Global Race To Beat Sobig Virus

Zooropa

VIP Member
Computer security experts are racing to beat the clock as the super-potent Sobig.F email virus threatens to unleash a crippling barrage of data across the Internet.
A frantic global hunt was under way from the United States to South Korea to find and switch off 20 home computers with high-speed broadband connections that were due to be targeted by hundreds of thousands of computers infected by Sobig.F at 8 p.m. British time on Friday.
Security experts discovered only late on Thursday that the Sobig.F virus, which has sown panic since Monday by infecting Windows systems and using them to send a deluge of junk mail, was harbouring a sinister secret.
Hidden within the virus is an instruction to the infected machines to make contact at 8 p.m. with the 20 computers, which host an unidentified programme.
"The problem is we don't know what that programme is. It could mean a smiley face dances across your screen or it could be something massive," said Carole Theriault, anti-virus consultant at Sophos Anti-Virus. "It's still under the control of the virus writer."
Even if the mystery programme is a harmless gag, the sheer volume of Internet data converging on the 20 computer targets could slow the Internet to a crawl.
The time trigger is set to be activated again at the same time on Sunday, August 24.
The search for the owners of the 20 machines -- to get them to disconnect before the deadline -- has had some success.
"We've taken more than half offline," said Mikko Hypponen, anti-virus research manager at Finland's F-Secure. "But if one is left standing, there will be an attack."

PATCH UP, SHUT DOWN

Security officials have advised computer users who suspect they have the virus to download one of the many patches being distributed by anti-virus vendors such as Sophos (http://www.Sophos.com), Symantec (www.symantec.com) and F-Secure (www.F-secure.com).
Since surfacing late on Monday, Sobig.F has been crippling corporate e-mail networks and filling home users' inboxes with a glut of messages. Hypponen estimated that Sobig.F had generated close to 100 million emails.
Sobig.F spreads when unsuspecting computer users open file attachments in emails that contain such familiar headings as "Thank You!", "Re: Details" or "Re: That Movie".
Once the file is opened, Sobig.F resends itself to scores of email addresses from the infected computer and signs the email using a random name and address from the infected computer's address book.
It has generated a massive flow of potentially infectious emails, bogging down computer servers. Some security experts estimate more than one million computers have been infected worldwide, though they stressed an accurate tally was difficult to measure as so many home computer users had been hit.
 
Sobig.F Worm Believed to Start at Web Porn site

Computer security experts thwarted an attack by computer worm Sobig.F on Friday just as the FBI subpoenaed an Arizona Internet service provider in order to trace the fast-spreading virus experts believe was first posted on an adult-oriented Web site.

One expert said the Sobig.F e-mail virus was disguised so that anyone who clicked on a link purporting to show a sexually graphic picture became infected with the self-replicating worm, which then spread itself to other e-mail addresses.

"Sobig.F was first posted to a porn Usenet group," said Jimmy Kuo, research fellow at anti-virus software maker Network Associates Inc. Usenet is a popular forum on the Internet where computer users with similar interests post and read messages.

So far, as many as 100,000 computers have been infected with Sobig.F, which in turn has spewed "millions upon millions of infected e-mails" to other Internet users, Kuo added.

Sobig.F spreads when unsuspecting computer users open file attachments in e-mails that contain such familiar headings as "Thank You!," "Re: Details" or "Re: That Movie."

Once the file is opened, Sobig.F resends itself to e-mail addresses from the infected computer and signs the e-mail using a random name and address from the computer's address book.

Since Monday, computer users from Korea to Norway have struggled to fend off attacks that have crippled corporate e-mail networks and have filled home users' inboxes with a glut of messages, before fanning out to find more victims.

Consulting firm Booz Allen Hamilton, Air Canada and transport company CSX Corp. are among hundreds of companies that have suffered network attacks from recent viruses.

ATTACKS, SHUTDOWNS, NEW THREATS

Employees at the New York Times headquarters in midtown Manhattan were asked to shut down their computers, but a spokesman declined to comment on the cause of the shutdown.

"We will not speculate on the cause, effect or scope of the problem ... We plan to get the paper out tomorrow."

Sobig.F was written to expire on Sept. 10, but experts said they expect another version to follow. This is the sixth version of the portentously named virus since it first appeared in January.

The worm has been clogging e-mail inboxes with a hidden command directing infected PCs to make contact with one of 20 vulnerable computers at 12:00 PT California time every Friday and Sunday until it expires, said Steve Trilling, chief researcher at anti-virus vendor Symantec Corp.

Government and industry security experts raced against the clock on Friday to take offline 19 of the 20 home computers, thwarting an attack before the 12 noon deadline, said Mikko Hypponen, anti-virus research manager at F-Secure of Finland.

The computers were located in the United States, Canada and South Korea, he said. The remaining master computer, which was in the United States, was taken down shortly after the deadline, experts said.

Experts had worried that the timed attack would slow down Internet traffic and possibly set in motion a new set of commands to launch new attacks. However, they cautioned that it was too early to tell whether the threat of Sobig.F had ended. The next expected attack could spur new problems, they said.

Internet service provider Easynews.com of Phoenix, Arizona said it had been contacted by investigators by telephone on Thursday and the company was issued a subpoena on Friday.

"It looks like the original variant was posted through us to Usenet on the 18th (of August)," Michael Minor, the Internet service provider's chief technology officer, told Reuters.

An FBI spokesman said the organization was working with the U.S. Department of Homeland Security to investigate who was behind the e-mail attacks. He declined to comment further. (Additional reporting by Eric Auchard, Kenneth Li and Derek Caney in New York, Tim McLaughlin in Boston, Jim Christie and Andrea Orr in San Francisco and Bernhard Warner in London)
 