Threat from SoBig not over, antivirus firms warn

Computerworld - Several antivirus software companies are continuing to maintain a high alert status for the W32/SoBig.F worm because of a payload that is set to trigger on infected machines at 3 p.m. EDT today.
Starting at that time and until 6 p.m. EDT, the worm is programmed to automatically direct infected PCs to a server that's controlled by the virus writer and from which a malicious program could be downloaded, according to antivirus company Sophos PLC.
The worm is programmed to make similar attempts at the same time each Friday and Sunday through Sept. 10, at which point it is coded to disable itself.
"Like previous versions, SoBig.F too is able to listen to and act on commands sent by its authors," said Craig Schmutar, a member of Network Associates Inc.'s Anti Virus Emergency Response Team.
Among the programs that could be downloaded using the back door are another virus -- a program for collecting sensitive information or for deleting data on infected machines, Sophos said.
"When particular conditions are met, Worm/Sobig.F will attempt to download additional components of the attacker's choice," cautioned a note from Central Command Inc., a Medina, Ohio-based vendor of antivirus products. Infected machines run the risk of being turned into zombies that can be used by the virus author "to launch an all out attack on large Internet infrastructures, for example, by means of a Distributed Denial of Service attack," the Central Command advisory warned.
In addition to updating antivirus software, users should configure firewalls to block outgoing connections to UDP Port 8998, Sophos said.
For the moment, SoBig's major impact on corporations has been to slow down e-mail service because of the sheer quantity of traffic generated by the worm.
On Tuesday alone, America Online Inc.'s automatic e-mail scanning service for subscribers detected 23.2 million attachments containing the SoBig.F virus, company spokesman Nicholas Graham said. That number represented about 98% of all e-mail viruses and worms detected by AOL that day, he said.
"We are working overtime to strip all of these attachments" before they reach AOL subscribers, Graham said.
Though the volume hadn't disrupted AOL's e-mail service so far, SoBig.F is "certainly spreading faster than any e-mail virus we have ever seen," Graham said yesterday.
External e-mail service at the University of Texas MD Anderson Cancer Center in Houston was slowed "because of the massive number of pings and infected e-mails attempting to penetrate our perimeter defenses," said Lew Wagner, the center's chief information security officer.
At one point, the center's e-mail server was being hit by "tens of thousands of concurrent connection" attempts, Wagner said. As a result, the hospital increased the number of concurrent connections while decreasing the time taken to drop packets on its networks.
"What it does is you have more ports open to let good things through," while more quickly dropping suspicious traffic, Wagner said.
Baker Hill Corp., a Carmel, Ind.-based application service provider, routes all its e-mail through a service provider that scans and strips all e-mail for malicious attachments.
As a result, the company's systems remained unscathed by SoBig.F. Even so, Baker Hill felt the ripple effects when it found itself being forced to deal with a stream of messages that had been spoofed to appear as though they were sent by Baker Hill employees and were being bounced back to its users by antivirus measures on other networks.
"It was very confusing for a lot of my users who were getting messages from people asking them why they were sending [virus] infected messages," said Eric Beasley, network administrator at Baker Hill. At the peak of the problem, the president of the company was receiving between 25 and 50 such messages per hour, Beasley said.
"Even though we have our antivirus solution in place and our desktops were not infected, the impact was still there from all these unwanted e-mail," he said.
Computerworld's own editor@computerworld.com and letters@computerworld.com addresses each got hundreds of such bounced-back e-mails.