Sobig: spam, virus or both?

An analysis of e-mail messages containing the new worm variant by Russian antivirus company Kaspersky Labs revealed what appears to be a distribution pattern more akin to spam e-mail than a fast-spreading virus.

Like the original Sobig virus, Sobig.C is a mass-mailing worm that spreads copies of itself through e-mail messages with attached files which contain the virus code.

The new variant was first detected late last Friday and spread quickly across multiple countries in the hours after it first appeared, according to a statement by Helsinki security company F-Secure Corp.

"It looks like the virus writer enhanced the virus's replication with spam technology to achieve greater spreading speed and global distribution," said Denis Zenkin, head of Kaspersky.

E-mail that is generated by a worm can typically be traced back to another infected machine, Zenkin said. 

With the recent Sobig.C virus, however, Kaspersky researchers found that the machines responsible for distributing the virus were not infected with Sobig, leading Kaspersky researchers to theorise that they were "open proxy" machines used by spammers to conduct massive e-mail distributions, Zenkin said.

Open proxies are loosely managed machines connected to the internet and open to trespass by outsiders. They are often home computers connected to the internet using always-on DSL (Digital Subscriber Line) or cable modem connections, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs.

Without the initial spamming of Sobig.C e-mail, it is doubtful the virus would have spread as quickly, Zenkin said.

The virus has features that can grab e-mail addresses from files stored on infected machines. Lists of destination addresses for use by spammers are easily available online and could be used to "seed" the new virus to millions of machines at once.

Sunner added that there is a "high likelihood" that Sobig.C used a spam engine to spread. The initial appearance of Sobig was unusual for viruses, spiking over the weekend and then quickly dying off.

"It's certainly plausible that the virus writers may have kick-started replication with spamming techniques," said Chris Belthoff, senior security analyst at security firm Sophos.

However, spam is not the only way the virus spreads.  "We're absolutely certain that the virus does replicate. We have reported cases of the virus replicating," Belthoff said.

Sophos did not analyse the source of the Sobig.C e-mail samples it received, but it is not uncommon for virus writers to launch their creations with massive e-mail distributions, Belthoff said.

The virus writer may have contracted with a spammer to distribute the e-mail or taken advantage of an open proxy that had been left vulnerable by another virus, Zenkin said, adding that a more likely scenario is that the virus writer is also an active spammer.

While its initial distribution was unusually large, the Sobig.C virus outbreak is just the latest example of the convergence of spam and viruses, with spammers using open proxies as mini e-mail servers, according to Sunner. 

"Sixty per cent of the spam e-mail we get is coming from open proxies. Spammers are using always-on connections to give them an almost infinite number of IP addresses to send their mail from," Sunner said. 

This raises the question of whether Sobig.C is better described as spam or as a virus.

Zenkin said he preferred to talk about Sobig.C as a virus with two separate spreading techniques: One based in the virus's worm code and the other being spam distribution technology used by the author to seed the new virus.

Security experts did agree that computer users should be ready for a new version of the Sobig virus this weekend.

The Sobig.C variant is programmed to expire on 8 June and Sobig.C was released on the same day that its predecessor, Sobig.B, was programmed to stop spreading.

The serial releases may be an effort by the Sobig author to fool antivirus software by subtly altering the makeup of the virus. Alternatively, the author could be releasing "proof of concept" viruses, testing the success of different viruses depending on when and how they are distributed, according to Sunner and Belthoff.

Paul Roberts writes for IDG News Service