Computer Users And System Administrators, Take Not (http://www.abandonia.com/vbullet/showthread.php?t=8546)

vipin 23-12-2005 07:03 AM

See Here yourself!

http://news.yahoo.com/s/nf/20051212/bs_nf/...HBhBHNlYwM5NjQ-

SOBER WORM ATTACK SET FOR 6th JANUARY 2006


Quote:


Computer users and system administrators, take note. According to iDefense, a division of VeriSign (Nasdaq: VRSN), on January 6, 2006, the world will see the release of a new version of the Sober worm. Security analysts hope that, at least in this instance, being forewarned can lead to being forearmed, and that computer users will take the time before the attack to update their security software.



The discovery was made as researchers at iDefense sought to unravel the most recent version of the Sober worm's encrypted code through reverse engineering. The latest variant was released in mid-November, infecting thousands of computers. A week later, the worm reinfected computers with another variant that sent faux e-mails supposedly from the FBI, the UK's National High Tech Crime Unit, and the CIA. Intelligence experts believe that this version infected millions of computers in a prelude to the scheduled attack in January.

While Ken Durham, director of iDefense's Rapid Response Team, acknowledged that most antivirus firms worth their salt who have studied the Sober worm are also aware of the date, he said iDefense decided to go public hoping that awareness would breed caution that will help mitigate the spread of the worm.

"This is not like we have the corner on the market in knowing about dates and how Sober works," Durham said. "The reason you do an announcement is that this is a user-interaction worm. If people realize that there is going to be a large-scale e-mail worm spread on or around those dates and they know what to be prepared for, you can help mitigate that worm."

Spreading the Message

The Sober worm first appeared in October 2003, during what was later dubbed the "year of the worm" because of major worm attacks such as Blaster, SoBig.F, Nachi, and others. According to Durham, Sober didn't show up on the radar screen as notable or significant at that time, but over the past two years it became clear to security experts what the motive was behind the Sober worms and that the author was in it for the long term and that this was going to be a persistent attack.

"We often see codes rise and fall," said Durham. "Some malicious authors are working on things as teenagers, but then they grow up and get out of the business. In other cases, we find they do more sustained efforts over a period of time. In the case of the Sober worms, we found that it was strongly correlated to Neo Nazi right-wing agendas."

Durham said this so-called "hacktivism" came to light over a period of time because the worm's authors would promote their code and spread it on historical dates of significance. For instance, November 22, the date of the most recent Sober release, was also the day Germany's first female chancellor was inaugurated. January 6 marks the 87th anniversary of the founding of the Nazi Party in Germany.

"At one point [the authors] actually used their infected computers to spam out e-mails that would direct people to right-wing based Web sites," Durham said. "They were very clearly using this to promote that kind of a religious and political agenda as compared to a traditional person who is looking more for their own notoriety and 15 minutes of fame or someone who may be working with more of a criminal intent for financial gain."

A Constant Refrain

Security analysts say that, whether for profit or to support a political agenda, the only way to combat these Internet plagues is for computer owners and system administrators to be aware of potential threats and maintain systems with up-to-date antivirus protection.

A recent report by America Online and the National Cyber Security Alliance found that up to 81 percent of respondents had no security controls. Of that number, 56 percent did not have any antivirus software or had software that had not been updated in the past week, and 44 percent had an improperly configured firewall. As for spyware, 38 percent said they had no antispyware protection at all.

What began as a relatively unsophisticated worm, Durham said, has now become a leading threat with modifications by the author. One e-mail gateway has logged millions of interceptions of Sober on a daily basis, racking up 94 million during the first big outbreak in November, Durham revealed.

"The latest version of Sober was very successful in spamming itself to the world," Durham said. "It has been set up so it has the technical capability to send out large volumes of e-mail from any single infected machine."

