Free Republic
Profile of the Superworm: SoBig.E Exposed
TechNewsWorld ^ | Jack M. Germain

Posted on 08/19/2003 5:14:40 PM PDT by Hal1950

The latest variant of the SoBig lineage has multiple infection vectors and hidden exploit channels. For example, spam normally represents 30 to 60 percent of daily e-mail volume on the Internet. The new capabilities embedded in the SoBig.E worm will increase that volume by a factor of 10.

The SoBig.E worm, released two months ago on the Internet, continues to spread from unprotected computers. Some Internet security analysts fear that this latest variant of the SoBig family -- much like possible future variants of the new Microsoft Blaster or LovSan worm that began to proliferate early this week -- will cause long-term threats to Internet security.

Unlike the rather simple Blaster worm that takes advantage of a vulnerability in Microsoft's operating system, the SoBig.E worm's unique design includes a maintenance channel for future updates and a back door that can provide hackers with access to infected machines. The worm spreads via e-mail and shared files over networks.

SoBig.E itself does little harm to infected computer systems. Its biggest threat is the security hole it creates in infected PCs and networks. It also has the ability to open ports so that spammers can use infected systems as mail relays.

"SoBig.E is the first worm to use hacking technology wrapped around a spam delivery engine," William Hancock, vice president and chief security officer for Cable & Wireless (NYSE: CWP), told TechNewsWorld.

Some analysts do not think the effects of the SoBig.E worm will fade anytime soon. Although the source code has timed out -- meaning the most recent iteration of the worm is no longer proliferating on its own -- many hackers now have access to compromised systems in almost every corner of the Internet.

Jerry Brady, CTO of Guardent, told TechNewsWorld that hackers have been much more active in exchanging information about the SoBig.E source code than they have with other variants. Great potential for harm lies in the worm's built-in software maintenance channel, which hackers can easily use to reverse engineer the code and release the worm again.

Brady said the multiple infection vectors in SoBig.E give this worm a much more virulent means of spreading than previous generations of SoBig. Its primary point of attack is file sharing, which gives it the ability to propagate quickly on corporate networks. Its secondary attack vector is e-mail systems.

The worm's ability to cull local files on infected PCs adds to its spreadability. And if you add to all of these capabilities the fact that many users are not well educated about safe computer practices, it seems likely that the SoBig.E worm will be dangerous for many years to come.

Worm Melee

Many PC users on networked computers are more vulnerable because they leave certain channels exposed. Once a network system is infected with SoBig.E, the worm searches for connected machines to copy itself to startup folders.

"This [stage of the infection process] will fail unless users are sharing their Windows directories with write access turned on," Mikko Hermanni Hyppönen, director of anti-virus research for Finland-based F-Secure, told TechNewsWorld. "[Granting write access] is something that should never be done."

Knowing the sender of a message is no safeguard against infection. "SoBig.E is capable of spoofing familiar addresses," Dee Liebenstein, a product manager with Symantec Security Response, told TechNewsWorld. "People have to think before opening an attached file, whether they know the sender or not -- and they need updated virus definitions."

Analysts agree that a good portion of the threat from the SoBig.E Worm could have been mitigated by rigorous maintenance of virus scanner definitions and carefully applied settings on firewall software.

Annelida Tactics

SoBig.E constructs outgoing messages using its own mail engine -- based on the Simple Mail Transfer Protocol (SMTP) -- and sends the infecting code in an attached ZIP archive. Compressing the infection into a ZIP file gives the worm the ability to sidestep extension- or executable-blocking rules in recipients' e-mail programs. The worm cannot infect a computer unless the user actually decompresses the ZIP file and runs the malicious program.

Once the user activates the code, the worm finds new victims in the infected machine's address book and uses its own SMTP engine to send those new addresses the same attached ZIP file. The worm searches through files in the infected machine, looking specifically for files that contain e-mail addresses.

You can spot a potentially infected file by noting two mail message characteristics. The body of the message will contain the following sentence: "Please see the attached zip file for details." The attachment line will read "Your_details.zip." The file inside the ZIP archive is called "details.pif."

Users also should be wary of attached files with a ".ZI" extension. The worm can create an outgoing message with the closing quotation mark missing. Some e-mail programs drop the final letter of the extension as a result.
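The three message characteristics above (the lure sentence, the "Your_details.zip" attachment name, and the "details.pif" file inside the archive), plus the truncated ".ZI" extension, are enough to write a simple mail-gateway check. The following is an added example, not code from the article or from any vendor's scanner: it parses raw messages with Python's standard email library, inspects any ZIP attachment in memory, and reports which indicators were found. The sample messages are constructed inline (the attached archive contains a harmless text file under the worm's file name) so the script runs offline; a real deployment would feed it messages from the mail spool instead.

```python
"""Flag messages carrying the SoBig.E indicators described in the article.

Added example: the indicator strings come from the article; the sample
messages and the build_sample() helper are constructed for demonstration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted in the article (compared case-insensitively).
LURE_BODY = "please see the attached zip file for details."
LURE_ATTACHMENT = "your_details.zip"
LURE_INNER_FILE = "details.pif"


def zip_member_names(data):
    """Return the member names of a ZIP payload, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def sobig_e_indicators(raw):
    """Return the set of SoBig.E indicators present in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = set()

    # 1. The lure sentence in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_BODY in body.get_content().lower():
        found.add("lure_body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # 2. The attachment name used by the worm.
        if name == LURE_ATTACHMENT:
            found.add("attachment_name")
        # Edge case from the article: the worm sometimes omits the closing
        # quote, and some clients then drop the last letter of ".zip".
        elif name.endswith(".zi"):
            found.add("truncated_zi")
        # 3. The .pif program inside the archive, checked without extracting
        #    anything to disk.
        if name.endswith((".zip", ".zi")):
            members = [m.lower() for m in zip_member_names(part.get_payload(decode=True))]
            if LURE_INNER_FILE in members:
                found.add("inner_pif")
            elif any(m.endswith(".pif") for m in members):
                found.add("inner_pif_other")
    return found


def build_sample(lure=True, attach_name="Your_details.zip", inner_name="details.pif"):
    """Construct a sample message mirroring the article's description (hypothetical data)."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Re: Details"
    msg.set_content(
        "Please see the attached zip file for details." if lure else "Minutes from today attached."
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless placeholder text stored under the worm's inner file name.
        zf.writestr(inner_name, "placeholder text, not an executable")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "textbook SoBig.E lure": build_sample(),
        "truncated .zi extension": build_sample(attach_name="Your_details.zi"),
        "benign zip attachment": build_sample(lure=False, attach_name="minutes.zip", inner_name="minutes.txt"),
    }
    for label, raw in samples.items():
        hits = sobig_e_indicators(raw)
        verdict = "QUARANTINE" if hits else "pass"
        print(f"{label:28s} {verdict:10s} {sorted(hits)}")
```

Any single indicator is enough to quarantine here, since each one is specific to this worm; the truncated-extension case matters because a filter that only matches "*.zip" or "*.pif" would let the ".ZI" variant through.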

Once activated by opening the infected file, the worm copies itself to the file "winssk32.exe" and creates two Windows Registry values so that the infected application will run when Windows restarts. Additionally, the worm can create a file called "MSRRF.DAT," which some analysts have said is one of the ways the malware allows its creators to upgrade and maintain activity in infected systems.

Effects of the Worm

Hancock said the backdoor that SoBig.E creates is the primary purpose of the worm. When the worm rampantly spreads, the traffic it generates can slow down networks -- much like the Microsoft Blaster worm -- but the SoBig.E worm gives remote attackers the ability to download and run files on an infected system.

Ultimately, the ability to hijack systems to create spam and other Internet mayhem will continue to have a major impact on the communications industry, Hancock said. In a normal day, his company e-mail volume is between 100,000 and 200,000 messages. Because of SoBig.E, he estimates that over the next three months, volume will spike to 1 million messages per day.

Generally speaking, spam normally represents 30 to 60 percent of daily e-mail volume on the Internet. "The new capabilities in SoBig.E will increase that volume by a factor of ten," said Hancock.

Perhaps the most likely way this could happen is through uneducated PC users who do not know that their computers have been hijacked by the worm's code. These users unwittingly allow their computers to be used as a conduit for file exchanging and spam relaying. Such abuses can just as easily crash a single user's computer as they can an entire corporate network, concluded Hancock.

No End in Sight

The SoBig.E worm might well be the ticket to the promised land for both hackers and spammers -- and both groups stand to profit from it. "Revenue is driving the use of this worm," Hancock said. "As long as there is a source of revenue for spam, this sort of activity will continue."

Hancock said there is no easy solution to the kind of attacks posed by the SoBig.E worm as long as existing Internet protocols remain unchanged. The Internet is using protocols designed in the 1970s, he said, warning that today's millions of Internet users are relying on a system that has no built-in protocol for security measures.

The entire SoBig worm family is linked by a unique trait. The original worm writer created an expiration date on each variant and kept releasing new variants when the old one stopped spreading. SoBig.E -- which continues to spread despite its expiration date -- seems to have broken that trend. The anticipated SoBig.F has not yet appeared.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Foreign Affairs; Front Page News; Government; News/Current Events
KEYWORDS: computervirus; lowqualitycrap; microsoft; sobige; techindex; windows; worm

1 posted on 08/19/2003 5:14:41 PM PDT by Hal1950

To: Hal1950
Once again, problems. Once again, Microsoft. Once again, an extremely easy security hole. Once again Microtrash will simply continue to shovel in the $$ of the sheep.

L - U - N - I - X
2 posted on 08/19/2003 5:18:18 PM PDT by TLI (...........ITINERIS IMPENDEO VALHALLA..........)

To: TLI
linux????
hey Im tired... I work in a call center and have been dealing with this all day
also there is ANOTHER ONE.....
W32.WELCHIA.WORM
3 posted on 08/19/2003 5:20:20 PM PDT by TLI (...........ITINERIS IMPENDEO VALHALLA..........)

To: Hal1950
"SoBig.E is capable of spoofing familiar addresses,"

No doubt. I get the webmaster account at my company and I'm receiving dozens of emails an hour that had webmaster listed as the return address.

What's amusing about it is that they are stripped of the .pif attachment, but there's info in the headers that there is an attachment in the email. So I get a lot of paperclip icons but no attachment. Threw me for a second.
4 posted on 08/19/2003 5:20:49 PM PDT by lelio

To: Hal1950

This SoBig virus is a major pain in the butt. I got sent the thing 3 or 4 times yesterday, and a half-dozen times already today. The little Norton box pops up and makes it go away before I even see it, but I have to click on the damned thing every time it shows up. That virus must really be getting around.


5 posted on 08/19/2003 5:21:53 PM PDT by Nick Danger (Time is what keeps everything from happening at once)

To: Hal1950
Something tells me that, behind my firewall and anti-virus, my non-MS email client is that "extra bit of protection".

Pegasus Mail, my friends: better than Outlook because it's FREE and it's not Outlook!

--Boris

6 posted on 08/19/2003 5:47:08 PM PDT by boris (Education is always painful; pain is always educational.)

To: Nick Danger
I must be one of the lucky ones. Between Zone Alarm Pro and Norton Antivirus, I haven't seen a thing *knocks on the wooden entertainment center right next to her* *LOL*
7 posted on 08/19/2003 5:47:16 PM PDT by Severa (Wife of Freeper Hostel, USN STS3(SS))

To: TLI
So if your dreams come true and MS is dethroned, who will the next likely target be? LINUX....
8 posted on 08/19/2003 5:50:34 PM PDT by Camel Joe (Proud Uncle of a Fine Young Marine)

To: boris; *tech_index; Salo; MizSterious; shadowman99; Sparta; freedom9; martin_fierro; ...
Got to look at that Pegasus.

OFFICIAL BUMP(TOPIC)LIST

9 posted on 08/19/2003 6:05:42 PM PDT by Ernest_at_the_Beach (All we need from a Governor is a VETO PEN!!!)

To: Hal1950
"SoBig.E worm might well be the ticket to the promised land for both hackers and spammers -- and both groups stand to profit from it.

"Revenue is driving the use of this worm," Hancock said. "As long as there is a source of revenue for spam, this sort of activity will continue."

Bingo. Kill spam period. Then all unwanted traffic is illegal.
10 posted on 08/19/2003 6:29:41 PM PDT by txzman (Jer 23:29)

To: Hal1950
So far, no one ever broke into my mainframe.
11 posted on 08/19/2003 6:32:31 PM PDT by djf

To: txzman
Bingo. Kill spam period. Then all unwanted traffic is illegal.

But if you ban spam then you're only taking spam out of the hands of law-abiding citizens, giving us no defense against illegal spammers.

hehe..jk

12 posted on 08/19/2003 6:33:59 PM PDT by PropheticZero

To: boris
The worm searches through files in the infected machine, looking specifically for files that contain e-mail addresses.

Do Pegasus files not contain email addresses?

13 posted on 08/19/2003 6:49:02 PM PDT by Leroy S. Mort

To: Hal1950
Does this have anything to do with Tupac ?
14 posted on 08/19/2003 6:50:43 PM PDT by cmsgop (If you Sprinkle When You Tinkle,...Be a Sweetie and Wipe the Seatie......)

To: cmsgop
bump
15 posted on 08/19/2003 6:52:21 PM PDT by chiller (could be wrong, but doubt it)

To: boris
Something tells me that, behind my firewall and anti-virus, my non-MS email client is that "extra bit of protection".

Pegasus Mail, my friends: better than Outlook because it's FREE and it's not Outlook!

--Boris

You're right. I wish that Mozilla was a bit more stable, and I'm looking at Thunderbird...

I hope you don't mind, but I posted this in some Yahoo groups that I frequent, after I saw a number of files that had been posted which were infected by SoBig.F.

Please excuse me for going into GEEK MODE, but I feel the need to do this...

Well, this is really important. It seems that a number of people have been posting some files on Yahoo groups, and they're virus files. Don't blame them, they may not know they're doing it... Plus, some virus emails can hide who actually sent them by randomly choosing the "source" from your address book!

NEVER download a file with a PIF extension... Or COM, EXE, VBS, EML, RAR... Hell, the list goes on and on! In fact, unless you know for sure what you're trying to download, "Just Say No!"

Even more important, NEVER, EVER, run a file attachment in an email, even if you know who the sender is!!! The only time you should ever click on an attachment is if you're expecting it! Today, a virus will send itself out to everyone in an infected computer's address book, without the knowledge of the sender!

So if you don't have virus protection, get some, NOW!!!!!

Those files like details.pif and your_details.pif are infected with the w32.sobig.f@mm virus...

Here are some places to visit...

http://www.mcafee.com Mcafee - Network Associates http://www.sarc.com Symantec - Norton http://www.grisoft.com (freeware AV software... Excellent, but because it's free, it doesn't have most of the bells and whistles, like autoupdate. You have to do it manually, unless you buy the advanced version)

http://windowsupdate.microsoft.com for the latest patches

http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp The Microsoft baseline security analyzer... Only for Windows NT, Windows 2000, and windows XP.

http://www.microsoft.com/technet/treeview/?url=/technet/columns/security/essays/10imlaws.asp The 10 laws of Security. Not everything you need to know, but a good start.

http://www.microsoft.com/security/home/beyond_basics.asp A good place to go in general.

http://grc.com Steve Gibson's place... Lots of great diagnostics and utilities. Be sure to get his socketlock, sockettome, shootthemessenger. Lots of stuff to turn off dangerous services, and test for vulnerabilities. Be sure to run the "Shields Up" test to see how vulnerable you are.

If you can afford it, and even if you can't (hell, it's only $60 or so), if you have DSL or a cable connection, YOU NEED A HARDWARE ROUTER/FIREWALL!!!!!!!! Linksys makes a nice one, and they go on sale all the time at Best Buy, CompUSA, Circuit City, and Microcenter. Believe me, they DO HELP TO PROTECT YOU!!!! In the last 30 minutes alone, my firewall has been "probed" 56 times by different worms and trojans... Most of them on port 135, which is the MSBlast worm that shut down the Maryland DMV! But my computer is safe from that and many other attacks, thanks to the firewall.

But nothing will protect you if you do something stupid... So don't run any attachments unless you're expecting them from someone you know.

And PLEASE!!!! If you use Outlook or Outlook Express, be sure to disable the "Preview Pane!" If it's enabled, and you get an email with an embedded virus, simply by highlighting the message **which you have to do in order to delete the message**, you will have already infected your computer before you can delete it!!!! To disable it, go to the View Menu at the top of the screen, select "Layout" and uncheck the "Show Preview Pane" box! If you know who sent you the message, and there's nothing suspicious about it, you can "double click" on the message to read it. If you're not sure, you can right mouse click on the message, to bring up a menu, choose "Properties" then message source to read the raw message. It'll be hard to read, but you will see pretty quickly if it's something that you don't want to open. Again, this WILL NOT launch a virus infection!

I know that there's a "best practices" guide for securing your computer available at http://www.microsoft.com/practices , but I can't seem to find it. When I do, I'll be sure to post it here.

Take it easy,

Mark

16 posted on 08/19/2003 7:18:29 PM PDT by MarkL (Get something every day from the four basic food groups: canned, frozen, fast and takeout)

To: djf
So far, no one ever broke into my mainframe.

Oh, so you're a "Dinosaur Trainer?" How's life in the "Dinosaur Pen?"

Don't hate me... I had a System 370 "Green Card" (yup, the yellow one!), and I remember ONE 360/370 OS assembly command to this day... BALR.

And I do seem to recall that if you submitted a job with a job time of 0, it could crash the system... But it's been too many years... I programmed in assembly language on keypunch!

Mark

17 posted on 08/19/2003 7:26:50 PM PDT by MarkL (Get something every day from the four basic food groups: canned, frozen, fast and takeout)

To: Hal1950
Lots of people have noticed a large spamming volume today, quite possibly associated with this worm.

My amazing luck holds. I have never in all the years I have used computers (a long time) had A) a head crash, or B) a virus escape detection by anti-virus software and cause actual damage to my machine. I have never lost data on a drive. I have lost two machines to lightning strikes, but I was able to install those drives on new machines and retrieve the data without resort to recovery software.

19 posted on 08/19/2003 8:26:33 PM PDT by beckett

To: beckett
A good trick that will help with lightning strikes is to tie a couple of knots in your power cable... like a coil inline... no cost
20 posted on 08/19/2003 8:34:23 PM PDT by ralph rotten