The arrival of three damaging computer viruses in quick
succession is unprecedented in the history of computer
viruses. Blaster, Nachi and Sobig.F have left a trail of destruction
around the world within the space of less than two weeks.
The outbreaks have had a tremendous impact on businesses and
even those companies with adequate antivirus defences say their
networks have slowed down dramatically because of the sheer volume
of e-mail traffic generated by Sobig.
“Without doubt this has been the worst week in the history of
the virus. Viruses have spread so fast and so far in the past seven
days that companies must be feeling very bruised,” said Graham
Cluely, chief technologist at Sophos.
High-profile victims over the past weeks included Air Canada,
which was forced to shut down its electronic ticketing systems, and
the rail transport systems on the East Coast of the US, where there
were reports of commuter trains between Washington and New York
being delayed and cancelled.
“In the UK we have received calls from businesses, not just
those that did not have protection in place, but from companies
whose e-mail systems were slowed down by the high volumes of
e-mails generated by Sobig,” said Cluely.
The onslaught began in the third week of August, when the
Blaster worm began targeting unpatched versions of Windows 2000,
Windows XP and Windows 2003.
The Nachi worm, also known as MSBlast.D, arrived on the scene
little over a week later. Supposedly designed as a so-called good
samaritan worm, it ended up causing more harm than good.
The Nachi outbreak caused a stampede from small businesses and
home users seeking advice on repairing their systems.
PC World reported a 163% rise in the number of calls to its PC
service support lines. Some stores were repairing up to 200 PCs a
day in an effort to clear the backlog of infected machines. Stocks
of CD Roms containing Microsoft patches ran out very quickly.
Sobig struck just as IT departments were getting to grips with
Blaster and Nachi. Although the virus first appeared on Monday 18
August, antivirus companies did not have updated signatures
available until 10:30am the next day. By then, Sobig had already
gained critical mass and was spreading rapidly.
Sobig.F is the sixth version of the Sobig mass e-mailing virus
to hit the internet. Many experts believe that the author is
deliberately tinkering with the code to maximise its destructive
effects.
“This guy has been doing it a while now. He makes small changes
each time. This time he has hit the jackpot,” said Alex Shipp,
senior anti-virus technologist at Messagelabs.
Sobig is a particularly nasty virus. Once a machine is infected,
the virus downloads trojans from a series of websites on the
internet. Some of these turn the infected machine into a spam
engine - sending out spam e-mail advertising everything from Viagra
to pornographic websites. There have been reports that other
trojans downloaded by Sobig are capable of copying files or
stealing confidential passwords.
By the August bank holiday weekend the Sobig virus appeared to
be under control, with computer experts claiming that they had
blocked servers used by the worm to spread infected e-mails.
The author of the virus is believed to have used computer
systems infected by previous versions of Sobig as a platform for
e-mailing thousands of copies of the latest variant before
antivirus companies had time to put new signatures in place.
Although the virus can easily be detected by antivirus systems,
the enormous volumes of infected e-mails travelling the web led to
significant slowdowns in e-mail traffic within company networks and
across some internet service providers.
What is to be done?
Like most recent virus attacks, Blaster, Nachi and Sobig could
easily have been prevented. The Microsoft patches that could have
prevented Blaster and Nachi were available four weeks before
Blaster struck. Many companies did not get around to installing
them.
“Four weeks is not very much but it's better than 30 seconds'
notice. Companies should have people in place whose sole job is to
make sure systems are patched, so they can focus on patching
without any other distractions,” said Cluely.
Similarly, businesses could have taken some simple precautions
to protect themselves against Sobig, for example, by blocking
incoming e-mails containing executable programmes, pif files or
screensavers. And, most importantly, businesses need to educate
their employees on e-mail good practice.
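The attachment-type block described above, as an added example that is not part of the original article: a small Python gateway check that parses an incoming message, lists its attachments and flags any whose filename ends in an executable, .pif or screensaver extension. The extension list, the sample messages and the function names are assumptions made for the example; the two messages are constructed inline so the check runs offline, and the .jpg.scr case shows that the check goes slightly beyond the article by catching double-extension names as well.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types the article recommends blocking (executables, .pif files,
# screensavers) plus a few other Windows-executable extensions that mail
# gateways commonly treat the same way. Assumed list for this example.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}


def attachment_filenames(raw_message: bytes):
    """Return the filenames of all attached (non-multipart, named) parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # None for the plain text body
        if name:
            names.append(name)
    return names


def risky_extension(filename: str):
    """Return the blocked extension a filename ends in, or None.

    The name is lower-cased and stripped of surrounding whitespace so that
    'photo.jpg.SCR ' is still caught; only the final extension decides, which
    is what catches double-extension names such as 'holiday.jpg.pif'.
    """
    lowered = filename.strip().lower()
    for ext in BLOCKED_EXTENSIONS:
        if lowered.endswith(ext):
            return ext
    return None


def quarantine_decision(raw_message: bytes):
    """Return (should_block, [(filename, reason), ...]) for one message."""
    flagged = []
    for name in attachment_filenames(raw_message):
        ext = risky_extension(name)
        if ext:
            flagged.append((name, f"blocked attachment type {ext}"))
    return (bool(flagged), flagged)


def _build_sample(filename: str, content_type: str) -> bytes:
    """Construct a sample message with one attachment (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "See attached"
    msg.set_content("Please find the attached file.")
    maintype, subtype = content_type.split("/")
    msg.add_attachment(b"not real executable bytes",
                       maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: one carrying a .pif attachment, one a harmless image.
SAMPLE_PIF = _build_sample("report.pif", "application/octet-stream")
SAMPLE_JPG = _build_sample("holiday.jpg", "image/jpeg")


if __name__ == "__main__":
    for label, sample in (("pif", SAMPLE_PIF), ("jpg", SAMPLE_JPG)):
        block, reasons = quarantine_decision(sample)
        print(label, "BLOCK" if block else "allow", reasons)
```

The check looks only at the declared filename, so it stops the kinds of attachment the article names but not content that is disguised as something else; the Usenet posting described later on the page, where a supposed photo infected the machine when opened, is the sort of case that still needs content inspection and up-to-date antivirus signatures behind the gateway.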
Ian Rickwood, chief executive of the Institute for the
Management of Information Systems, suggests that IT professionals
could benefit from going back to the old mainframe days, when
downloading programmes, as opposed to data, was considered a
sackable offence.
“It might sound a bit tongue in cheek but it underlines the
seriousness of it. If we have got the problems that we appear to
have got, then something has to be done.”
The outbreaks highlight the need to take urgent steps to design
software and operating systems that are harder for cyber
criminals to exploit, IMIS believes.
“If what might be viewed as cyber vandalism can have this scale
of impact, the issues of designing out opportunities for e-crime
acquire an urgency that has been missing to date. We have to
address what can be done within current technologies without
waiting for what might be around the corner,” added Philip Virgo,
strategic advisor to IMIS.
Although the coincidence of three viruses striking at once is
unprecedented, some observers believe that it could set a trend as
more virus writers realise they can maximise their impact by riding
on the coat-tails of other outbreaks.
The Sobig virus will self-destruct by 10 September. But already
antivirus firms are warning businesses to brace themselves for
another version of Sobig by 11 September. If the trend of copycat
virus outbreaks continues, ignoring patches and token end-user
training will no longer be an option.
Trail of destruction
The Sobig worm may have started out in the guise of a
pornographic picture on some newsgroup sites.
Easynews, a US-based newsgroup provider, said it had been served
a subpoena by the FBI relating to an account on its service that
had been used to post the worm to Usenet.
Details of one posting made using the account show a posting on
Monday 18 August at 19:46 GMT to six newsgroups: alt.binaries.amp,
alt.binaries.boneless, alt.binaries.nl,
alt.binaries.pictures.chimera, alt.binaries.pictures.erotica and
alt.binaries.pictures.erotica.amateur.female.
The posting had the title “Nice, who has more of it?
DSC-00465.jpeg” and contained a photo which, when clicked on,
infected the browser’s computer with the worm.
Easynews said the account in question appears to have been
created with a stolen credit card for the sole purpose of uploading
the virus to Usenet and was created minutes before the posting was
made.
What's your view?
How badly did last week's virus attacks affect you?
Tell us in an e-mail
>> ComputerWeekly.com reserves the right to edit and publish
answers on the website. Please state if your answer is not for
publication.