A recent outbreak of the latest Sober worm has become the largest e-mail virus yet, according to several e-mail security vendors.
The success of the latest Sober was due, in part, to it posing as a message from the FBI or CIA. tE-mail filtering services company Postini said it had quarantined more than 218 million Sober-infected messages in just seven days, making this outbreak twice as big as the largest previous attack on record.
Typically Postini quarantines about 50 million virus-infected messages per month.
“This Sober virus generated close to a 1,500% increase in virus-infected e-mail traffic in the past week,” said Scott Petry, Postini VP of products and engineering.
Security vendor Sophos and Trend Micro agree the latest Sober was the most widespread virus yet. At the outbreak’s peak, one in every 13 messages was Sober-infected, Sophos said. The worm arrives as a .zip file attachment in either German or English. The message appears to be from the FBI, CIA or German Bundeskriminalamt (BKA) and accuses recipients of visiting illegal web sites. The message asks recipients to answer questions in an attachment.
Some infected messages reference the German version of “Who Wants to be a Millionaire” and US star Paris Hilton.
The worm disables antivirus programs and hijacks Windows-based computers, forcing them to send continuous spam e-mails that overwhelm servers and slow down networks.
Postini, Sophos and other vendors said they had successfully blocked or quarantined all threats and their customers were not infected.
Sober’s author has been operating anonymously for more than two years. But their latest approach to pose as the US federal government has baffled Carole Theriault, senior security consultant at Sophos.
“Mocking the feds is a sure-fire way of goading the authorities, and you can’t help but wonder whether the author is desperate to be caught,” she said.
The FBI released a warning that it does not send unsolicited e-mails. “The FBI takes this matter seriously and is investigating,” said an agency statement. “Users are instructed to delete the e-mail without opening it.”
Theriault said Sober viruses, “may seem as hard to exterminate as a colony of cockroaches, but they can be stopped from infesting a network if users remain vigilant when facing unsolicited emails.” Helsinki, Finland-based security outfit F-Secure Corp said it believes all 25 variants of the Sober virus have been written by the same individual, operating from somewhere in Germany. But unlike most other widespread viruses, Sober doesn’t appear have a clear financial motive behind it. “The numbers we’re now seeing with Sober.Y are just huge,” said F-Secure chief research officer Mikko Hypponen.
Other security vendors have dubbed the latest worm Sober X or Sober Z