By Susan B. Shor TechNewsWorld Part of the ECT News Network
11/16/05 10:40 AM PT
With the holiday season and its flurry of shopping, greetings and other online activity comes a bump in malware production. Proof came early this year with the proliferation of several new versions of the Sober worm.
"Unfortunately for us, the holidays have historically brought with them an increase in malware activity," Ed Moyle, manager of CTG Security Services, told TechNewsWorld. "There's a good reason for that. It's easier for malware authors to hide their activities during the holiday season."
Moyle explained, "Folks are used to receiving e-mails from friends and relatives containing executable content, flash, slide shows, etc. If they receive an e-mail from a friend with the subject 'Great Holiday Snowball Game' that has an executable attachment, they are fairly likely to run it. Malware authors capitalize on this fact and camouflage their messages with seasonal messages."
Letting Their Guard Down
The danger of such tactics is compounded by a lack of vigilance among cheerful computer users, since normal precautions, such as deleting unknown executables, would avoid the problem completely.
"It's understandable that some folks drop their guard around the holidays. If everyone else in the office is playing the 'super fun reindeer snowball game,' not opening it because it could be unsafe can be less than fun," Moyle said.
So far, there have been reports of four variants of the mass-mailer: Sober.S, Sober.T, Sober.V and Sober.W. They operate in much the same manner as previous incarnations: an e-mail, in English or German, carries an attachment that, if opened, searches the computer for stored e-mail addresses and mails itself to them.
Known attachments to look out for are Exceltab-packed_list.exe; Liste.zip; Reg-List-Dat_Packer2.exe; reg_text.zip; Word-Text.zip; Word-Text_packedList.exe; Word-Text_packedList.zip.
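The check a mail gateway or a cautious user would apply to these messages, as an added example that is not part of the original article: it builds a constructed "holiday game" e-mail in memory, walks its MIME attachments, and flags any that is a Windows executable, a ZIP containing one, or a file whose name is on the list above. The sender address, subject and the fake executable bytes are all constructed here for illustration.

```python
"""Flag e-mail attachments of the kind the Sober variants use.

Added example (not from the original article): builds a constructed
message in memory, then walks its MIME parts and reports any attachment
that is a Windows executable, a ZIP that contains one, or a file whose
name matches the attachment names reported for Sober.S/T/V/W.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment names the article lists for the November 2005 Sober variants.
KNOWN_SOBER_NAMES = {
    "exceltab-packed_list.exe",
    "liste.zip",
    "reg-list-dat_packer2.exe",
    "reg_text.zip",
    "word-text.zip",
    "word-text_packedlist.exe",
    "word-text_packedlist.zip",
}

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# "MZ": the first two bytes of every DOS/PE executable.
MZ_MAGIC = b"MZ"


def is_executable(name, data):
    """True if the name looks executable or the content starts with MZ."""
    return name.lower().endswith(EXECUTABLE_EXTENSIONS) or data[:2] == MZ_MAGIC


def zip_executables(data):
    """Names of executable members inside a ZIP attachment ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [
                info.filename for info in zf.infolist()
                if not info.is_dir() and is_executable(info.filename, zf.read(info))
            ]
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Return a list of (attachment_name, reasons) for suspicious attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower() in KNOWN_SOBER_NAMES:
            reasons.append("name matches a reported Sober attachment")
        if is_executable(name, data):
            reasons.append("attachment is a Windows executable")
        inner = zip_executables(data)
        if inner:
            reasons.append("ZIP contains executable: " + ", ".join(inner))
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message():
    """Constructed sample: a 'holiday game' mail carrying a ZIP with an .exe inside."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        # A fake MZ header stands in for real executable content (constructed).
        zf.writestr("Word-Text_packedList.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "friend@example.com"  # constructed address
    msg["To"] = "you@example.com"       # constructed address
    msg["Subject"] = "Great Holiday Snowball Game"
    msg.set_content("Check out this game!")
    msg.add_attachment(payload.getvalue(), maintype="application",
                       subtype="zip", filename="Word-Text.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(name, "->", "; ".join(reasons))
```

Matching on the reported names alone is the weakest of the three checks, since a new variant only needs a new filename; the executable-extension and MZ checks, applied both to the attachment and to the members of any ZIP it carries, are what catch the next "snowball game".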
Minimal Damage
The worm spreads quickly, Moyle said, but the damage to an infected machine is minimal, although mass mailings can slow down servers and networks. The latest versions use a more clever propagation method.
"Compared with the Sober variants we saw earlier this year (e.g. Sober.N), the new versions have updated the payload -- what it does once it's on a machine -- and the propagation vector -- the technique it uses to spread," he said. "Previous versions opened a document in Notepad when the executable was run. This version displays an error message dialog -- all in all, probably a more effective technique."
Police in Bavaria, Germany, issued a press release Monday, warning of the expected outbreak. Sober's writer is believed to be German, and Bavarian police have been trying to track down its author for a year.