Sobig: Spam, virus or both?

New spamming techniques could help spread viruses

The quick spread of the recent Sobig.C worm may owe more to advances in spamming techniques than to the skill of an anonymous virus writer, according to a leading antivirus company.

An analysis of e-mail messages containing the new worm variant by antivirus company Kaspersky Labs International revealed what appears to be a distribution pattern more akin to spam e-mail than a fast-spreading virus, according to Denis Zenkin, head of corporate communications at Moscow-based Kaspersky.

Like the original Sobig virus, Sobig.C is a mass-mailing worm that spreads copies of itself through e-mail messages with attached files that contain the virus code (see story).

The new variant was first detected late May 30 and spread quickly across multiple countries in the hours after it first appeared, according to a statement by Helsinki, Finland-based security company F-Secure Inc.

"It looks like the virus writer enhanced the virus's replication with spam technology to achieve greater spreading speed and global distribution," Zenkin said.

E-mail that's generated by a worm can typically be traced back to another infected machine, Zenkin said.

With the recent Sobig.C virus, however, Kaspersky researchers found that the machines responsible for distributing the virus weren't infected with Sobig, leading the researchers to theorize that they were "open-proxy" machines used by spammers to conduct massive e-mail distributions, Zenkin said.

Open proxies are loosely managed machines connected to the Internet and open to trespass by outsiders. They are often home computers connected to the Internet using "always-on" Digital Subscriber Line or cable modem connections, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs Inc. in New York.

Without the initial spamming of Sobig.C e-mail, it's doubtful that the virus would have spread as quickly, Zenkin said. Although the virus has features that can, for example, grab e-mail addresses from files stored on infected machines, lists of destination addresses for use by spammers are easily available online and could be used to "seed" the new virus to millions of machines at once, he said.

There is a "high likelihood" that Sobig.C used a spam engine to spread, Sunner said. The initial appearance of Sobig was unusual for viruses, spiking over the weekend and then quickly dying off, he said.

"It's certainly plausible that the virus writers may have kick-started replication with spamming techniques," said Chris Belthoff, a senior security analyst at U.K.-based Sophos PLC.

However, spam isn't the only way the virus spreads, he said, adding, "We're absolutely certain that the virus does replicate. We have reported cases of the virus replicating."

Sophos didn't analyze the source of the Sobig.C e-mail samples it received, but it's not uncommon for virus writers to launch their creations with massive e-mail distributions, Belthoff said.

The virus writer may have contracted with a spammer to distribute the e-mail or taken advantage of an open proxy that had been left vulnerable by another virus, Zenkin said. A more likely scenario is that the virus writer is also an active spammer.

While the virus's initial distribution was atypically large, the Sobig.C outbreak is just the latest example of the convergence of spam and viruses, with spammers using open proxies as e-mail servers, according to Sunner. "Sixty percent of the spam e-mail we get is coming from open proxies. Spammers are using always-on [Internet] connections to give them an almost infinite number of IP addresses to send their mail from."

That raises the question of whether Sobig.C is better described as spam or as a virus. "It's a very sensitive question," Zenkin said.

He prefers to talk about Sobig.C as a virus with two separate spreading techniques: one based in the worm code, and the other being spam distribution technology used by the author to seed the new virus.

Security experts agreed that computer users should be ready for a new version of the Sobig virus this weekend.

The Sobig.C variant is programmed to expire on June 8, and Sobig.C was released on the same day that its predecessor, Sobig.B, was programmed to stop spreading.

The serial releases may be an effort by the Sobig author to fool antivirus software by subtly altering the makeup of the virus. Alternatively, the author could be releasing "proof of concept" viruses, testing the success of different viruses depending on when and how they are distributed, according to Sunner and Belthoff.


Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon