Sobig-A, the first in a run of six variants, hit the wild a year ago today, Jan. 9. Themalicious family would go on to be known as the fastest-spreading and the most financiallydamaging virus in the history of computers. It also one of the earliest pieces of code tomix a virus with spamming.
Sobig-F, which ran rampant across the Internet in August and early September, has gone downin the history books as the most damaging virus to date. It reportedly caused $36.1 billionin damages.
At this point, MessageLabs, an anti-virus company based in New York, has intercepted 737,125copies of Sobig in 183 countries. At its peak, one in every 17 emails stopped by MessageLabscontained a copy of Sobig-F, the most malicious of the variants. By Dec. 1, more than 32million emails containing the virus had been stopped by the company, easily putting Sobig-Fat the head of various Top 10 Viruses list for 2003.
During Sobig-F’s rampage across the Internet, AOL saw email traffic nearly quardruple ,according to an earlier interview with Nicholas Graham, an AOL spokesman. Graham says AOLscans email attachments at the gateway, checking for viruses. On an average day, the ISPscans approximately 11 million attachments. One day during the Sobig-F attack, the staffscanned 40.5 million email attachments and found 23.7 million of those to be infected withviruses. Of those, 23.2 million were infected with Sobig-F.
Sobig is a mass-mailing worm that can also spread via network shares. When it arrives viaemail, the worm poses as a .pif or .scr file. The sender’s address is spoofed. The worm alsohas updating capabilities and will attempt to download updated versions when certainconditions are met.
The Sobig variants were hitting the wild in fairly fast succession. Each variant carriedcode that would kill the virus off on a certain date, specifically limiting the variant’slifecycle. Soon after one variant died off, another one would emerge to take its place,building on the impact of its predecessors.
Earlier variants of Sobig infected computers and then downloaded Trojans to set the machinesup to be hidden proxy servers. With each variant, the author had a bigger army of machinesset up for the next seeding.
After Sobig-F died out on Sept. 10, anti-virus and security experts were waiting with baitedbreath for the next variant, or Sobig-G, to hit within a matter of days. It didn’t, and itstill has yet to hit the wild.
”I am fairly surprised about that,” says Chris Belthoff, a senior security analyst atSophos, Inc., an anti-virus company based in Lynnfield, Mass. ”It could be that the authoror authors of Sobig are running a little scared. It was such a widespread and damagingvirus, and now he has the Microsoft bounty on his head. This person or persons may be lyinglow out of fear. He might have been too successful for his own good.”
Microsoft Corp. announced in November that it is putting a quarter-of-a-million-dollarbounty on the heads of the virus writers behind the highly destructive Blaster and Sobigworms. The rewards are part of a $5 million fund that Microsoft set aside to battlemalicious code and the hackers and spammers behind it.
But just because the author of Sobig may be laying low right now, it doesn’t mean that thesecurity industry isn’t waiting for the next destructive variant to hit.
”We’re always waiting,” says Belthoff. ”We’re always expecting that one day it willappear in our lab. We’re always on guard.”