"Sobig.c" - Spam Technology In the Hands of Virus Creators?

04 Jun 2003
Virus News
As reported by Kaspersky Lab (http://www.kaspersky.com/news.html?id=978914), a new modification of the "Sobig" network worm has been spreading across the Internet. Company experts have conducted a detailed analysis of the situation and now suspect that, in order to achieve the maximum effect, the worm's creators may have used spamming technology to mass mail the "Sobig" worm.

Network worms differ from other malicious programs in their ability to propagate automatically (sending infected messages, attacking P2P networks, local area networks, etc.). The situation with "Sobig.c" is the first case in which these functions have been reinforced by mass-mailing technology. The use of this technology would explain how the "Sobig" worm family instantly jumped to first place in May's list of the most widespread virus programs.

Under this assumption it is possible to state a few facts. Firstly, the spreading methods used by the "Sobig" worm itself are not effective enough to cause such a large number of infections in such a short period of time. Secondly, the overwhelming majority of the infected messages being sent out do not use the sender address bill@microsoft.com hard-coded in the worm, but rather other falsified addresses. Finally, detailed analysis of the IP addresses at the source of the "Sobig.c" mailings confirms the high probability that spamming technology was used.

It is doubtful that spammers decided to expand their business to include the anonymous mailing of infected messages. Equally doubtful is that virus creators hired spamming services, which would have cost up to several thousand US dollars; for even the most obsessed virus writer this amount would almost surely be prohibitive. On the other hand, it should be noted that the computer underground has perfected the art of covering its tracks, masterfully using anonymity and the extraterritoriality of the worldwide Web to hide its illegal activities.
"It is possible that virus writers actually decided to quench their irrational thirst to destroy with the help of spamming technology", commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.

The consequences of this symbiosis are hard to overestimate. Using spam-style mass mailings can tremendously increase the speed at which worms spread and the geographic territory they cover. This technological integration could provoke global flood attacks on the Internet (such as happened with "Slammer") that could lower the network's productivity and even fragment it into disconnected segments.

"It is possible to simply blame the evil geniuses who thought up this method of network attack. On the other hand, one should look at the situation objectively; naturally, in the environment of complete chaos and total anonymity that reigns over the Internet, certain people are not able to resist the temptation to commit cyber hooliganism", added Eugene Kaspersky.

According to Kaspersky Lab's research, the overriding factor motivating the overwhelming majority of virus creators to practice their craft is impunity. If they were confident that they would eventually be punished for committing unlawful acts, by far the majority of virus creators would simply cease to commit their crimes. This reality once more confirms the urgency of establishing additional Internet security measures or of creating a parallel, protected network to be used exclusively for business communications.

More detailed information about the "Sobig" family of network worms can be found in the Kaspersky Virus Encyclopedia by clicking on the following links:

Sobig.a
Sobig.b (aka Palyh)
Sobig.c