PRESS RELEASE

Security Information 
Week 37, 2003

An analysis of Sobig.F and its ability to harm Internet users around the world
Introduction

During the last three weeks, Internet users and organizations have experienced the most severe attack on the Internet infrastructure since the "Morris worm" in November 1988 (links with further information about this worm are given at the end of this Security Information). As in that famous incident from the Internet's early days, the recent outbreak of W32/Sobig.F has caused major problems because of the huge volume of email flooding the infrastructure.

Within a few days Sobig.F became the most widespread worm ever, overtaking others that had been "In the Wild" for a long time, such as W32/Klez.H and W32/Badtrans.B.

Reports from all over the world have stated that the infrastructure in various organizations as well as at Internet Service Providers (ISPs) has had - and still has - major problems. Some organizations have implemented techniques to stop emails carrying Sobig.F at the perimeter, e.g. by setting up dedicated computers running antispam software that filters these emails before they are processed by the mail servers.

The aim of this Security Information is to analyze why this could happen: what, if anything, is so special about Sobig.F compared to other worms?

The Sobig family of worms

This family of worms has been around since January this year, and its members share some common characteristics:

  • Almost all of the worms have been widespread.
  • The spreading mechanism is email (and, for some variants, also the network).
  • The sender of the infected email is faked.
  • None of the worms have any malicious payload.
  • All of them except the A variant stop spreading after a certain date.
  • Some of the worms attempt to update themselves from specified computers.

None of the previous worms in this family, however, has spread as widely as this latest addition.

Sobig.F - why so widespread

Before we look at Sobig.F in particular, let us examine two characteristics of malicious programs that, to some degree, work against one another:

  • The ability to spread
  • The ability to harm the infected computer

Any malicious program with a destructive payload that harms the infected computer by definition also decreases its own spreading ability: a PC that no longer functions obviously cannot spread any malicious program either. And vice versa - a malicious program with no destructive payload may in principle spread for as long as the infected computer is not cleaned or the program does not otherwise stop spreading (e.g. by design).

We may therefore observe that, because the author of Sobig.F did not implement any malicious payload in the program code, its spreading ability has not been diminished by that factor.

Obviously this does not in itself explain why Sobig.F became such a major problem.

Let us examine the characteristics of the email created by the program:

The email sender and recipient

Sobig.F harvests email addresses from the infected PC and uses these both as sender and as recipient. Thus, there is almost no point in trying to inform the "sender" that he/she is infected.

Some antivirus programs are configured to send such a warning automatically. In Sobig.F's case the main effect of this is that the number of emails sent is twice as high as it would be without such warnings.

The email subject

The worm's subject is one of the following:

  • Re: Thank you!
  • Thank you!
  • Your details
  • Re: Details
  • Re: Re: My details
  • Re: Approved
  • Re: Your application
  • Re: Wicked screensaver
  • Re: That movie

The email body

The worm's body is one of the following:

  • See the attached file for details
  • Please see the attached file for details.

The email attachment

Finally the email's attachment is one of these:

  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr
  • movie0045.pif

Neither the subject field, nor the body, nor the attachment seems particularly tempting with respect to opening the email or the attachment. We have seen several examples of email worms using far more sophisticated combinations to enhance their spreading ability, without becoming as widespread as Sobig.F.
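The three lists above are exactly what a perimeter filter of the kind mentioned in the introduction (a dedicated machine in front of the mail servers) would key on. The following Python script is an added example, not SAV25's code: it turns the subject, body and attachment lists into a block / quarantine / pass decision, and builds constructed test messages to run it against. The policy thresholds and the sample messages are assumptions made for the demonstration.

```python
"""Perimeter filter for the Sobig.F message pattern listed above.

Added example, not SAV25's code. The subject, body and attachment lists are
the ones given in the text; the block / quarantine / pass policy and the
sample messages are assumptions constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators exactly as listed in the text above.
SOBIG_SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Your details", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
SOBIG_BODIES = {
    "See the attached file for details",
    "Please see the attached file for details.",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
# Sobig.F only ships as .pif / .scr; any such attachment is suspect on its own.
EXECUTABLE_EXTENSIONS = (".pif", ".scr")


def classify(raw):
    """Return (verdict, reasons) for one RFC 2822 message given as bytes.

    verdict is "block", "quarantine" or "pass"; reasons lists the indicators hit.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    attachments = []
    body_text = ""
    for part in msg.walk():            # walk() yields the message itself if not multipart
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()

    subject_hit = subject in SOBIG_SUBJECTS
    body_hit = body_text.strip() in SOBIG_BODIES
    known = [a for a in attachments if a.lower() in SOBIG_ATTACHMENTS]
    executable = [a for a in attachments if a.lower().endswith(EXECUTABLE_EXTENSIONS)]

    reasons = []
    if subject_hit:
        reasons.append(f"subject matches Sobig.F list: {subject!r}")
    if body_hit:
        reasons.append("body matches Sobig.F list")
    if known:
        reasons.append("attachment name matches Sobig.F list: " + ", ".join(known))
    elif executable:
        reasons.append("executable attachment: " + ", ".join(executable))

    # Assumed policy: a known attachment name, or a listed subject combined with
    # an executable attachment, is a definite match and is rejected outright.
    if known or (subject_hit and executable):
        return "block", reasons
    # Weaker evidence is held for review rather than dropped.
    if executable or (subject_hit and body_hit):
        return "quarantine", reasons
    return "pass", reasons


def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message (not a captured worm sample)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"      # in a real Sobig.F mail this is a harvested, faked address
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Dummy bytes stand in for the worm body; only the filename matters here.
        msg.add_attachment(b"MZ\x00\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Re: Thank you!", "See the attached file for details", "thank_you.pif"),
        build_sample("Hello", "Here is the installer you asked for.", "setup_new.scr"),
        build_sample("Your details", "Please see the attached file for details."),
        build_sample("Lunch?", "Are we still on for noon?"),
    ]
    for raw in samples:
        verdict, reasons = classify(raw)
        print(verdict, reasons)
```

The exact-match lists catch Sobig.F itself; the extension check is what gives the filter some life beyond this one variant, since a .pif or .scr attachment has no legitimate business arriving by email in most organizations.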

We must look elsewhere!

One may look at a malicious program's distribution from two different angles:

One is to see how many computers are infected by the program. The other is to investigate the aggressiveness of the malicious program's spreading mechanism(s). The latter is of course relevant for spreading techniques using e.g. email and networks. The number of infected computers is obviously relevant when one investigates the number of e.g. emails carrying the malicious program, but other aspects may be just as important.

How does Sobig.F behave regarding this?

We have seen that the program harvests email addresses from the infected computer. When it starts its spreading mechanism, it sends itself to these email addresses by setting up several threads simultaneously. Furthermore, it repeats this process very often.

The result is that a single infected PC with many stored email addresses is able to generate a lot of email traffic over a short period of time. A big organization that is infected may generate enormous amounts of email traffic.

However, the number of emails resulting from Sobig.F is definitely too high to come from only a few organizations. Security Information 20/2002 discusses the fact that the success of a malicious program depends on a "critical mass" of computers being infected. This critical mass is obviously present in Sobig.F's case as well, although, due to Sobig.F's aggressive spreading mechanism, it may be somewhat lower in terms of the number of computers infected.

We may therefore conclude that the reason why Sobig.F was so widespread - not in terms of infections (that number is not known!), but in terms of emailing activity - is mainly that it uses a very aggressive way of sending itself to email addresses.
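The three traits described in this section (harvested recipient lists, faked senders, and many messages sent in a short burst) are visible from the outbound side of a mail relay without any knowledge of the worm's signature. The following Python script is an added example, not SAV25's code: it reads relay log lines in a constructed format (one line per accepted message, timestamp, client IP, envelope sender and recipient) and flags a client that exceeds a volume threshold within a sliding window while using many distinct recipients and more than one claimed sender. The log format, the thresholds and the sample lines are all assumptions made for the demonstration.

```python
"""Outbound-burst detector for the spreading behaviour described above.

Added example, not SAV25's code. It assumes a mail relay that logs one line per
accepted message in this constructed format (not any real product's log):
    <ISO 8601 timestamp> src=<client IP> from=<envelope sender> to=<recipient>
The thresholds are illustrative assumptions, not values taken from the text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")

# Assumed policy: one client relaying more than MAX_MSGS messages within
# WINDOW_SECONDS, to at least MIN_RCPTS distinct recipients, while claiming
# several different envelope senders, matches the three traits above:
# aggressive repeated sending, harvested address lists, and faked senders.
WINDOW_SECONDS = 60
MAX_MSGS = 20
MIN_RCPTS = 10


def parse_line(line):
    """Return (timestamp, src, sender, rcpt) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["sender"], m["rcpt"]


def find_bursty_sources(lines):
    """Return {src_ip: timestamp at which it first exceeded the thresholds}."""
    windows = defaultdict(deque)      # src -> (ts, sender, rcpt) events inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, sender, rcpt = rec
        q = windows[src]
        q.append((ts, sender, rcpt))
        while (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()               # expire events older than the window
        if src in flagged:
            continue
        senders = {s for _, s, _ in q}
        rcpts = {r for _, _, r in q}
        if len(q) > MAX_MSGS and len(rcpts) >= MIN_RCPTS and len(senders) > 1:
            flagged[src] = ts
    return flagged


def build_sample_log():
    """Constructed log lines (not a real capture) covering three kinds of client."""
    base = datetime(2003, 9, 3, 10, 15, 0)
    harvested = [f"user{i}@example.net" for i in range(40)]
    lines = []
    # Infected PC: one message per second, each to a different harvested
    # recipient, with the sender rotated through the same harvested list.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.0.0.17 from={harvested[i % 7]} to={harvested[i]}")
    # Legitimate newsletter relay: also high volume, but one consistent sender.
    for i in range(25):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.5 from=news@example.com to=sub{i}@example.org")
    # Ordinary user: a handful of messages over several minutes.
    for i in range(3):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} src=10.0.0.9 from=carol@example.com to=dave{i}@example.org")
    lines.sort()                      # interleave by timestamp, as a real log would be
    return lines


if __name__ == "__main__":
    for src, ts in find_bursty_sources(build_sample_log()).items():
        print(f"suspected mass-mailer {src}, thresholds exceeded at {ts.isoformat()}")
```

The newsletter relay in the sample is the deliberate near miss: it sends just as much, just as fast, but from one consistent sender, so it is not flagged. Requiring more than one claimed sender from a single client is what ties the detection to the faked-sender trait rather than to volume alone.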

Implications

As mentioned above, Sobig.F is programmed to stop spreading if the date is 10 September 2003 or later.

One may wonder what would have happened if the author, instead of programming the worm to stop spreading, had written some destructive payload into it. Whether this would have had any disastrous effect worldwide is highly dependent on the number of PCs actually infected.

One may further wonder what would happen when a malicious program is released that has the following characteristics:

  • Sobig.F's aggressive spreading mechanism
  • A much more sophisticated social engineering technique in its email subject, body and attachment.
  • A malicious payload some weeks (or few months) after it was released.

Such a program has the potential to cause far more problems for computer and Internet users than Sobig.F did.


Appendix:

For those interested in more information about the so-called "Morris worm", here are some links:


For further information, please contact

SAV25 Data Systems

Copyright ©1999-2005 SAV25 DATA SYSTEMS. All Rights Reserved   