Sober.X Worm Makes Return

Virus Slows E-Mail Systems Across Nation

By Brian Krebs
Special to the Washington Post
Thursday, December 8, 2005; D01

The Sober.X computer worm that began flooding inboxes last month masquerading as a threatening e-mail from federal investigators made a resurgence this week, with security experts now calling it the most prolific e-mail worm ever unleashed.

The junk traffic generated by Sober has bogged down e-mail systems at some of the nation's largest Internet service providers. For several days last week, subscribers of Microsoft Corp.'s Hotmail and MSN e-mail services experienced long delays in receiving new messages as the company struggled to filter out Sober-generated traffic.

San Carlos, Calif.-based e-mail security company Postini Inc. said it has quarantined more than 441 million Sober-infected messages since Nov. 22, twice as many messages as the largest previous attack on record, which was the Mydoom worm in January 2004. At the time, Postini intercepted roughly 8 million Mydoom-infected e-mails per day.

The Sober worm's spread peaked around Thanksgiving, then tapered off over the weekend, according to Andrew Lochart, Postini's senior director of marketing. Early this week, however, it staged a comeback. The company blocked more than 35 million Sober-generated messages on Tuesday alone.

"That's an exceptional number for a virus in a 24-hour period," Lochart said. "Things quieted down a little bit after a tremendous outbreak last week, but now this thing has gone back to pegging the needle."

The worm most often comes attached to an e-mail supposedly sent by the FBI or CIA, claiming that the government has discovered you visiting "illegal" Web sites and asking you to open an attachment to answer some official questions. Microsoft Windows users who click on the attached file infect their computers with the worm, which then e-mails copies of itself to every address found on the victim's machine.
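The lure described above combines two signals a mail gateway can check for: a sender claiming to be a federal agency from a domain that is not the agency's own, and an attachment Windows will execute on a click. The following Python script is an added example and is not part of the article or of any vendor's product; the agency word list, the trusted-domain set, the executable-extension list and the three sample messages are assumptions constructed for illustration. It parses raw messages with the standard library's `email` package and returns a verdict with the reasons behind it.

```python
import re
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Agencies the lure impersonates (named in the article); whole-word match so
# that "cia" does not fire inside words such as "special"
AGENCY_PATTERN = re.compile(r"\b(fbi|cia)\b", re.IGNORECASE)
# Domains a genuine message from those agencies would come from (assumption)
TRUSTED_DOMAINS = {"fbi.gov", "cia.gov"}
# Attachment extensions Windows runs on double-click (list chosen for this example)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From address, lower-cased ('' if there is none)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def executable_attachments(msg: EmailMessage) -> list:
    """File names of attachments whose extension Windows would execute."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def assess(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and return a verdict plus its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_text = f"{msg.get('From', '')} {msg.get('Subject', '')}"
    claims_agency = AGENCY_PATTERN.search(header_text) is not None
    spoofed = claims_agency and sender_domain(msg) not in TRUSTED_DOMAINS
    exes = executable_attachments(msg)

    reasons = []
    if spoofed:
        reasons.append("claims FBI/CIA but sender domain is not an agency domain")
    if exes:
        reasons.append("carries executable attachment(s): " + ", ".join(exes))

    if spoofed and exes:
        verdict = "quarantine"  # both halves of the Sober lure are present
    elif spoofed or exes:
        verdict = "flag"        # a single signal: hold for review rather than drop
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(from_hdr: str, subject: str, body: str, attachment=None) -> bytes:
    """Construct a sample message in memory (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=name)
    return m.as_bytes()


# Constructed samples modelled on the lure the article describes
LURE = build_sample(
    "FBI Investigations <office@mail.example.net>",
    "You visited illegal websites",
    "Please open the attached file and answer the official questions.",
    ("questions.exe", b"MZ\x90\x00constructed-placeholder-bytes"),
)
SPOOF_ONLY = build_sample(
    "CIA Press Office <news@example.net>", "Press release", "Text only.")
BENIGN = build_sample(
    "Alice <alice@example.org>", "Lunch on Friday?", "Same place as last time?")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("spoof-only", SPOOF_ONLY), ("benign", BENIGN)):
        print(label, assess(raw))
```

The two signals are kept separate on purpose: a spoofed agency sender with no attachment is phishing-shaped but not a worm carrier, and an executable from a colleague may be legitimate, so either alone is held for review while both together are quarantined. The same check can be applied to outbound mail, since an infected machine mails copies of itself to every address it finds.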

Sober lowers security settings on infected machines, but unlike most e-mail-borne viruses and worms, it does not carry an overtly malicious payload. Rather, research unveiled Wednesday suggests the worm may be laying the groundwork for a new attack early next year.

Researchers at iDefense Inc., a Reston division of Mountain View, Calif.-based VeriSign Inc., unscrambled portions of the worm's code and found that infected PCs are programmed to download updates from a series of Web sites on Jan. 5. Whether those updates will include a new version of the worm or instructions for carrying out some other type of online activity is not clear to researchers.

Earlier this year, a Sober variant forced infected computers to spew out spam e-mails calling for the re-establishment of the Nazi Party in Germany. Jan. 5 coincides with the 87th anniversary of the founding of the Nazis in Munich.

Allysa Myers, a member of the virus response team with software maker McAfee Inc., said the worm will most likely fizzle out before that date arrives, as authorities have identified the update sites.

"There is some indication that the worm is going to try and upload new code to start a new phase in January, but at that point it is likely those sites will have been shut down," Myers said.

© 2005 The Washington Post Company
