Sobig 'Carpet Bombs' the Internet

By Sharon Gaudin | Aug 21, 2003
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3066631/Sobig-Carpet-Bombs-the-Internet.htm

The latest variant of the Sobig worm is hammering corporate networks, crashing email servers, and staggering Internet traffic. Yesterday alone it accounted for 70 percent of all email traffic, according to security analysts.

The analysts also say Sobig-F, which was first detected Monday afternoon, is topping off what is being called the worst worm week in history.

"This is unbelievable," says Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio. "We have never seen this sort of activity before...Sobig-F is causing substantial impact on business right now. Almost three out of every four messages will be Sobig or a failed delivery message generated by Sobig."

And Sundermeier says that's not even the worst of it. "Usually with mass-mailing viruses, you have a peak day early on. We're not seeing any significant degradation right now. We haven't even hit the peak yet. That's the really bad news."

Sobig-F is a mass-mailing worm that can also spread via network shares. According to F-Secure, the latest variant of Sobig carries a large attachment (around 70 KB) and has its own SMTP engine, so it does not depend on the victim's mail client or mail server to send itself; it also contains routines to query DNS servers directly and to make Network Time Protocol requests.

When it arrives via email, the worm is an attachment with a .pif or .scr extension, and the sender's address is spoofed. The subject lines are drawn from a fixed list that includes 'Re: That movie,' 'Re: Wicked screensaver,' 'Re: Your application,' 'Re: Approved,' and 'Your details.' The worm also has an update capability and will attempt to download updated versions of itself when certain conditions are met.

Building an Army...for Future Attacks?

Security experts say Sobig-F, which is just the latest in the malicious family of Sobig worms, is hitting the Internet so hard because it is building on the impact of its Sobig predecessors.

Sundermeier explains that earlier variants of Sobig have infected computers and then downloaded Trojans to set the machines up to be hidden proxy servers. "The author has a huge army now for the next seeding," he says. "Every Sobig variant becomes bigger and bigger, and we believe it's because of this army he's building of infected machines."

Sobig-F is designed to die out on Sep. 10. That's leading many analysts to suspect that the next variant will hit on Sep. 11 or soon after. And if that variant builds on the malicious success of Sobig-F, the damage could be even worse.

"Sobig-F has quickly become the most widespread virus in the history of email worms, and it's spreading very rapidly," says Ken Dunham, malicious code intelligence manager with Reston, Va.-based iDefense, Inc. "Corporate networks are just being blasted with a ton of emails, forcing them to be very aggressive with gateway and content-based filters. As servers are busy processing all the extra email, it affects their ability to get legitimate email to people."

Dunham notes that there have been more than 1 million interceptions of the worm in the last 24 hours. The average significant worm will get 10,000 to 50,000 interceptions in a day.

"I've never seen anything like this," says Dunham.

Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus company based in Lynnfield, Mass., says Sobig-F is just capping off an extremely bad string of viruses.

The Blaster worm, which exploited what could be the most widespread Windows vulnerability, first hit on Monday, Aug. 11. Blaster had IT managers hopping to patch up holes when several variants of it hit over the next few days. Then Graybird-A, a backdoor Trojan, appeared disguised as a patch for the Windows vulnerability that Blaster had been exploiting. After that, Nachi-A and Dumaru-A both hit.

"This has just been the worst worm week ever," says Belthoff. "Worms this past week have caused incredible slowdowns, if not complete disruption of networks...All you need is a few infections to shut down an entire mail system."

Sobig-F Targets Jupitermedia

The Sobig-F worm has been particularly painful for Jupitermedia Corp. (the parent of this Web site). The worm has falsely implicated the company by forging e-mail headers that list admin@internet.com as the sender, so every rejection and non-delivery report generated for those messages is returned to Jupitermedia. The company is working with law enforcement authorities in an attempt to stop the worm.

Jupitermedia CTO Mark Berns reports the company has already handled more than 3 million bounced e-mails over the past two days. On a normal day, bounced emails total about 120,000, but Berns says returned mail to the spoofed admin@internet.com address has been a nightmare to deal with.

"[Yesterday alone] we received about one and a half million bounced mails. The anti-virus definitions have been updated to block mails from that address, which is theoretically what they're supposed to do. So, we are being bombarded with the bounces. It is saturating our network and hogging bandwidth.

"It has been all hands on deck here. My team has been working around the clock just to keep our e-mail flowing. This week has been a challenge like none we've seen. It's the worst we've dealt with all the worms," he says, referring to the Blaster and Welchia viruses that slowed enterprise networks to a crawl most of last week.

And, with fears that several new Sobig variants will appear in the future, Berns is resigned to dealing with more headaches in the coming weeks. "Who knows what Sobig.G or Sobig.H will do?"
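Both behaviours the article describes, the canned-subject lure carrying a .pif or .scr attachment and the storm of bounces returned to the forged admin@internet.com address, can be triaged at a mail gateway before they reach mailboxes. The following is an added example, not code from the article, Jupitermedia or any vendor named here; the three messages are constructed samples, and the header checks are assumptions illustrating the approach rather than a published Sobig-F signature.

```python
"""Gateway triage for Sobig-F-style traffic (added example, constructed samples)."""
import email
from email import policy

# Subject lines the article lists for the worm, compared case-insensitively.
SOBIG_SUBJECTS = {"re: that movie", "re: wicked screensaver", "re: your application",
                  "re: approved", "your details"}
WORM_EXTENSIONS = (".pif", ".scr")          # attachment types the worm uses
SPOOFED_LOCAL = {"admin@internet.com"}      # local address the worm forges as sender

def classify(raw):
    """Return 'sobig-f', 'backscatter' or 'clean' for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    # Only a canned subject AND a .pif/.scr attachment together count: the subject
    # alone ("Re: Approved") is an ordinary reply and must not be dropped.
    names = [a.get_filename("") for a in msg.iter_attachments()]
    if subject in SOBIG_SUBJECTS and any(n.lower().endswith(WORM_EXTENSIONS) for n in names):
        return "sobig-f"
    # A delivery-status report addressed to an address we never sent from is
    # backscatter caused by the forged headers, not a bounce of our own mail.
    to = (msg["To"] or "").lower()
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"
            and any(addr in to for addr in SPOOFED_LOCAL)):
        return "backscatter"
    return "clean"

# Constructed samples (not real captures): a worm lure, a bounce, a normal reply.
WORM = ("From: someone@example.com\r\nTo: victim@example.org\r\n"
        "Subject: Re: Wicked screensaver\r\n"
        "Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee the attached file for details.\r\n"
        "--b1\r\nContent-Type: application/octet-stream; name=\"wicked_scr.scr\"\r\n"
        "Content-Disposition: attachment; filename=\"wicked_scr.scr\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n")
BOUNCE = ("From: MAILER-DAEMON@mail.example.net\r\nTo: admin@internet.com\r\n"
          "Subject: Undeliverable: Re: Approved\r\n"
          "Content-Type: multipart/report; report-type=delivery-status; boundary=\"b2\"\r\n\r\n"
          "--b2\r\nContent-Type: text/plain\r\n\r\nThe message could not be delivered.\r\n"
          "--b2\r\nContent-Type: message/delivery-status\r\n\r\nAction: failed\r\n\r\n--b2--\r\n")
BENIGN = ("From: colleague@example.org\r\nTo: admin@internet.com\r\n"
          "Subject: Re: Approved\r\nContent-Type: text/plain\r\n\r\nThanks, go ahead.\r\n")

if __name__ == "__main__":
    for label, raw in (("worm", WORM), ("bounce", BOUNCE), ("reply", BENIGN)):
        print(f"{label:>6}: {classify(raw)}")
```

Run as a script it prints one verdict per sample; in a real gateway the 'backscatter' verdict would drive a quarantine rule rather than a mailbox delivery.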

The Fastest Spreading Virus in History

Sobig-F is now being called the fastest spreading virus in the industry's history.

"It was a carpet bombing," says Sophos Inc.'s Chris Belthoff. "We're judging this to be the fastest spreading worm ever, even surpassing Klez and LoveBug. This is really just a complete swamping, or inundation, of networks...Companies are having their email systems taken down because of the sheer volume of emails they're getting. It's a slow down, then a slow to a crawl and then just being taken offline."

Sobig-F, which first appeared this past Monday as the latest member of the malicious Sobig virus family, hit the Internet hard, flooding email servers and inboxes. Corporate networks staggered under the barrage with network access slowing to a crawl and some email systems temporarily taken off-line to stop the siege.

AOL saw email traffic nearly quadruple yesterday, according to Nicholas Graham, an AOL spokesman. Graham says AOL scans email attachments at the gateway, checking for viruses. On an average day, the ISP scans approximately 11 million attachments. On Wednesday, the staff scanned 40.5 million email attachments and found 23.7 million of those to be infected with viruses. Almost all (23.2 million) of the infected attachments were a result of Sobig-F.

"People are just getting pummeled, either with the virus or with non-delivery notifications," says MJ Shoer, president and chief technology officer of Jenaly Technology Group, Inc., an IT provider and consultant based in Portsmouth, N.H. "We're just getting beaten on. One of our clients is seeing a 90 percent increase in email messages. In the case of my mailbox, it's close to 70 percent. And I have a firewall, a spam and content filter, and anti-virus."

And Shoer reports the virus attack is bringing regular work to a standstill. "It's rendered IT staffs useless. They're just flooded. If there was going to be a rollout or something, it's just not getting done. We're putting off everything that was a high priority."

Shoer also noted that he talked to an IBM engineer on Wednesday who wasn't able to offer him customer service because his own email was down. Security analysts verified IBM's troubles, but the company could not be reached for comment, and its Web site was unresponsive Wednesday afternoon.

"A lot of corporations and universities had to literally shut down their email networks because of the huge volume of traffic of inbound Sobig emails and bounced email messages," reports Central Command's Steve Sundermeier. "If you're talking about a large corporation – a Fortune 100 or a Fortune 200 – and you take down an email system for an hour, it could cost that corporation a million dollars."

But three different security experts say the Sobig-F assault seems to have peaked yesterday afternoon, when the malicious email was accounting for at least 70 percent of all email flowing around the world. Today, while the number is still high, most estimates have it dropping down into the 60 percent to 70 percent range.

Sophos Inc.'s Belthoff says the virus, which is a mass-mailing worm that also can spread via network shares, hit the Net so hard so quickly because of the spam-like spreading technique that the author used.

"They carpet bombed the Internet and played the numbers game," says Belthoff. "There were just millions of copies out there hitting the Internet all at the same time. It's a matter of sending out enough copies so that somebody will click on it. When you send out that many, even a small percentage of a response, is going to make for a successful virus."

AOL's Graham says they are already planning defenses for the next Sobig attack. "We're already gearing up for the next variant, Sobig-G, if you will," he says.