Sobig 'Carpet Bombs' the Internet

The latest variant of the Sobig worm is hammering corporate networks, crashing email servers, and staggering Internet traffic. Yesterday alone it accounted for 70 percent of all email traffic.

By Sharon Gaudin

The latest variant of the Sobig worm is hammering corporate networks, crashing email servers, and staggering Internet traffic. Yesterday alone it accounted for 70 percent of all email traffic, according to security analysts.

The analysts also say Sobig-F, which was first detected Monday afternoon, is topping off what is being called the worst worm week in history.

"This is unbelievable," says Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio. "We have never seen this sort of activity before...Sobig-F is causing substantial impact on business right now. Almost three out of every four messages will be Sobig or a failed delivery message generated by Sobig."

And Sundermeier says that's not even the worst of it. "Usually with mass-mailing viruses, you have a peak day early on. We're not seeing any significant degradation right now. We haven't even hit the peak yet. That's the really bad news."

Sobig-F is a mass-mailing worm that can also spread via network shares. According to F-Secure, the latest variant of Sobig comes with a large attachment (around 70KB) and has its own SMTP engine, as well as routines to directly query DNS servers and make requests using the Network Time Protocol.

When it arrives via email, the worm poses as a .pif or .scr file. The sender's address is spoofed. The subject lines used are taken from a list, including 'Re: That movie,' 'Re: Wicked screensaver,' 'Re: Your application,' 'Re: Approved,' and 'Your details.' The worm also has updating capabilities and will attempt to download updated versions when certain conditions are met.

Building an Army...for Future Attacks?

Security experts say Sobig-F, which is just the latest in the malicious family of Sobig worms, is hitting the Internet so hard because it is building on the impact of its Sobig predecessors.

Sundermeier explains that earlier variants of Sobig have infected computers and then downloaded Trojans to set the machines up to be hidden proxy servers. "The author has a huge army now for the next seeding," he says. "Every Sobig variant becomes bigger and bigger, and we believe it's because of this army he's building of infected machines."

Sobig-F is designed to die out on Sep. 10. That's leading many analysts to suspect that the next variant will hit on Sep. 11 or soon after. And if that variant builds on the malicious success of Sobig-F, the damage could be even worse.

"Sobig-F has quickly become the most widespread virus in the history of email worms, and it's spreading very rapidly," says Ken Dunham, malicious code intelligence manager with Reston, Va.-based iDefense, Inc. "Corporate networks are just being blasted with a ton of emails, forcing them to be very aggressive with gateway and content-based filters. As servers are busy processing all the extra email, it affects their ability to get legitimate email to people."

Dunham notes that there have been more than 1 million interceptions of the worm in the last 24 hours. The average significant worm will get 10,000 to 50,000 interceptions in a day.

"I've never seen anything like this," says Dunham.

Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus company based in Lynnfield, Mass., says Sobig-F is just capping off an extremely bad string of viruses.

The Blaster worm, which exploited what could be the most widespread Windows vulnerability, first hit on Monday, Aug. 11. Blaster had IT managers hopping to patch up holes when several variants of it hit over the next few days. Then Graybird-A, a backdoor Trojan, appeared disguised as a patch for the Windows vulnerability that Blaster had been exploiting. After that, Nachi-A and Dumaru-A both hit.

"This has just been the worst worm week ever," says Belthoff. "Worms this past week have caused incredible slowdowns, if not complete disruption of networks...All you need is a few infections to shut down an entire mail system."

Sobig-F Targets Jupitermedia

The Sobig-F worm has been particularly painful for Jupitermedia Corp. (the parent of this Web site). The worm has falsely implicated the company by forging e-mail headers listing admin@internet.com as the sender. Jupitermedia is working with law enforcement authorities in an attempt to stop the worm.

Jupitermedia CTO Mark Berns reports the company has already handled more than 3 million bounced e-mails over the past two days. On a normal day, bounced emails total about 120,000, but Berns says returned mail to the spoofed admin@internet.com address has been a nightmare to deal with.

"[Yesterday alone] we received about one and a half million bounced mails. The anti-virus definitions have been updated to block mails from that address, which is theoretically what they're supposed to do. So, we are being bombarded with the bounces. It is saturating our network and hogging bandwidth.

"It has been all hands on deck here. My team has been working around the clock just to keep our e-mail flowing. This week has been a challenge like none we've seen. It's the worst we've dealt with all the worms," he says, referring to the Blaster and Welchia viruses that slowed enterprise networks to a crawl most of last week.

And, with fears that several new Sobig variants will appear in the future, Berns is resigned to dealing with more headaches in the coming weeks. "Who knows what Sobig.G or Sobig.H will do?"
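Both the worm traffic described earlier (a subject line drawn from the published list, a spoofed sender, a .pif or .scr attachment) and the bounce flood Jupitermedia describes here are patterns a mail gateway can recognise. The following is an added example, not code from the article or from any vendor it quotes: a small classifier built on Python's standard email package that separates direct worm messages from backscatter bounces addressed to a forged sender such as admin@internet.com. The sample messages, the attachment names and bodies, and the example.net/example.org hosts are constructed for illustration; only the subject list and the spoofed address come from the article.

```python
import email
import email.policy

# Subject lines the article reports the worm drawing from.
SOBIG_SUBJECTS = {"re: that movie", "re: wicked screensaver", "re: your application",
                  "re: approved", "your details"}
WORM_EXTENSIONS = (".pif", ".scr")               # attachment types the worm poses as
SPOOFED_LOCAL_SENDERS = {"admin@internet.com"}   # our mailboxes the worm forges as sender

# Constructed samples: attachment names and bodies are assumptions, not the real payload.
WORM_SAMPLE = b"""From: admin@internet.com
To: victim@example.net
Subject: Re: Wicked screensaver
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="sample_screensaver.scr"
Content-Disposition: attachment; filename="sample_screensaver.scr"
Content-Transfer-Encoding: base64

TVpkdW1teQ==
--b1--
"""
BOUNCE_SAMPLE = b"""From: MAILER-DAEMON@mx.example.net
To: admin@internet.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="r1"

--r1
Content-Type: message/rfc822

From: admin@internet.com
To: nobody@example.net
Subject: Re: Your application
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/octet-stream; name="sample_application.pif"
Content-Disposition: attachment; filename="sample_application.pif"
Content-Transfer-Encoding: base64

TVpkdW1teQ==
--b2--
--r1--
"""
CLEAN_SAMPLE = b"""From: hr@example.org
To: victim@example.net
Subject: Re: Approved
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: application/pdf; name="offer.pdf"
Content-Disposition: attachment; filename="offer.pdf"

TVpkdW1teQ==
--b3--
"""


def _own_parts(msg):
    """Yield msg and its MIME parts without descending into an embedded
    message/rfc822, so a bounce is judged apart from the message it wraps."""
    yield msg
    if msg.is_multipart() and msg.get_content_maintype() == "multipart":
        for sub in msg.get_payload():
            yield from _own_parts(sub)


def _worm_indicators(msg):
    """Reasons a message looks like a Sobig-F mailing, or []. A listed subject
    alone is weak (real mail says 'Re: Approved' too); the attachment is required."""
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SOBIG_SUBJECTS:
        reasons.append("subject on worm list: " + subject)
    for part in _own_parts(msg):
        name = part.get_filename()
        if name and name.lower().endswith(WORM_EXTENSIONS):
            reasons.append("executable attachment: " + name)
    return reasons if any(r.startswith("executable") for r in reasons) else []


def classify(raw):
    """Return (verdict, reasons); verdict is 'worm', 'backscatter' or 'clean'."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = _worm_indicators(msg)
    if reasons:
        return "worm", reasons
    # Backscatter: a delivery-status report to one of our spoofed mailboxes whose
    # enclosed original is the worm. Bounces of genuine mail fall through and are kept.
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        to_hdr = msg["to"]
        rcpts = {a.addr_spec.lower() for a in to_hdr.addresses} if to_hdr else set()
        if rcpts & SPOOFED_LOCAL_SENDERS:
            for part in msg.walk():
                if part.get_content_type() == "message/rfc822" and part.is_multipart():
                    inner = _worm_indicators(part.get_payload(0))
                    if inner:
                        return "backscatter", ["DSN to spoofed sender"] + inner
    return "clean", []


if __name__ == "__main__":
    for raw in (WORM_SAMPLE, BOUNCE_SAMPLE, CLEAN_SAMPLE):
        print(classify(raw))
```

A bounce that wraps a clean original falls through to 'clean', so genuine delivery failures for the spoofed mailbox still reach it; and because a listed subject is not enough on its own, the 'Re: Approved' sample carrying a PDF is also left alone.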


This article was originally published on Aug 21, 2003