×
We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.

Sobig-F Overruns Networks, Email Traffic

Download our in-depth report: The Ultimate Guide to IT Security Vendors

The latest variant of the Sobig worm is hammering corporate networks, crashing emailservers, staggering Internet traffic and accounting for 70 percent of all email today, according to security analysts.

They also say Sobig-F, which was first detected Monday afternoon, is topping offwhat is being called the worst worm week in history.

"This is unbelievable," says Steve Sundermeier, vice president of products and services atCentral Command Inc., an anti-virus company based in Medina, Ohio. ''We have never seen thissort of activity before... Sobig-F is causing substantial impact on business right now.Almost three out of every four messages will be Sobig or it will be a failed deliverymessage generated by Sobig.''

And Sundermeier says that's not even the worst of it.

''Usually with mass-mailing viruses, you have a peak day early on,'' adds Sundermeier.''We're not seeing any significant degradation right now. We haven't even hit the peak yet.That's the really bad news.''

Sobig-F is a mass-mailing worm that also can spread via network shares, according to Sophos,Inc., an anti-virus company based in Lynfield, Mass. When it arrives via email, the wormposes as a .pif or .scr file. The sender's address is spoofed. The subject lines used aretaken from a list, including 'Re: That movie', 'Re: Wicked screensaver', 'Re: Approved' and'Your details'.

In fact, the worm has falsely implicated Jupitermedia Corp. , the parent of this Web site, by forging e-mail headers listing admin@internet.com as the sender. Jupitermedia is working with law enforcement authorities in an attempt to stop the worm. (For more details, see this related story.)

Security experts say Sobig-F, which is just the latest in the malicious family of Sobigworms, is hitting the Internet so hard because it is building on the impact of its Sobigpredecessors.

Sundermeier explains that earlier variants of Sobig have infected computers and thendownloaded Trojans to set the machines up to be hidden proxy servers. ''The author has ahuge army now for the next seeding,'' he says. ''Every Sobig variant becomes bigger andbigger, and we believe it's because of this army he's building of infected machines.''

Sobig-F is designed to die out on Sep. 10. That's leading many analysts to suspect that thenext variant will hit on Sep. 11 or soon after. And if that variant builds on the malicioussuccess of Sobig-F, then the damage could be even worse.

''Sobig-F has quickly become the most widespread virus in the history of email worms andit's spreading very rapidly,'' says Ken Dunham, malicious code intelligence manager withReston, Va.-based iDefense, Inc. ''Corporate networks are just being blasted with a ton ofemails, forcing them to be very aggressive with gateway and content-based filters. Asservers are busy processing all the extra email, it affects their ability to get legitimateemail to people.''

Dunham notes that there have been more than 1 million interceptions of the worm in the last24 hours. The average significant worm will get 10,000 to 50,000 interceptions in a day.

''I've never seen anything like this,'' says Dunham.

Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus company based inLynfield, Mass., says Sobig-F is just capping off an extremely bad string of viruses.

The Blaster worm, which exploited what could be the most widespread Windows vulnerability,first hit on Monday, Aug. 11. Blaster had IT managers hopping to patch up holes when severalvariants of it hit in the next few days. Then Graybird-A, a backdoor Trojan, appeareddisguised as a patch for the Windows vulnerability that Blaster had been exploiting. Afterthat, Nachi-A and Dumaru-A both hit.

''This has just been the worst worm week ever,'' says Belthoff. ''Worms this past week havecaused incredible slowdowns, if not complete disruption of networks... All you need is a fewinfections to shut down an entire mail system.''

Submit a Comment

Loading Comments...