COMPUTER RESEARCH & TECHNOLOGY
 

ETopics Sobig is “saturation bombing” the Internet

As users of an “Adult” Newsgroup clicked on the pornographic image, little did they realise the havoc and mayhem they were about to cause. These Internet users were triggering the biggest virus attack in the history of the Internet.

Sobig-F has been causing chaos on networks in the past week or so. It is now known to be the fastest spreading worm in the Internet's history, surpassing even Klez and LoveBug. This is really just a complete swamping, or inundation, of the Internet.

The virus first appeared last week as the latest member of the malicious Sobig virus family hammering companies and individuals alike. It has hit the Internet hard, flooding email servers and inboxes. Networks have staggered under the barrage with network access slowing to a crawl, and some email systems being temporarily taken offline in an attempt to stop the siege.

Do we know where the virus originated?

FBI investigators in America have now tracked down the source of the virus, Sobig-F, to a porn website in Phoenix, America. It was loaded onto the Internet disguised as a photograph posted in an adult 'newsgroup'. Newsgroups are forums where users post messages and pictures. When people clicked on the picture to download it to their own computers they unwittingly became infected and spread the virus, which then emailed copies of itself from their accounts.

Do we know who did it then?

Some person uploaded the virus to the Internet using an account at easynews.com, an Arizona-based Internet company. The account was set up just seven minutes before the virus first appeared. However, the virus writer has hidden his tracks well. The account was set up not only using a stolen credit card but via a computer, belonging to an unwitting resident of British Columbia, that had been hacked into by the virus writer beforehand.

Why would anyone want to do this?

The use of stolen property to set up the Internet account in the first place is leading to the speculation that the virus writer is working with 'spammers', who send out mass junk emails.

The virus, which is a mass-mailing worm that can also spread via network shares, hit the Net so hard so quickly because of the spam-like spreading technique that the author used.

What kinds of impact has the virus had?

Companies are having their email systems taken out because of the sheer volume of emails being received. First the system slows down, then it slows to a crawl, and then it is taken offline altogether.

Email traffic nearly quadrupled at one stage. On an average day, one major ISP scans approximately 11 million attachments. Last Wednesday, the staff scanned 40.5 million email attachments only to find 23.2 million were infected with Sobig-F.

People are not only getting hammered by the virus but also by the notifications. If you're talking about a large company and you take down an email system for an hour, it could cost that organisation a million dollars.

How did it infect so many Internet users so quickly?

It is possible the virus is hitting the Internet so hard because it is building on the impact of its Sobig predecessors. Earlier versions of Sobig may have infected computers and then downloaded Trojans (hidden or disguised programs sitting in wait) to set the machines up as hidden agents to do their dirty work. If so, the virus author has a huge army at his or her command now, just waiting for the next seeding. Each Sobig variant has spread more widely than the last, and this is believed to be because of the growing army of infected machines.

Can we recognise the virus when it arrives?

When the worm arrives via email, it comes as an attachment with a .pif or .scr extension. The sender's address is spoofed. The subject lines used are taken from a list, including 'Re: That movie', 'Re: Wicked screensaver', 'Re: Approved' and 'Your details'.

What can we do if we do see the virus e-mail coming onto our system?

The best advice we can give is to appeal to the public to delete any emails they receive from the virus. The virus is easily recognised because the subject header of any infected message always begins with 'Re:' followed by a phrase such as 'that movie' or 'your application'.
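The two answers above give a mail administrator everything needed for a simple triage filter: the worm arrives as a .pif or .scr attachment, and its subject comes from a short fixed list. The sender address is spoofed, so it is useless as an indicator. The following script is an added example, not code from the article or from Computer Research & Technology; it parses raw messages with Python's standard email library and flags those carrying the attachment type, reporting a matching subject as supporting evidence only, since a genuine reply can carry any of these subjects. The sample messages, attachment names and payload bytes are constructed for the demonstration.

```python
"""Triage filter for the Sobig-F traits described in the article:
a .pif or .scr attachment plus a subject taken from the worm's fixed list.
Added example, not from the original article. All sample messages,
filenames and payloads below are constructed for illustration."""
from email import message_from_string, policy

# Subject lines the article quotes as coming from the worm's list.
KNOWN_SUBJECTS = {
    "re: that movie",
    "re: wicked screensaver",
    "re: approved",
    "your details",
    "re: your application",
}
# Attachment extensions the article says the worm uses.
RISKY_EXTENSIONS = (".pif", ".scr")


def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message.
    Non-multipart messages simply yield no attachments."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def classify(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message.

    The verdict is 'worm' only when an executable-type attachment is present;
    a listed subject alone is recorded as a reason but does not condemn the
    message, because the sender is spoofed and the subjects mimic real replies."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        reasons.append(f"subject matches worm list: {subject!r}")
    for name in attachment_names(msg):
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable attachment: {name!r}")
    verdict = "worm" if any(r.startswith("executable") for r in reasons) else "clean"
    return verdict, reasons


# Constructed sample 1: listed subject plus a .pif attachment (stub payload).
WORM_SAMPLE = """\
From: "Bob" <bob@example.net>
To: alice@example.org
Subject: Re: That movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="movie.pif"
Content-Transfer-Encoding: base64

VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHN0dWIu
--b1--
"""

# Constructed sample 2: a genuine-looking reply that only shares a subject.
REPLY_SAMPLE = """\
From: carol@example.org
To: alice@example.org
Subject: Re: Approved
Content-Type: text/plain

Yes, the budget is approved. Go ahead.
"""

# Constructed sample 3: unrelated subject and a non-executable attachment.
ZIP_SAMPLE = """\
From: dave@example.org
To: alice@example.org
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Figures attached.
--b2
Content-Type: application/zip
Content-Disposition: attachment; filename="figures.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("reply", REPLY_SAMPLE), ("zip", ZIP_SAMPLE)):
        verdict, reasons = classify(raw)
        print(f"{label}: {verdict} {reasons}")
```

Run against a mail spool, the filter quarantines the first sample, lets the second through while logging the subject hit for an analyst, and ignores the third. Keying on the attachment type rather than the subject keeps false positives down while the subject list still surfaces the wave of notification traffic the article describes.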

Of course, as always, ensure you have a good virus scanner installed and working on your computer, with the latest updates downloaded.


Arthur Hissey
Computer Research & Technology
www.crt.net.au


ETOPICS
what are they?

Keep up to date with the latest in the IT/Communications industry by listening to ABC Local Radio on FM107.1, every Tuesday morning at 9.15AM.

Computer Research & Technology Managing Director Arthur Hissey and Morning Host Janice McGilchrist will be discussing current matters of interest and future directions in the IT industry.
