January 9, 2006 11:57 AM PST
ISPs asked to help clean up Sober worm
Related Stories
- All quiet on the Sober front (January 6, 2006)
- Clock's ticking on new Sober onslaught (December 7, 2005)
- Sober storms charts as month's biggest attack (November 30, 2005)
- ISPs versus the zombies (July 19, 2005)
Although Sober is no longer trying to replicate, antivirus company F-Secure believes ISPs must warn infected customers so they can disinfect their machines.
Infected PCs were programmed to download new instructions from the Internet last week, which would have heralded another attack. This update did not actually appear online, but infected machines are still trying to download it.
"ISPs: We urge you to check your user traffic patterns. Locate the users that produce an unlikely large amount of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. Contact these users and let them know they are likely to be infected with Sober and they should clean up their act," F-Secure said on its blog.
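As an added example (not from the article or from F-Secure), here is the kind of per-customer check that advice implies, run over constructed proxy-style log lines: count each client's hits to the named update hosts and flag the ones that poll them constantly. The log format, the client addresses and the 10-hit cut-off are assumptions.

```python
from collections import Counter, defaultdict
import re

# Update hosts named in the F-Secure advice quoted above.
SOBER_UPDATE_HOSTS = {
    "people.freenet.de", "scifi.pages.at", "home.pages.at",
    "free.pages.at", "home.arcor.de",
}

# Assumed log format: "<epoch> <client_ip> <host> <path>" (constructed, not a real ISP format).
LOG_LINE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\S+)$")


def constructed_log():
    """Constructed sample: one polling client, one normal visitor, one unrelated heavy user."""
    lines = []
    hosts = ["people.freenet.de", "scifi.pages.at", "home.arcor.de"]
    for i in range(12):  # 10.0.0.5 polls the update hosts every 10 seconds
        lines.append(f"{1136800000 + i * 10} 10.0.0.5 {hosts[i % 3]} /")
    lines.append("1136800005 10.0.0.9 people.freenet.de /index.html")  # one ordinary visit
    for i in range(20):  # 10.0.0.7 is busy, but not with the update hosts
        lines.append(f"{1136800000 + i * 5} 10.0.0.7 www.example.com /page{i}")
    lines.append("not a log line")  # malformed input is skipped
    return lines


def count_update_hits(lines):
    """Return {client_ip: (hit_count, sorted hosts seen)} counting hits to the update hosts only."""
    hits = Counter()
    hosts_seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, ip, host, _path = m.groups()
        host = host.lower()
        if host in SOBER_UPDATE_HOSTS:
            hits[ip] += 1
            hosts_seen[ip].add(host)
    return {ip: (n, sorted(hosts_seen[ip])) for ip, n in hits.items()}


def flag_likely_infected(lines, threshold=10):
    """Clients with at least `threshold` update-host hits (assumed cut-off), busiest first."""
    stats = count_update_hits(lines)
    flagged = [(ip, n) for ip, (n, _hosts) in stats.items() if n >= threshold]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))
```

A real deployment would count over a time window and contact the customer rather than act on the count alone; the single normal visitor is deliberately left unflagged.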
Computers infected by Sober are likely to contain spyware, or could have been turned into zombie PCs and used to send spam or launch denial-of-service attacks. They could also download a Sober update in the future, sparking another mass-mailing attack.
F-Secure said ISPs should automatically notify customers that they have been infected, and redirect them to sites where they can disinfect their machines.
"Most affected computers belong to home users, who have no idea they've been infected. ISPs are in the best position to distinguish infected users," said Mikko Hypponen, director of antivirus research at F-Secure.
"Service providers can automatically shut down a user connection, and specify that to get back online users have to follow certain steps, for example, by visiting the Microsoft site for the latest updates. ISPs can automatically shut down what they want, and can still connect users to Microsoft," Hypponen said.
ISPs have an economic motive to inform users that their machines have been compromised, Hypponen argued.
"It might be hard for ISPs to find the motivation to do it, because it's a lot of work and a thankless job as no one wants to hear they are infected. However, ISPs are losing money because of the huge amounts of traffic generated by infected machines," Hypponen said.
But a U.K. spokesman for America Online said it would not be contacting consumers, as it put more emphasis on prevention of infection through e-mail filtering and blocking links to certain Web sites. People who had been infected had access to McAfee antivirus services, AOL said.
"We have on occasion made outbound contact with members in specific situations, such as the Mydoom worm, but have no plans to do so in this instance as we focus our efforts on prevention," said Jonathan Lambeth, director of communications for AOL UK.
"Our antispam systems, which block more than 1.5 billion spam e-mails each day, block a large number of e-mails containing links to the Sober virus in the first place," Lambeth added. "Links are default-disabled on e-mails within AOL to prevent casual clicking on rogue links, requiring a more positive action to click through, although this setting can be switched off if the user prefers."
Tom Espiner of ZDNet UK reported from London.
5 comments
> as we focus our efforts on prevention,"
They are not focusing on prevention. Failing to notify infected PC owners whose infected machines are spreading the virus means they're positively doing nothing to prevent it. To prevent further spreading of the worm it has to be stopped at the source, and the sources are the machines already infected that are sending out many copies of the virus.
I get each day plenty of infected email messages with the Sober worm, and plenty of bounces from infected email that was sent out with one of my addresses as the forged "From" header. The headers in the email show that they are sent from the same IP address or a few IP addresses. This means there are a few machines that are infected and are constantly sending out those messages. What is needed is that the owners of those PCs be informed that they are infected, or that ISPs block outgoing port 25 traffic from those PCs so they cannot send email directly outside their local network. Only ISPs are in a position to know which PC is which IP address and communicate the info to the user (actually I just thought of another way. I would put this in a separate talkback).
Any of the annoying AOL commercials showing in the US? They make it seem like all you have to do is click a button or two and "PRESTO!! You don't have anything to worry about. Just open all the attachments you want, we've got your back."
They should rethink their stance and be forced to educate Grandma & Grandpa Jones as to how to keep themselves secure...
</Rant>
Example: Google hosts Gmail and receives millions of infected email messages. They scan these messages and can determine their source, and the type of virus they are infected with. Now if they collect the IP addresses of SMTP sessions that have sent these, they can show a message when the infected PC is used to access Google that it has been determined that it is probably infected and recommend that it be scanned for viruses. They can also make the list available so that other webhosts can use it to warn users. The same can be done with spam originating from zombie PCs. The problem can be reduced if some frequently accessed websites would warn people they have been detected as a compromised machine.
Google was only an example. Yahoo can do it. Microsoft can do it with Hotmail and MSN. Lots of others can do it and they can cooperate on maintaining a list of compromised machines, or compete.
Finally, if you want to ask the ISP of whoever bombards you with virus-laden email (or spam), you can use SpamCop.net, which would analyze your email, find the true source and send a complaint email to their service provider with all the technical details needed to take action. Then you can pray that the service provider would take action. If lots of people used this service to report the spam they get, ISPs would need to take action.
Actually there are three parts:
1. Collecting data: email providers can scan email for spam and viruses and collect the data on which IP address seems to be infected with what, based on the stuff it sends out.
2. Making the data available: this might be done like any DNSBL. The main difference is that a query is made not to determine whether or not to accept an email message. It is made to determine if the user accessing some webpage needs to be notified that her PC is infected with something.
"Meta-lists" can then be made that query several sources and combine them according to the sources' credibility to make a better list that would then be queried by notifying services.
3. Getting the data to the PC owner: websites would then query the available data lists and tell the user if there's a problem. There can be many ways to do it. Webmail services might do it upon login. The same with personal or non-personal portals or search engines.
2alpha (Western Washington)
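An added sketch of the three parts in the comment above, not the commenter's own code: DNSBL-style query names for client IPs, several constructed infection lists combined by an assumed credibility weight (the "meta-list"), and the notice a webmail login page would return. Zone names, weights, addresses and labels are all constructed.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Reverse the octets as DNSBLs do: 192.0.2.10 under zone -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed sources (assumed zone names): zone -> (credibility weight, {query name: label}).
SOURCES = {
    "infected.mailprov-a.example": (0.8, {}),
    "zombies.mailprov-b.example": (0.5, {}),
    "spam.webhost-c.example": (0.3, {}),
}


def publish(zone, ip, label):
    """Part 1: a mail provider records what an IP was seen sending (constructed data)."""
    SOURCES[zone][1][dnsbl_query_name(ip, zone)] = label


def lookup(ip, zone):
    """Part 2: stand-in for the DNS query a notifying service would make; None = not listed."""
    return SOURCES[zone][1].get(dnsbl_query_name(ip, zone))


def meta_score(ip):
    """Combine every source that lists the IP, weighted by its credibility (the 'meta-list')."""
    score, labels = 0.0, set()
    for zone, (weight, _entries) in SOURCES.items():
        label = lookup(ip, zone)
        if label is not None:
            score += weight
            labels.add(label)
    return round(score, 2), sorted(labels)


def notice_for(ip, threshold=0.6):
    """Part 3: the message a webmail or portal login page would show, or None below threshold."""
    score, labels = meta_score(ip)
    if score < threshold:
        return None
    return f"This computer ({ip}) appears to be infected ({', '.join(labels)}); please run a virus scan."


# Constructed observations from two mail providers and one web host.
publish("infected.mailprov-a.example", "192.0.2.10", "sober")
publish("zombies.mailprov-b.example", "192.0.2.10", "spam-zombie")
publish("spam.webhost-c.example", "192.0.2.20", "spam-zombie")
```

The low-credibility single listing of 192.0.2.20 stays below the threshold, which is the point of weighting sources rather than trusting any one list.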