November 30, 2005 5:45 PM PST

Sober storms charts as month's biggest attack

Malicious messages that purport to be from the FBI, CIA or Paris Hilton generated the vast majority of virus-laden e-mail traffic in November, according to security companies.

The e-mails carry a new variant of the Sober worm in an attachment which, when opened, infects the recipient's computer. The worm then attempts to disable antivirus programs and send copies of itself to any e-mail addresses found on the hard drive.

The Sober worm still accounts for close to 43 percent of all viruses being reported to the British antivirus firm Sophos. At its peak, it accounted for one out of every 13 e-mails relayed over the Internet, the group said on Wednesday.

As the most widespread variant since Sober first appeared about two years ago, the new offshoot has threatened to overwhelm e-mail servers and slow message delivery, Sophos said. Postini, another computer security firm, estimates that the latest Sober outbreak is twice as large as the biggest previous attack.

Infected e-mails carry a variety of messages. One claims to be a message from the FBI or CIA. It informs recipients that they've visited illegal Web sites and instructs them to answer questions in the e-mail's attachment. Another promises video clips of socialites Paris Hilton and Nicole Richie, while a German version references that country's version of the TV show "Who Wants To Be A Millionare."

"Mocking the feds is a sure-fire way of goading the authorities, and you can't help but wonder whether the author is desperate to be caught," Carole Theriault, senior security consultant at Sophos, said in a statement.

Sophos also reported that close to 3 percent of all e-mails, or one in 38, contain viruses. The firm collects data from a global network of monitoring stations.


Join the conversation!
Add your comment
Proactive virus defense is needed
Making the pre-holiday Sober outbreak even more lethal is the increasingly common tactic whereby virus writers release several variants of the same virus in quick succession to one another. This rapid release storm strategy makes traditional antivirus even less effective since virus signature databases must be created, updated, and downloaded by end users with each new variant. At least four variants of Sober were spreading quickly via email across the internet on November 14th. The combination of the virus being an effective mass mailer, being well designed from a social engineering perspective, and the fact that the writer used rapid release storm tactics, allowed this virus to really own the internet for about 48 hours, depending on who you use for antivirus.

I work for GatewayDefender, an anti-spam/anti-virus managed service company. We're seeing McAfee, Symantec and others drop the ball here.
We estimate, based on fallout metrics here at GatewayDefender, that this Sober outbreak took a lot of individuals and companies by surprise and that traditional AV simply didnt get the job done as well as it used to.

Look for these coordinated "rapid release storms" and zero-day exploits to become the norm.


<a class="jive-link-external" href="" target="_newWindow"></a>
Posted by tenaciousJk (2 comments )
Reply Link Flag
well at least you can see that one coming!
Well at least with emails, you can see them coming, not like the sneaky underhanded left field under the horizon rootkit, complete with the hidden from view files, that stole system resouurces, that came free with legitimate SONY BMG audio discs! With 568,200 plus infections, that's one mighty security trojan nightmare, for everyone!
Posted by heystoopid (691 comments )
Reply Link Flag
Sober worm
Thanks to eartlink They caught the Paris Hilton in my e-mail and did not send it to me Kudos to Earthlink!
Posted by stormy47 (3 comments )
Reply Link Flag
Somber storms
In my opinion, internet email users need to become more proactive in how email is handled. My parent's always told us "to never open the door to strangers". Same scenario here, users are so naive, we see something that appears legitimate and suspicious at the same time. So what does one do? We become curious(hellooo) and we all know what's said about being 'curious'. Internet users need to be more sensitive, and pay more attention (instead of $$$ to rid the virus). By now, one would think that we'd learnt something about virus. It's the same-o same-o scenario, do not run and open email attachments (the door). Wouldn't have all these internet attacks. I don't give the person or persons credit for initiating the virus, it's the individuals who gladly open the internet email attachments that carry out the attackers ploy. That's my opinion... Thanks for you time...
Posted by cyberjett2 (1 comment )
Reply Link Flag
Sober buster ahead?
For what is worth, NORTON has been doing fine. All Sober spams have been cleaned. Yet, during the last recent days, they have eaten-up about an average of 65% of my incoming e-mail. Perhaps Web Servers can put a firewall/filter and give us a break.
Posted by Roberto Morales M. (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.