By Staff Writer E-Commerce Times
08/19/03 2:08 PM PT
Like its predecessors, SoBig.F is unusual in having a short life cycle. Its expiration date is September 10, 2003.
As predicted last week in TechNewsWorld's "Profile of a SuperWorm," the latest variant in the SoBig worm family has been unleashed, with Internet security firms reporting that several copies have been found in the wild.
Like the previous five versions of the worm, SoBig.F can be spread via either e-mail or network shares. It takes control of an infected PC and creates e-mail messages spoofing the PC's address, which then are sent to accounts listed in the PC's address book.
The worm also grants back-door access to the infected computer, enabling an attacker to hijack the machine to steal confidential data, implement spam relay servers or perhaps even distribute updates to the worm itself. Virus writers often use such methods to forward their code to as many inboxes as possible, making it a "successful" virus.
Latest Spamming Techniques
Strong evidence exists that SoBig's creator has used spamming techniques to create the variants of this worm, Sophos senior security analyst Chris Belthoff told the E-Commerce Times.
For his part, Vincent Weafer, senior director of Symantec's (Nasdaq: SYMC) Security Response team, agreed that spamming techniques have provided SoBig.F with the ability to propagate e-mail messages around the world. This interconnectivity between worms like SoBig.F and spammers creates a double-barreled impact for end users, who already are coping with spam's exponential growth, he told the E-Commerce Times.
However, Belthoff said that unlike most spammers, who are trying to make money, SoBig.F's creator and the creators of other viruses have different motivations.
"They are trying to slow down networks, clog system pipelines and put IT departments in hell," he said.
Social Engineering a Factor
With subject lines like "Re: That Movie" or "Re: Wicked Screensaver," SoBig.F entices recipients of spoofed e-mails to click on attached, zipped .pif files. The fact that users must click on these files to activate the worm theoretically should be a deterrent to its spread. Unfortunately, SoBig.F is spreading, indicating that users are not as security-aware as they need to be, Belthoff said.
"There's an element of psychology involved to entice you to keep clicking. I may know not to click on the 'wicked screensaver,' but my kids might, especially when it seems to come from someone" they know, he noted.
He added that on the corporate side, IT departments need to improve security education for all users, including many who telecommute and inadvertently cause worms to spread.
"IT departments like to say end users are part of the problem, but they're also part of the solution," Belthoff said.
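A mail-gateway check for the two indicators this section describes (the reported subject lines and the zipped .pif attachment), added here as an illustration; it is not code from the article or from any vendor named in it, and the subject list and the sample messages are constructed assumptions:

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Subject lines the article reports SoBig.F using; assumed incomplete, extend from gateway logs.
SUSPECT_SUBJECTS = {"re: that movie", "re: wicked screensaver"}

def zip_contains_pif(payload: bytes) -> bool:
    """True if a ZIP attachment holds a .pif file, the lure the article describes."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(name.lower().endswith(".pif") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a valid archive; leave it to other controls

def sobig_indicators(raw: bytes) -> list[str]:
    """Return the SoBig.F-style indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if not fname:
            continue  # body text or multipart container, not an attachment
        data = part.get_payload(decode=True) or b""
        if fname.endswith(".pif"):
            hits.append("pif-attachment:" + fname)
        elif fname.endswith(".zip") and zip_contains_pif(data):
            hits.append("zip-with-pif:" + fname)
    return hits

def make_zip(inner_name: str) -> bytes:
    """Constructed ZIP with one harmless placeholder entry (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"harmless placeholder bytes")
    return buf.getvalue()

def build_sample(subject: str, attach_name: str, attach_bytes: bytes) -> bytes:
    """Constructed sample message (not a real worm capture) for exercising the check."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.com"  # sender is spoofed, as the article notes
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(attach_bytes, maintype="application", subtype="octet-stream", filename=attach_name)
    return bytes(msg)
```

Running sobig_indicators over a message built with build_sample("Re: Wicked Screensaver", "movie.zip", make_zip("movie.pif")) reports both the subject and the zipped .pif, while an ordinary report with a .txt inside its archive yields no hits.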
SoBig Containment
Weafer recommended that home and small business users download the latest security patch from Microsoft's (Nasdaq: MSFT) Web site, update their antivirus programs and obtain a personal firewall. In addition, users should do a security audit of their PCs to check for vulnerabilities.
On the enterprise side, Weafer said, IT administrators should determine the source of infection and contain it before attempting to eradicate it. Then they should consider erecting firewalls between branches and organizations to help isolate future outbreaks, and should watch for security patches and vulnerabilities germane to their systems.
However, Aberdeen Group vice president Jim Hurley told the E-Commerce Times that the expense and time required to patch systems are directly related to an organization's size and the size of its IT infrastructure. Therefore, IT administrators typically avoid patches unless they see a good reason to apply them.
Not So Super
Like its predecessors, SoBig.F is unusual in having a short life cycle -- generally two to three weeks. Weafer said there may be several reasons why SoBig.F's author has implemented an expiration date. For example, he or she may be testing different variants to see which one works best, may be concerned that an earlier variant could interfere with a newer one, or may want to avoid getting caught.
SoBig.F's expiration date is September 10, 2003. When asked if he thinks the worm's author may be preparing a "super" SoBig for September 11th, Belthoff said that while an extremely destructive version could be in the works, all SoBig variants are completely preventable. The key is keeping virus protection up to date and not clicking on attached files, even if they appear to have come from a trusted source, unless such files are expected.