In-Depth

Sobig Lives Up to Its Name

It's been a banner month for viruses, as new vulnerabilities were unleashed and others lingered

• By Mathew Schwartz
• 08/27/2003

Though Blaster failed to materialize as a major threat for enterprises, say experts, along came Sobig. Users were deluged with not only e-mails generated by the worms (with the worm included as an attachment), but also e-mails with the subject line “Delivery Status Notification (failure),” bounce-backs from Sobig’s ability to spoof e-mail address “from” headers as it sent itself to others.

Symantec reported that it’s seeing less of Sobig.F than before, at approximately 1,800 “suspicious file” submissions per day. “While Blaster and Welchia primarily impacted large enterprises, Sobig.F is predominately affecting consumers and small businesses,” says Vincent Weafer, a senior director with Symantec Security Response. He advises security administrators to remind end users about “computer security best practices,” and especially “not [to] open attachments unless they are expecting them.”

No matter Sobig’s high profile; Symantec says there have been worse incidents. Klez.H, for example, hit 4,516 submissions per day, peaking two weeks after it was discovered. BugBear.B hit 4,812 submissions per day but peaked after only two days.

Anti-virus provider Central Command, however, cautions that Sobig.F might be gathering a “Trojan cyber army.” In other words, all of those compromised computers might be used for something beyond the worm copying and e-mailing itself far and wide. In particular, once it infects a computer, Sobig.F can download additional software on Fridays and Sundays, between 3AM and 6AM (Eastern U.S. time). That software could include backdoor or remote-control software for fully compromising a computer.

Expect New Variants

Based on previous releases of Sobig, which have the curious habit of deactivating after a preset time—possibly a way for the author to fine-tune the worm and then not have it compete with older versions—expect new variants soon. “If the past repeats itself we could be looking at a newly constructed creation shortly after September 10th. A potential risk is that the massive army created by Worm/Sobig.F could be used to launch an all-out attack on large Internet infrastructures, for example, by means of a Distributed Denial of Service attack (DDoS),” says Steven Sundermeier, vice president of products and services at Central Command Inc.

Internet Security Systems also put out the call for network administrators to help block Sobig.F by blocking the extensive list of servers the worm might try to access and download software. (For the list, see http://xforce.iss.net/xforce/alerts/id/151.)

Finally, the Welchia worm also continues to spread. The worm exploits both the Microsoft DCOM/RPC vulnerability (discussed last week) as well as the WebDAV vulnerability. It searches for computers that need the DCOM/RPC patch, then downloads it from the Microsoft site, installs it, and reboots the computer. Ironically, though it fixes the system, it then propagates. Due to its aggressive look for other infected machines, network performance often suffers.

Symantec reports that at least several large enterprise networks have been disrupted—flooded by the sheer traffic generated by SoBig and Welchia. In a statement, Symantec says that “deployment of the security patch in large, geographically dispersed environments is expected to take weeks to months.” Symantec also recommends multiple layers of security as a way of better safeguarding against worms such as Blaster and Welchia, since not only the worm, but its byproduct, can seriously endanger enterprise networks and worker productivity.