Top of Charts

According to statistics from Sophos, the Sober worm accounted for 77.3 percent of all reports filed so far in December. That number represents roughly one Sober infected e-mail for every 45 e-mails the average user receives. Sober was the worm most reported to Sophos in November, despite its late release during the last full week of the month.

"These figures tell us that Sober-Z has managed to infect a lot of people so far," said Carol Theriault, senior security analyst at Sophos. "Being able to predict an incident means that [security firms] can tell people about it so that they can take appropriate action."

Yankee Group analyst Andrew Jaquith agreed that these kinds of announcements are helpful because they give people an idea of what future threats will look like, and it allows consumers and corporate customers an opportunity to prepare themselves for a coming attack. However, Jaquith is concerned that alerts of this magnitude might be lost amid the constant onslaught of virus alerts that users receive.

"It's not a question of someone crying wolf," said Jaquith. "It's just that there are so many wolves, there is a lot of crying going on. It's just one more thing in a never-ending stream of security problems for Windows."


vipin 23-12-2005 07:07 AM

Another Information Link:-

http://www.playfuls.com/news_0446_On..._On_Virus.html

Quote:


Yes, since Christmas is just about one week away, a worm called Dasher has just been unleashed onto the Internet. It targets primarily Windows 2000, and two different versions have already been spotted.
According to the IDG news service, Dasher is based on an exploit for a recently patched bug in Microsoft Distributed Transaction Coordinator, a component of the operating system that is commonly used by database software to help manage transactions. The company from Redmond has rated this vulnerability as "critical" for Windows 2000 systems.
"The Dasher worm wouldn't be able to spread at all if the security vulnerability in Microsoft's software didn't exist. It's important that all companies have a mechanism for rolling out security patches, as well as for automatically updating their anti-virus software," said Graham Cluley, senior technology consultant for Sophos, in a statement. "Microsoft will be fuming that a virus writer is successfully exploiting another vulnerability in their operating system."
But things are actually worse. We're not talking about one malicious “reindeer”, but about two of them, since two different variants of Dasher are now in circulation, according to Finnish security company F-Secure. Both versions install software that then tries to infect other vulnerable systems, and that also can be used to log keystrokes and turn the computer into a remotely controlled "bot" system.
So, once again, it seems that our own beloved OS can be the victim of worms, courtesy of the company from Redmond. Thanks again, Microsoft.


Danny252 23-12-2005 08:35 AM

There's always a new virus coming. That's why we have firewalls and anti-virus software, and be safe. My PC's never died from a virus, AFAIK.

vipin 23-12-2005 09:20 AM

This appeared dangerous to me because I saw it somewhere with an alert for administrators, and this Sober worm appears dangerous to me!

Danny252 23-12-2005 02:46 PM

Aren't most worms, viruses, trojans etc. potentially dangerous?

Reup 23-12-2005 03:15 PM

Yeah. For ignorant-non-updating-no-virusscanner-no-firewall-open-every-attachment kind of fools they are very dangerous. Just keep your DAT-files up to date, your OS and engine patched and your firewall reasonably closed and don't click on every screen you see without reading it first and you're in the clear. 'Don't panic!'

Caged 24-12-2005 02:22 AM

anyone who gets a virus nowadays and says they didn't see it coming should have their computer confiscated

Eagle of Fire 24-12-2005 02:31 AM

Sounds like a scam. How would they know which precise date a new worm would appear on the internet? I don't really believe this.

plix 24-12-2005 05:47 AM

Quote:

Originally posted by Eagle of Fire@Dec 23 2005, 10:31 PM
Sounds like a scam. How would they know which precise date a new worm would appear on the internet? I don't really believe this.

They know because it's not a new worm, it's an old one that self-mutates (sort of, but close enough) and has seen several new versions since it first appeared. The date was determined by reverse-engineering a copy collected "in the wild."

Fruit Pie Jones 30-12-2005 02:36 PM

Speaking of Sober, this is funny. This virus has actually done some good, it appears.

