Search This Blog

Thursday, November 24, 2005

New Sober.Y variant is 2005 largest email worm outbreak

If you get a message from FBI or CIA or anyone, that looks like this
Examples of such messages include:

Dear Sir/Madam,
We have logged your IP-address on more than 30 illegal Websites.
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-

and has an attachment file in zip format or any other format, please delete the mail. DO NOT OPEN IT.

The first Sober was found in October 2003, over two years ago. F-Secure believes all 25 variants of this virus have been written by the same individual, operating from somewhere in Germany. Unlike most of the other widespread viruses nowadays, Sober doesn't seem to have a clear financial motive behind it.

Some Sober variants have displayed neo-nazi messages, but the latest version of the virus (Sober.Y) does not do this. However, all Sober variants send German messages to German email addresses and English messages to other addresses.

Several millions of emails infected with Sober.Y have been seen by Internet operators over the last hours.

MessageLabs has so far intercepted over 2.7-million copies of the new Sober virus, many of which are being spoofed to appear as though they are sent from the FBI or the CIA. The first copy was stopped on 21st November. The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months.

These emails suggest to recipients that their Internet use has been monitored by the FBI or CIA and that they have accessed illegal Web sites. The email directs users to open the ZIP attachment containing the executable, which once opened delivers the Sober virus payload. It then spreads by searching the infected computer for other email addresses to send copies of itself to, but ignoring any domains for certain security organizations, including MessageLabs.

The virus will send emails in German for domains ending .DE or .AT and a few others, with the remainder being sent in English. It seems that despite warnings, many recipients are still opening the emails allowing the virus to spread still further.

Since the virus first struck on Monday 21st November, the amount of viruses being sent per hour has approximately tripled, indicating that this particular strain of Sober virus has been written to rapidly exploit the so-called ‘zero hour’ holes in anti-virus security software (the time before anti-virus software writers have prepared and distributed an update to repair infected PCs).

Email Systems has noted that there are currently approximately thirty times the usual quantity of virus infected emails being sent and received online. This new virus has doubled email traffic in 24 hours.

Neil Hammerton, CEO of Email Systems, commented: “This is one of the worst viruses to strike in some time, spreading extremely rapidly. Although AV updates are actually now available from the major software vendors, it seems as though this particular variant managed to quickly grab a sufficiently large foothold to continue to propagate once the fixes were unveiled. Again this serves to underline the importance of using a specialist managed service for corporate email as users experience no zero hour syndrome as with AV software, given that our systems are specifically designed to continually check for virus-like activity and block infected emails before they reach the users’ network or PC.”

One of the reasons why this email worm seems to be so successful in spreading is that some of the messages it sends are fake warnings from FBI, CIA or from the German Bundeskriminalamt (BKA).

"The numbers we're now seeing with Sober.Y are just huge", comments Mikko Hypponen, Chief Research Officer at F-Secure Corporation. "This is the largest email worm outbreak of the year - so far!"

No comments: