December 7, 2005 11:42 AM PST

Clock's ticking on new Sober onslaught

A new outbreak of Sober may be coming, security experts have warned, even as e-mail systems worldwide work to get rid of the last infestation of the mass-mailing worm.

The next attack is hard-coded in the version of Sober that hit the Net on Nov. 22, iDefense, part of VeriSign, said in a statement Wednesday. Infected machines are set to download instructions and potentially mail out a new wave of Sober e-mails on Jan. 5, the security company said.

That leaves Internet users with less than a month to shore up their defenses against Sober, which was the most prolific worm in 2005, security experts at iDefense said.

"The attack could have a significant detrimental effect on Internet traffic, as e-mail servers are flooded," iDefense said.

The possible outbreak could be stopped, said Mikko Hypponen, chief research officer at Finnish antivirus company F-Secure. The worm is set to download instructions from a number of sites hosted on the systems of free Web space providers. These are located mostly in Germany and Austria, he said.

"These free Web site hosters should be able to block those specific URLs this virus is trying to download from in January, so with any luck nothing will happen," Hypponen said. "There is plenty of time for the Internet service providers and the antivirus people to act."

The latest Sober variant is still causing headaches for e-mail users. Microsoft last week said the load of infected messages is causing an unspecified delay for mail sent to its Hotmail and MSN e-mail services. Sober accounted for almost 40 percent of all the viruses stopped by F-Secure on Wednesday, Hypponen said.

The Sober family of mass-mailing worms appears to be the work of a German speaker or group of German speakers, iDefense said. Nearly 30 variants of the worm have surfaced since October 2003, the company said.

Sober arrives as an e-mail with a malicious attachment. The text of the e-mail can vary and can be either in German or English. Some Sober e-mails have included Nazi propaganda, while others posed as messages from the FBI, the U.K.'s National High-Tech Crime Unit and the CIA.

iDefense believes a Jan. 5 attack may be spreading more Nazi propaganda. The date coincides with the 87th anniversary of the founding of the Nazi party.


Join the conversation!
Add your comment
Sober worm again
I generate a number of EMail newsletters daily, and in my opinion,the Sober attacks are already starting. Generally they take the form of EMail allegedly from the FBI, CIA or some other organization stating that I have visited illegal websites and must fill in the form. Open the attachment and Bang. These EMails generally come two, three or sometimes six at a time - in other words under one heading. Anybody dlse had the same thing?
Posted by PeterGooch (1 comment )
Reply Link Flag
Been hit plenty hard but fortunately most are caught by our spam filter. Even had a user open the attachment AFTER we broadcast a message describing the e-mail and instructing users to immediately delete without opening.

However, if you re-read the article you'll notice that the first wave is a 'set-up'. Machines infected and not cleaned by the set-up will start misbehaving on 1/5/06.
Posted by orphu (109 comments )
Link Flag
Proactive Virus Defense is Needed (repost)
This is a repost of comments I made on a similar article 12/1: (<a class="jive-link-external" href="" target="_newWindow"></a>)

Making the pre-holiday Sober outbreak even more lethal is the increasingly common tactic whereby virus writers release several variants of the same virus in quick succession to one another. This rapid release storm strategy makes traditional antivirus even less effective since virus signature databases must be created, updated, and downloaded by end users with each new variant. At least four variants of Sober were spreading quickly via email across the internet on November 14th. The combination of the virus being an effective mass mailer, being well designed from a social engineering perspective, and the fact that the writer used rapid release storm tactics, allowed this virus to really own the internet for about 48 hours, depending on who you use for antivirus.

I work for GatewayDefender, an anti-spam/anti-virus managed service company. We're seeing McAfee, Symantec and others drop the ball here. We estimate, based on fallout metrics here at GatewayDefender, that this Sober outbreak took a lot of individuals and companies by surprise and that traditional AV simply didnt get the job done as well as it used to.

Look for these coordinated "rapid release storms" and zero-day exploits to become the norm.

<a class="jive-link-external" href="" target="_newWindow"></a>
Posted by tenaciousJk (2 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.