Another Sober Worm Spreading Quickly
Another version of the dual-language Sober worm hit the Internet mid-day Monday, and by Tuesday was accounting for a stunning 70 percent of all malicious code traffic according to one anti-virus vendor.
Sober.p -- also called Sober.n and Sober.o in the confusing mishmash that's the naming structure of worms and viruses -- is epidemic in Western Europe, said two firms there, Sophos and Kaspersky Labs. Although the worm hasn't made as much headway in the U.S., it's currently the most dangerous new threat on the books, according to Symantec and McAfee, both of which raised their alert warnings to "medium" on Monday afternoon as Sober spread.
"It's currently running at about 70 percent of all mail traffic, worldwide, but it seems to have plateaued," said Ted Anglace, a senior security analyst in Sophos' Boston office. "It's leveling off."
Like earlier Sober variations, this one is bilingual -- it uses both English and German headings and text -- and spreads by mass-mailing copies of itself to addresses it harvests from the machines it infects.
The German versions, which may sport headings such as "Glueckwunsch: Ihr WM Ticket" and "WM-Ticket-Auslosung," often play off European fever for soccer by promising free tickets to next year's FIFA World Cup.
The English editions take more mundane -- and well-traveled -- paths to trick users into opening the attached .zip file. With subject headings such as "Re: Your email was blocked" and "Re:mailing error," Sober.p uses the same social engineering trick of posing as e-mail error messages as earlier iterations.
By packing the worm in an attached .zip file, the writer is hoping to capitalize on some companies' relaxed rules on receiving compressed files. While enterprises regularly filter out other executable file types -- such as .exe and .pif -- because they often harbor malicious code, many still let .zip files through because they're useful in packaging multiple files.
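As an added, defender-side illustration of the gateway gap just described (example code, not from the article or from any vendor it names): a Python check that opens .zip attachments and flags executables hidden inside, either by extension or by the DOS/PE "MZ" header. The extension list, the magic-byte check and the sample message are assumptions constructed for the example.

```python
import io
import os
import zipfile
from email.message import EmailMessage

# Types the article says gateways commonly block already; .zip is not among them.
BLOCKED_EXT = {".exe", ".pif", ".scr", ".com", ".bat"}
PE_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable


def inspect_zip(name, data):
    """Look inside a zip attachment for executables, by name and by magic bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"malformed zip attachment: {name}"]
    out = []
    for info in zf.infolist():
        if os.path.splitext(info.filename.lower())[1] in BLOCKED_EXT:
            out.append(f"executable inside zip {name}: {info.filename}")
            continue
        with zf.open(info) as fh:  # extension may be disguised: check the header
            if fh.read(2) == PE_MAGIC:
                out.append(f"PE header inside zip {name}: {info.filename}")
    return out


def gateway_findings(msg):
    """Return the reasons a message should be held; an empty list means pass."""
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if os.path.splitext(name)[1] in BLOCKED_EXT:
            reasons.append(f"blocked attachment type: {name}")
        elif name.endswith(".zip") or data.startswith(b"PK\x03\x04"):
            reasons.extend(inspect_zip(name, data))
    return reasons


def build_sample(inner_name, inner_bytes):
    """Constructed test message (not a captured worm mail) with one zipped file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["Subject"] = "Re: Your email was blocked"  # subject line quoted in the article
    msg.set_content("Your message could not be delivered.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="mail_error.zip")
    return msg
```

The header check catches an executable renamed to a harmless-looking extension, which a filename-only rule misses; nested archives are not unpacked here.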
"Data from ISPs shows that this worm is currently the most common malicious program found in mail traffic," said Moscow-based Kaspersky Labs in an e-mail early morning Tuesday, PDT. "Sober.p has broken records in terms of the number of infected messages sent out and speed of propagation throughout Western Europe (in the Netherlands, Germany, and Hungary, among others)."
But within a few days, said Craig Schmugar, the virus research manager at McAfee, Sober.p should wither away. "Although the numbers for this variant are higher, which may mean it takes a day or two more to die off, I'd be surprised if it was an issue by this weekend."
Anti-virus firms released new signatures to detect and delete the new Sober, or in some cases, crowed that their in-place detection technologies spotted the worm without users needing to update.
Unlike other notable worm families, Sober is relatively benign; for example, it doesn't include any secondary, Trojan horse-like payload, open a backdoor for later communication to the attacker, or even harvest the e-mail addresses it collects.
"Eighteen months ago, this would be the norm," said Schmugar, "but now, we're asking 'is that all there is?' when a worm doesn't have a profit motive."
Not that Sober is harmless. "It's more a nuisance than anything," said Sophos' Anglace, "but there are costs involved with the huge volumes of e-mail that this generates. From a business standpoint, it costs companies bandwidth and direct IT costs to remove infections."
While numerous security analysts have predicted the demise of mass-mailed worms such as Sober, the recent outbreak proves that their death may be, to paraphrase Mark Twain, greatly exaggerated.
"Despite recent claims to the contrary, e-mail viruses are very much alive and well," said Gregg Mastoras, another security analyst with Sophos. "Internet threats require a combination of safe computing practices, including automatic anti-virus protection and updates, a policy of blocking dangerous attachments at the gateway, and user education."
Several free Sober removal tools are available for download from the Web, including ones from Symantec and McAfee.