August 20, 2003 3:46 PM PDT
ISPs: Sobig's the biggest virus so far
Recent data from e-mail service providers pegs the infection caused by the latest variant of the Sobig virus as the largest epidemic of a mass-mailing computer program to date.
E-mail filtering company MessageLabs, for instance, said it intercepted more than a million messages that carry the virus on Tuesday, while rival Postini trapped 2.6 million in 24 hours.
"This is the fastest (virus) that we have seen," said Scott Petry, vice president of products and engineering for Redwood city, Calif.-based Postini. He added that the company typically stops far fewer e-mail messages that carry viruses--about 500,000--on an average day.
The computer virus clogged corporate e-mail systems on Tuesday and Wednesday, as every message had to be digitally checked for the virus before being passed on to the recipient's computer. New York-based MessageLabs found that about one in every 17 messages contained the Sobig virus--far more then the normal 1-in-275 ratio or 1-in-138 ratio that the previous top threat, Klez.H, had produced.
Sobig.F, like previous versions of the virus, uses an e-mail address other than the victim's as the apparent source of e-mail messages that it sends to spread itself. Many antivirus systems send an alert that notifies the apparent sender of viral e-mail messages that they are infected, even when the malicious program is known to forge the source's e-mail address. The result: More spam to clog the Internet's arteries.
"We chose to not respond to spam or viruses, because it can quickly turn into a denial of service attack," Petry said.
America Online also had to deal with an avalanche of e-mail. On any given day, the consumer Internet service provider--the world's largest--normally receives about 11 million e-mail messages that bear attachments that need to be checked. On Tuesday, the company took in about 31 million such messages, about 11.5 million of which carried the Sobig.F virus, according to an AOL representative.
The Sobig.F virus spreads by harvesting e-mails from Web pages and from the address book of an infected computer. It sends a copy of itself to the addresses in an e-mail message with subject lines such as "Your Details," "Re: Approved," and "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer.
The virus has caused headaches for administrators at the Massachusetts Institute of Technology, the U.S. Department of Defense and many other companies. But the virus--like the previous versions--has an expiration date built in: This variant is set to stop spreading on Sept. 10.
But rather than comfort Internet service providers, that fact made administrators worried that the people who wrote the Sobig family of viruses were learning with each variant.
"The Sobig virus writer's use of an inbuilt expiry date indicates that he is committed to inventing new and improved versions," Mark Sunner, chief technology officer at MessageLabs, said in a statement. "Each variant released so far has exceeded the previous one in growth and impact during the critical initial window of vulnerability."