It’s part-spam, part-virus and becoming a complete nuisance. The latest version of the “SoBig” virus continued to worm its way around the Internet on Thursday, infecting far more computers than any of its four predecessors. Recognizable by subject lines such as “Re: Movies” or “Re: application,” along with an attached Zip file, the malicious program can turn infected PCs into hijacked spam machines.
MANY ANTIVIRUS COMPANIES raised their risk rating on the latest variant of SoBig, called SoBig.E, late Wednesday or early Thursday, as infection reports grew from a trickle to a small flood. And the worst might not be over yet, said Symantec Corp. security response senior director Vincent Weafer.
“It’s still on the rise,” he said. “And almost by a 10 to 1 majority, it’s home users who are getting hit.”
Symantec has received 900 submissions of the worm from customers in the past 24 hours, Weafer said — a rate that’s similar to the year’s fastest-spreading virus so far, BugBear.
Antivirus firm MessageLabs Inc. said it had trapped 29,000 copies of the worm destined for its clients by the end of Thursday’s business day on the U.S. east coast. About two-thirds of the viruses came from U.S. addresses, the firm said.
This latest SoBig outbreak, along with another malicious effort also unleashed Wednesday, shows that the line between viruses and spam continues to blur. SoBig.E, as with previous versions, installs a small Trojan horse e-mail program on infected machines which can be used later by spammers, according to Mark Sumner, chief technology officer of MessageLabs Inc.
Such hijacked, or “Trojaned,” machines are the perfect tool for sending out spam, since it becomes almost impossible to trace the spam to its original sender.
TRICKY ZIP FILE
This new version of SoBig is successfully spreading because it was adjusted to outwit many corporate antivirus techniques. It spreads as a “.zip” file, a commonly used compression format. Many corporations that now block potentially infected attached files, such as .exe files or Word documents, still let Zip files through to e-mail recipients.
In the past, opening Zip files required a little extra work by the recipient, but Microsoft’s Windows XP comes with software which makes it easy — and in this case, makes the virus writers’ job a little easier as well.
(MSNBC is a Microsoft - NBC joint venture.)
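The gateway gap described above (blocking .exe attachments but passing Zip files untouched) is closed by looking inside the archive. The following is an added example, not code from the article or from any vendor it quotes; it builds a constructed message shaped like the SoBig.E lure (a “Re: …” subject with a .zip attachment) and reports any executable member, treating an unreadable archive as suspicious rather than letting it through. The extension list is an assumption, not any particular product’s policy.

```python
import email
import io
import os
import zipfile
from email.message import EmailMessage

# Assumption: extensions a mail gateway would normally refuse as bare attachments.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}


def build_sample_message(member_name: str = "movies.exe") -> bytes:
    """Constructed sample message: a 'Re: Movies' subject with a .zip attachment
    containing one member. The member content is a placeholder, not real code."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Re: Movies"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="movies.zip")
    return msg.as_bytes()


def executables_in_zip_attachments(raw: bytes) -> list[str]:
    """Return 'attachment.zip/member' for every executable member found inside
    any .zip attachment. A .zip that fails to parse is reported as well, since
    a filter that only inspects well-formed archives is easy to sidestep."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or not fname.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                        findings.append(f"{fname}/{name}")
        except zipfile.BadZipFile:
            findings.append(f"{fname}/<unreadable zip>")
    return findings


if __name__ == "__main__":
    print(executables_in_zip_attachments(build_sample_message()))  # ['movies.zip/movies.exe']
```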
Like other SoBig worms, “SoBig.E” is set to expire in about three weeks. At this point, it’s clear the author plans to simply keep pushing out new versions of the worm every few weeks in an attempt to keep an army of spam machines available, Sumner said.
“It is pretty dastardly,” Sumner said. Perhaps as much as 70 percent of all spam is now being sent from hijacked machines, he added. “This would seem to be the method of choice in the advanced spam community.”
Spam is also a factor in the spread of SoBig. The virus author doesn’t rely only on traditional programming techniques, such as reading the victim’s e-mail address book, to propagate the program. Each time, it has also been sent out to spam mailing lists, Sumner said.
FAKE WINDOWS UPDATE
In fact, the second of Wednesday’s malicious e-mails — known simply as “Downloader-BN” — is pure spam, just an e-mail without malicious code, said Craig Schmugar, a virus research engineer at Network Associates Inc.’s McAfee division. The author simply sent a spam urging recipients to visit a Web site and download a critical update for Windows. Perhaps hundreds of thousands of the notes went out, Schmugar said. Spam techniques are so efficient now, he said, that some virus writers no longer have to worry about clever programming techniques to spread their worms.
The good news about Downloader-BN — it was apparently a one-shot e-mail that’s run its course. The bad news — recipients who followed the link were tricked into downloading a Trojan horse onto their machines which could also be used to send spam.
Sumner thinks the blending of spam and viruses is likely to continue.
“In the past, with viruses, it was about malicious intent,” Sumner said. “The big difference here is there is money in this.”