Sobig is the latest in a string of viruses that could have been prevented. Three viruses, Blaster, Nachi and Sobig, have left a trail of destruction around the world within the space of less than two weeks. The arrival of three damaging computer viruses in quick succession is unprecedented in the history of computer viruses....
The outbreaks have had a tremendous impact on businesses, and even those companies with adequate anti-virus defences say their networks have slowed down dramatically because of the sheer volume of e-mail traffic generated by Sobig. "Without doubt this has been the worst week in the history of the virus. Viruses have spread so fast and so far in the last seven days that companies must be feeling very bruised," said Graham Cluley, chief technologist at Sophos. High-profile victims over the past few weeks include Air Canada, which was forced to shut down its electronic ticketing systems, and the rail transport systems on the East Coast of the US, where there were reports of commuter trains between Washington and New York being delayed and cancelled. "In the UK we have received lots of calls from businesses, not just those that did not have protection in place, but from companies whose e-mail systems were slowed down by the high volumes of e-mails generated by Sobig," said Cluley.
The onslaught began in the third week of August when the Blaster worm began targeting unpatched versions of Windows 2000, Windows XP and Windows 2003. The Nachi worm, also known as MSBlast.D, arrived on the scene a little over a week later. Supposedly designed as a so-called good samaritan worm, it ended up causing more harm than good. The Nachi outbreak created a stampede from small businesses and home users seeking advice on repairing their systems. PC World reported a 163% rise in the number of calls to its PC service support lines. Some shops were repairing up to 200 PCs a day in an effort to clear the backlog of infected machines. Stocks of CD-Roms containing Microsoft patches ran out very quickly.
Sobig struck just as IT departments were getting to grips with Blaster and Nachi. Although the virus first appeared on 18 August, anti-virus companies did not have updated signatures available until 10.30am the next day. By then Sobig had already gained critical mass and was spreading rapidly.
The virus is the sixth version of the Sobig mass e-mailing virus to hit the internet. Many experts believe that the author is deliberately tinkering with the code in order to maximise its destructive effects. "This guy has been doing it for a while now. He makes small changes each time. This time he has hit the jackpot," said Alex Shipp, senior anti-virus technologist at Messagelabs.
Sobig is a particularly nasty virus. Once a machine is infected, the virus is programmed to download trojans from a series of web sites. Some of these turn the infected machine into a spam engine, sending out spam e-mail advertising everything from Viagra to pornographic websites. There have been reports that other trojans downloaded by Sobig are capable of copying files or stealing confidential passwords.
By the August bank holiday weekend the Sobig virus appeared to be under control, with computer experts claiming that they had blocked servers used by the worm to spread infected e-mails. The author of the virus is believed to have used computer systems infected by previous versions of Sobig as a platform for e-mailing out thousands of copies of the new virus before anti-virus companies had time to put new signatures in place. Although the virus can easily be detected by anti-virus systems, the enormous volumes of infected e-mails travelling the web led to significant slowdowns in e-mail traffic within company networks across some internet service providers.
Like most recent virus attacks, Blaster, Nachi and Sobig could easily have been prevented. The Microsoft patches that could have prevented Blaster and Nachi, for example, were available four weeks before Blaster struck. Many companies simply did not get around to installing them. "Four weeks is not very much but it is better than 30 seconds notice. Companies should have people in place whose sole job is to make sure systems are patched, so they can focus on patching without any other distractions," said Cluley.
Similarly, businesses could have taken some simple precautions to protect themselves against Sobig, for example by blocking incoming e-mails containing executable programs, .pif files or screensavers. Most importantly, businesses need to educate their employees in good e-mail practice.
Ian Rickwood, chief executive of the Institute for the Management of Information Systems, suggests that IT professionals could benefit from going back to the old mainframe days, when downloading programs, as opposed to data, was considered a sackable offence. "It might sound a bit tongue in cheek but it underlines the seriousness of it. If we have got the problems that we appear to have got, then something has to be done."
The outbreaks highlight the need to take urgent steps to design software and operating systems that can be less easily exploited by cybercriminals, the institute believes. "If what might be viewed as cybervandalism can have this scale of impact, the issues of designing out opportunities for e-crime acquire an urgency that has been missing to date. We have to address what can be done within current technologies without waiting for what might be around the corner," said Philip Virgo, strategic adviser to IMIS.
Although the coincidence of three viruses striking at once is unprecedented, some observers believe that it could set a trend for the future, as more virus writers realise they can maximise their impact by riding on the coat-tails of other outbreaks. Sobig will self-destruct by 10 September. But anti-virus firms are warning businesses to brace themselves for another version of Sobig by 11 September. If the current trend of copycat virus outbreaks continues, ignoring patches and end-user training will no longer be an option.
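The attachment-blocking precaution described above, worked through as an added example in Python (not code from the article or from any vendor it quotes). It parses an inbound message, looks at the final extension of every attachment and quarantines the message if that extension is an executable, a .pif file or a screensaver; the exact blocklist (.exe, .com, .pif, .scr, plus .bat and .cmd) and the constructed sample message are assumptions, not details from the article. Deciding on the last extension and comparing case-insensitively is what catches names such as "holiday.jpg.PIF", which are the usual way such attachments are dressed up to look like pictures.

```python
"""Inbound-mail attachment policy: quarantine executables, .pif files and screensavers.

Added example; the blocklist and the sample message are constructed assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

# Executables (.exe, .com), .pif files and screensavers (.scr) are the types the
# article suggests blocking; .bat and .cmd are added here as an assumption.
BLOCKED_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd"}


def blocked_extension(filename):
    """Return the offending extension (lower-case) or None if the name is allowed.

    Only the final extension counts: 'holiday.jpg.PIF' is a .pif file however it
    is dressed up, and the comparison is case-insensitive.
    """
    if not filename:
        return None
    name = filename.strip().lower()
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def attachment_verdicts(raw_message):
    """Parse a raw RFC 5322 message and return (filename, blocked_ext) per attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        verdicts.append((fname, blocked_extension(fname)))
    return verdicts


def should_quarantine(raw_message):
    """True if any attachment carries a blocked extension."""
    return any(ext for _, ext in attachment_verdicts(raw_message))


def build_sample(filename, content_type):
    """Construct a sample message with one attachment (constructed test input)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Thank you!"
    msg.set_content("Please see the attached file.")
    maintype, subtype = content_type.split("/", 1)
    # Payload is a placeholder byte string, not a real program.
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype in [("invoice.pif", "application/octet-stream"),
                        ("holiday.jpg.PIF", "image/jpeg"),
                        ("report.pdf", "application/pdf")]:
        raw = build_sample(name, ctype)
        action = "QUARANTINE" if should_quarantine(raw) else "deliver"
        print(f"{name:20s} -> {action} {attachment_verdicts(raw)}")
```

In a gateway this check sits in front of, not instead of, signature scanning: it needs no update when a new variant appears, but it only sees what the sender declared as the filename, so the declared content type and the file's actual header should be checked as well.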
Newsgroup home of the Sobig worm
The Sobig virus may have started out in the guise of a pornographic picture on some newsgroup sites.
Easynews, a US-based newsgroup provider, said it had been served a subpoena by the US Federal Bureau of Investigation relating to an account on its service that had been used to post the virus to Usenet.
Details of one posting made using the account show a posting on Monday 18 August at 19.46 GMT to six newsgroups: alt.binaries.amp, alt.binaries.boneless, alt.binaries.nl, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica and alt.binaries.pictures.erotica.amateur.female.
The posting had the title "Nice, who has more of it? DSC-00465. jpeg" and contained a photo which, when clicked on, infected the browser's computer with the virus.
Easynews said the account appears to have been created with a stolen credit card for the sole purpose of uploading the virus to Usenet and was created minutes before the posting was made.