Sober worm strikes as FBI, CIA email
Date: November 23, 2005
Source: Red Herring
The Sober email worm that first struck in 2003 has made another comeback through a variant disguised as an email from the U.S. Federal Bureau of Investigation or the Central Intelligence Agency, becoming one of the fastest-spreading security threats in the last 24 hours, security software companies said Tuesday.
The worm is not considered highly dangerous as it does not seek to steal personal or financial information, but it can make infected computers susceptible to future viruses, which could potentially be more worrisome.
The first incidence of the latest Sober variant was detected Monday, said Patrick Hinojosa, chief technical officer of Panda Software, a Spanish security software company.
“Just a few hours after emerging, Sober.AH is already one of the viruses most frequently detected by our online antivirus solution,” he said. “For something that is not an Internet worm but one that infects through email, the spread rate on it is very steep.”
In the last four hours, the worm has accounted for more than 61 percent of all virus and worm threats reported to Sophos, a United Kingdom-based threat management software maker. Sophos said the latest variant of Sober makes it the most prevalent virus spreading across the world.
MessageLabs, another provider of managed email security services to businesses worldwide, has intercepted more than 2.7 million copies of the new Sober mutant since Monday.
The latest Sober variant reaches computers as an attachment to an email message purporting to be a warning from the FBI and advising users they have accessed illegal Internet addresses. The email appears to be sent from the email addresses of [email protected], [email protected], and [email protected].
“This variant of the Sober worm may catch the unwary as they open their email inbox this morning,” said Graham Cluley, senior technology consultant at Sophos. “Every law-abiding citizen wants to help the police with their enquiries, and some will panic that they might be being falsely accused of visiting illegal web sites and want to click on the unsolicited email attachment.”
The worm can send itself in email messages in either English or German depending on the intended recipient’s address. If a user runs the file containing the worm, a window is displayed with a false error message. While this is happening, the worm sends itself to all email addresses it can find on the infected computer.
Terminates Processes
In addition, the worm terminates processes running on the system belonging to certain applications, including some security solutions. Every time it does this, it displays a dialogue box saying that no viruses, Trojans, or spyware were found. The aim is to leave the computer unprotected against future attacks, said Panda Software.
This damage is significantly lower than what could have been possible, said security experts. The Sober variant does not create backdoor entries into an infected computer or steal financial or personal information. Nor does it turn the computer into a zombie that can be used to relay spam.
“It is an email worm without any major payload as far as directly damaging the computer,” said Panda Software’s Mr. Hinojosa. “It creates an infection but the only real damage it does at this point is clogging the communication lines.”
This is in contrast to the trend of “business worms” that security companies have been noticing this year. The Internet worm Zotob, which attacked major corporations in August by exploiting a vulnerability in Microsoft’s Windows operating system, was an example of a new type of malicious software that targets enterprises rather than home users (see Zotob Heralds Business Worm).
“It would have been easy to create a payload on this Sober variant,” said Mr. Hinojosa. “But probably someone wanted to see how fast it could spread and was looking for notoriety rather than any financial gain.”
Orange Alert
Meanwhile, the FBI issued a warning on Tuesday telling users that the worm’s email does not come from the FBI.
“Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited emails to the public in this manner,” the agency said in a statement.
The FBI has said that it is investigating the worm and has asked users receiving these emails to report it to the Internet Crime Complaint Center.
Panda Software has issued an orange alert for the worm; red is its highest alert level.
The Sober worm first surfaced in 2003 and since then has undergone more than 30 variations to become one of the most frequently detected security threats.