Sobig 'Carpet Bombs' the Internet

Sobig-F, which has been causing chaos on corporate networks the past three days, is now being called the fastest spreading virus in the industry's history.

"It was a carpet bombing," says Chris Belthoff, a senior security analyst with Lynnfield, Mass.-based Sophos Inc., an anti-virus company. "We're judging this to be the fastest spreading worm ever, even surpassing Klez and LoveBug. This is really just a complete swamping, or inundation, of networks... Companies are having their email systems taken down because of the sheer volume of emails they're getting. It's a slow down, then a slow to a crawl and then just being taken offline."

Sobig-F, which first appeared this past Monday as the latest member of the malicious Sobig virus family, hit the Internet hard, flooding email servers and inboxes. Corporate networks staggered under the barrage with network access slowing to a crawl, and some email systems being taken temporarily offline to stop the siege.

AOL saw email traffic nearly quadruple yesterday, according to Nicholas Graham, an AOL spokesman. Graham says AOL scans email attachments at the gateway, checking for viruses. On an average day, the ISP scans approximately 11 million attachments. On Wednesday, the staff scanned 40.5 million email attachments and found 23.7 of those to be infected with viruses. Of those, 23.2 million were infected with Sobig-F.

"People are just getting pummeled, either with the virus or with notifications," says MJ Shoer, president and chief technology officer of Jenaly Technology Group, Inc., an IT provider and consultant based in Portsmouth, N.H. "We're just getting beaten on. One of our clients is seeing a 90 percent increase in email messages. In the case of my mailbox, it's close to 70 percent. And I have a firewall, a spam and content filter and anti-virus."

And Shoer says the virus attack is bringing regular work to a standstill.

"It's rendered IT staffs useless," he adds. "They're just flooded. If there was going to be a rollout or something, it's just not getting done. We're putting off everything that was a high priority."

Shoer also noted that he talked to an IBM engineer on Wednesday who wasn't able to offer him customer service because his email was down. Security analysts verified IBM's troubles but the company could not be reached for comment and its Web site was unresponsive Wednesday afternoon.

"A lot of corporations and universities had to literally shut down their email networks because of the huge volume of traffic of inbound Sobig emails and bounced email messages," says Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio. "If you're talking about a large corporation -- a Fortune 100 or a Fortune 200 -- and you take down an email system for an hour, it could cost that corporation a million dollars."

But three different security experts say the Sobig-F assault seems to have peaked yesterday afternoon, when the malicious email was accounting for at least 70 percent of all email flowing around the world. Today, the number is still high but most estimate that it has dropped down into the 60 percent to 70 percent range.

Sophos' Belthoff says the virus, which is a mass-mailing worm that also can spread via network shares, hit the Net so hard so quickly because of the spam-like spreading technique that the author used.

"They carpet bombed the Internet and played the numbers game," says Belthoff. "There were just millions of copies out there hitting the Internet all at the same time. It's a matter of sending out enough copies so that somebody will click on it. When you send out that many, even a small percentage of a response is going to make for a successful virus."

But other security analysts say the virus is hitting the Internet so hard because it is building on the impact of its Sobig predecessors.

Sundermeier explains that earlier variants of Sobig have infected computers and then downloaded Trojans to set the machines up to be hidden proxy servers. "The author has a huge army now for the next seeding," he says. "Every Sobig variant becomes bigger and bigger, and we believe it's because of this army he's building of infected machines."

Sobig-F is designed to die out on Sep. 10. That's leading many analysts to suspect that the next variant will hit on Sep. 11 or soon after. And if that variant builds on the malicious success of Sobig-F, then the damage could be even worse.

AOL's Graham says they are already planning defenses for the next Sobig attack. "We're already gearing up for the next variant, Sobig-G, if you will," he says.

When the worm arrives via email, it poses as a .pif or .scr file. The sender's address is spoofed. The subject lines used are taken from a list, including 'Re: That movie', 'Re: Wicked screensaver', 'Re: Approved' and 'Your details'.
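The two observable traits the article gives for the worm's mail (a .pif or .scr attachment and a subject line drawn from a short fixed list) are exactly what a gateway scanner of the kind AOL describes above keys on. The following is an added example, not code from the article or from any of the vendors quoted: a small Python filter that parses a message with the standard library's `email` module, checks attachment filenames and the subject against those traits, and tallies how many of a batch were flagged. The three sample messages, their addresses and attachment filenames are constructed for the demo; the 16 zero bytes standing in for an attachment body are not worm code.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines the article says Sobig-F draws from a fixed list.
SOBIG_SUBJECTS = {
    "Re: That movie",
    "Re: Wicked screensaver",
    "Re: Approved",
    "Your details",
}

# Attachment extensions the article says the worm poses as.
RISKY_EXTENSIONS = (".pif", ".scr")


def attachment_names(msg):
    """Collect the filename of every MIME part that carries one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_message):
    """Return the reasons a message matches the Sobig-F traits (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    names = attachment_names(msg)
    reasons = []
    risky = [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        reasons.append("executable attachment: " + ", ".join(risky))
    if subject in SOBIG_SUBJECTS:
        reasons.append("subject line from the Sobig-F list: " + subject)
    return reasons


def build_sample(subject, filename):
    """Constructed sample message for the demo (not captured worm traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"  # placeholder address; the real worm spoofs this header
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    # 16 zero bytes stand in for an attachment body; only the filename matters to the filter.
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


# Three constructed messages: both signals, subject only, and a benign control.
SAMPLES = {
    "worm-like": build_sample("Re: Wicked screensaver", "wicked_scr.scr"),
    "subject-only": build_sample("Re: Approved", "report.pdf"),
    "benign": build_sample("Q3 budget", "budget.xlsx"),
}


def gateway_summary(samples):
    """Scan every sample; return per-message reasons plus a flagged/total tally."""
    results = {name: classify(raw) for name, raw in samples.items()}
    flagged = sum(1 for reasons in results.values() if reasons)
    return results, flagged, len(samples)


if __name__ == "__main__":
    results, flagged, total = gateway_summary(SAMPLES)
    for name, reasons in results.items():
        print(f"{name}: {'FLAGGED: ' + '; '.join(reasons) if reasons else 'clean'}")
    print(f"{flagged} of {total} messages flagged")
```

The subject-line check on its own is weak evidence, since 'Re: Approved' is an ordinary business subject; the attachment-extension check is the one that matters, which is why the filter reports each reason separately rather than a single verdict and leaves the blocking policy to the operator.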
