Panel and Startup Monitor tools.

The best forum for malware removal:
-SWI Forums-

 
http://www.freerepublic.com/focus/f-news/1315720/posts
 Microsoft Releases Anti-Spyware Beta 1 To Public Today.
Microsoft.com ^
 
=================================================
 
 
 
Browser Wars, take two
various FR links | 12-22-04 | The Heavy Equipment Guy
http://www.freerepublic.com/focus/f-news/1306815/posts

...and let your compiler of links drop out of Lurk & Link mode for comment and advice:


Keep your OS updated & patched.

Run a hardware firewall-- with today's LAN's, it's easy. You need a hardware firewall.


47 posted on 11/23/2005 12:15:39 AM PST by backhoe (The Silence of the Tom's ( Tired Old Media... ))
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

48 posted on 11/23/2005 6:33:58 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

My wife got that email. She said "what do you think about that?" and I said, "well, do you REALLY think that if we were involved in something important enough to have the FBI contact us, that they would contact us by email?" She got a real weird look on her face and then burst out laughing. I said "go ahead and click on that zip file attachment." She said, "nothing happened." I said "THAT's why we run Linux, babe."


49 posted on 11/23/2005 9:24:05 AM PST by chronic_loser (Handle provided free of charge as flame bait for the neurally vacant.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe

What do you like better about Sygate or Outpost firewall than Zone Alarm?

Also, I'm curious if you feel that a standard router is a good enough hardware firewall.


50 posted on 11/23/2005 9:41:01 AM PST by JeffAtlanta
[ Post Reply | Private Reply | To 47 | View Replies]

To: JeffAtlanta

"What do you like better about Sygate or Outpost firewall than Zone Alarm?
Also, I'm curious if you feel that a standard router is a good enough hardware firewall."



I run older machines, and Zone Alarm seemed to slow them more- might not be a problem with a hot ( gigahertz ) PC.

I use an Asante' FR1004, which has firewalls in both directions- in & out. Far as I know, all modern routers double as firewalls- just be sure to change the password from the default, and poke around the internal settings to be sure WAN ( wide area network ) hasn't been enabled by default.

A more detailed and technical explanation can be found at Gibson Research:

http://grc.com/default.htm


51 posted on 11/23/2005 4:51:19 PM PST by backhoe
[ Post Reply | Private Reply | To 50 | View Replies]

To: Ethrane
I've been getting a bunch too, but in the junk mail folder. Didn't recognize any of the senders, and they were all 75Kb.

Makes them easier to spot and delete.

52 posted on 11/23/2005 8:00:38 PM PST by Calvin Locke
[ Post Reply | Private Reply | To 12 | View Replies]

To: Calvin Locke

Yup...that's them.

The e-mails were all huge...about 75kb. My McAfee recognized them with a warning.

Today, the number dropped off, and the earthlink server blocked them.


53 posted on 11/23/2005 8:32:55 PM PST by Ethrane ("semper consolar")
[ Post Reply | Private Reply | To 52 | View Replies]
