SoBig worm aims to turn PCs into spam machines

Reuters | August 21, 2003

[HAL9000]

Several Internet worms that have besieged computers for over a week played havoc again, including one called Sobig.F, whose aim was to turn PCs into spam machines and was believed to be the fastest-growing virus ever, experts said.

Sobig.F drops software onto infected Windows computers that open them to be used later for distributing Internet spam -- unwanted e-mails and product promotions, experts said. It also represents a new trend in converging e-mail spamming and virus software writing, they said.

"We believe [Sobig.F] has been written by a spammer or spammers" looking for ways to get past spam filters, said Mikko Hypponen, manager of antivirus research for Finnish security firm F-Secure. "For once, we have a clear motive for a virus -- money."

Security experts said it was difficult to ascertain how many computers had been infected by the Sobig.F worm. Worms are viruses that spread through networks.

Internet service America Online Inc., however, said it blocked about 11.5 million copies, while security firm MessageLabs stopped more than 1 million copies within the first 24 hours and dubbed Sobig.F the fastest-growing e-mail virus seen yet.

Sobig.F hit the computing world as corporations were still recovering from several worms that spread through holes in Microsoft Corp.'s Windows operating systems, including the Blaster worm. Also called LovSan, it has infected and crashed hundreds of thousands of computers since last week.

The Welchi, or Nachi, worm, which surfaced on Monday, infected 72,000 computers used by the U.S. Navy and Marine Corps and crippled Air Canada's reservation counters and call centers.

CSX Transportation said yesterday that a virus infection had slowed its dispatching and signal systems, forcing it to halt passenger and freight train traffic, including the morning commuter train service in Washington.

Spam-virus convergence

Sobig.F hit home users particularly hard, experts said. It arrives in an e-mail with an attachment that when opened infects the computer and sends itself on to other victims using a random e-mail address from the address book, making it difficult to trace the worm back to its source.

The SoBig family of worms represents a new trend in the convergence of worm and spam techniques for more widespread and faster deployment, experts said.

Virus writers are using software that spammers employ to send bulk spam messages. Conversely, spammers are starting to use methods incorporated by virus writers to spread their messages and avoid detection, said Brian Czarny, marketing director at MessageLabs.

Previous SoBig versions loaded a program onto infected PCs that broadcast spam to other computers, thus turning the PCs into so-called "spam relays."

Sobig.F downloads a Trojan onto infected computers, which could later be remotely activated to send spam, experts said.

"There are computers scanning the Internet for open relays so spammers can jump from one machine to the next and be able to send millions of spam messages and have them not be traced back to them or be blocked," said Jimmy Kuo, research fellow at antivirus vendor Network Associates Inc.

Sobig.F, which expires Sept. 10, is spreading quickly because it sends multiple e-mails simultaneously and spreads to other computers on a shared network, said experts, who predict there will be another version in the near future.

[netmilsmom]

You know, I got an e-mail from Prayermanager this morning. I had never signed up for these and have tried to unsubscribe. Anyway, this one just said, "The Movie" as an attachment. I blew it out.

Was it a worm?

[Steve_Seattle]

In my opinion, the penalty for Internet sabotage, creating viruses, etc., should be life imprisonment. I am so tired of these smelly little creeps.

[thoughtomator]

Okay, let's reason this out. If the virus is setting up spam relays, have the FBI track down the beneficiaries of the relay (by the totally obvious method of responding to the spam, posing as a customer) and bust them for everything that could possibly stick.

[PoorMuttly]

Muttly want SoBig worm.

Muttly eat Spam...yum !

Can Muttly have more Spam now ?

SoBig worm nice. Muttly WANT !!!

[thoughtomator]

You can be confident that any unsolicited email attachment is an attempt to gain control of your computer. Worm, trojan, virus, or whatever, doesn't really matter once they have control of your machine.

[WayneM]

I vote for execution. Seriously.

[Salo]

Yep.

Was it a worm?

[So Cal Rocket]

Yes... the attachment has shown up as "your details", "your application", "cool screensaver", "the movie"

[jennyp]

Can Muttly have more Spam now ?

It's easy: Go onto a couple newsgroups, post a few messages, and use your real email address in the From: line.

Spam: Slice it up nice & thin, and it's better bacon than bacon. Yum!

[Salo]

BTW, update your virus scanner definitions. This one has been detectable for a few days now.

[RikaStrom]

The movie

Your Details

Wicked ScreenSaver

These are the three that are showing up here. I'm getting tired of deleting the dang things.

[steve-b]

Also, any attempt to evade spam filtering should be treated like any other attempt to gain unauthorized access to other people's computers.

[PoorMuttly]

Will do. Always hungry. Bacon Spam and Bacon a Muttly favorite...especially with cheese...and bird...uh...only joking....cookie...that's it....Muttly call cookie "bird"..

...(did they buy that.....)

[Physicist]

I hope the writer of this worm appreciates that people are routinely killed for sums of money that are a tiny fraction of what he cost probably tens of thousands of people and companies.

I wouldn't kill him, myself, but if his mortal remains turn up in a suitcase somewhere, and somehow I know how they got there, I won't be sharing that knowledge with the police.

[Uncle Hal]

# 3 writes-"In my opinion, the penalty for Internet sabotage, creating viruses, etc., should be life imprisonment. I am so tired of these smelly little creeps." Reply-You are so right. If we put some tough laws on the books and enforce them you will see the amount of spam and viruses drop dramatically.

[Mike Fieschko]

The Welchi, or Nachi, worm, which surfaced on Monday, infected 72,000 computers used by the U.S. Navy and Marine Corps

I thought the Lexington and Ticonderoga took out the



Nachi back in 1944

[browardchad]

I just downloaded an evaluation copy of Mailwasher (firetrust.com), and it's really coming in handy. The setup is fairly easy, but the neat feature is that it accesses incoming mail (from one or multiple accounts) on the server, before it's downloaded. From there, you can choose to view the entire message (photos & attachments are blocked), view just the header, and then either blacklist it (the sender or the entire domain), bounce it back to the sender, delete it, add it to a friends list, or set up a filter for it. You still have to open each mailbox in your e-mail program to download the messages you actually want on your computer, but it prevents spam -- both dangerous and innocuous -- from ever reaching your computer.

[Allegra]

Yes... the attachment has shown up as "your details", "your application", "cool screensaver", "the movie"

Been getting those all day. I've also been getting a bunch on "Mail Undeliverable" messages with those titles. My computer must be sending out spam.

[HAL9000]

The setup is fairly easy, but the neat feature is that it accesses incoming mail (from one or multiple accounts) on the server, before it's downloaded.

That is a good feature. If your ISP has a web mail interface, it can be used to screen mail too.