August 22, 2003
E-mail story   Print 

THE NATION
Infected PCs Await Orders From Hacker
 
   
  Subscribe
COMPUTER CRIME
SOBIG F COMPUTER VIRUS
ELECTRONIC MAIL
THE NATION
SOBIG F COMPUTER VIRUS ELECTRONIC MAIL COMPUTER


  
 
By Joseph Menn and David Streitfeld, Times Staff Writers
One of the fastest-spreading e-mail viruses ever is threatening to discombobulate computers around the world today, when hundreds of thousands of infected PCs could be commandeered to send spam, delete data or inflict other unpleasantness.

The virus, dubbed SoBig.F, has programmed the computers it has infected to automatically download potentially malicious instructions from a machine thought to be controlled by the person who wrote the virus, computer security experts said.

So far, SoBig has done little if any permanent damage. But it has caused plenty of aggravation by filling e-mail in-boxes and clogging networks, even at companies whose employees know better than to open e-mail attachments they didn't request. SoBig spreads through attachments, just as the Melissa and ILoveYou viruses did in the past. It is the third widespread infection of computer networks this month.

Unlike its predecessors, SoBig has become more sophisticated in successive versions since its discovery in January. It is one of the first to install a "back door" to allow additional manipulation by hackers.

"Traditionally, viruses only propagated copies of themselves," said John R. Levine, author of "The Internet for Dummies." "It's a fairly recent development — over the past few months — that we're seeing viruses that leave a trap door so bad guys can come in later and install more hostile software."

Computer security experts scrambled Thursday to analyze SoBig so they could stop the hacker's designated server computer from giving new instructions to infected personal computers. The PCs are scheduled to rendezvous with the server at noon today, Pacific time. Another contact is supposed to take place Sunday.

By analyzing the virus, the experts know the server's numeric Internet address but not its physical location or the identity of its owner. As a result, it was not clear whether law enforcement officials would be able to tap into or interfere with the communication between infected PCs and the server computer. A spokesman for the Department of Homeland Security said only that officials were monitoring the spread of the virus.

SoBig — presumably named for the effect it was designed to have on computer networks — is triggered when a user tries to open the attachment, allowing the program to write itself into the start-up sequence of a machine running one of many editions of Microsoft Corp.'s Windows operating system.

The virus seeks out e-mail addresses stored on the PC and selects some of them to be its next targets. The virus also picks out addresses to use as fake return addresses. That way, when messages are undeliverable, they bounce back to innocent parties and clog up their in-boxes too.

Just one infection at a big company can prompt thousands of outgoing messages, only one of which must be opened for the infection rate to hold steady. SoBig ranks among the fastest-spreading viruses to date, though previous viruses have infected far more computers.

Internet users were flooded this week with infected e-mails generated by SoBig. EarthLink Inc., one of the biggest providers of residential Internet access, said Thursday that it was deleting hundreds of infected messages a second.

The attack arrived as companies were struggling to contain the effects of earlier viruses and worms. CSX Corp., the railroad giant, said the Blaster worm infected its signaling and dispatching systems early Wednesday morning. All of CSX's rail service was halted for two hours, and morning commuter service in Washington was canceled.

Freight customers were still experiencing delays Thursday night, CSX spokesman Adam Hollingsworth said. "We're having to use manual processes instead of automated ones," he said.

Yet another virus, Nachi, hit Air Canada this week, forcing ticket-counter agents to check in clients manually.

In general, security firms said big companies, because they tend to have firewalls and up-to-date anti-virus software, were better equipped than small firms and consumers to handle viruses like SoBig.

Computer experts spent Thursday debating what the SoBig author's next instructions are likely to be. One leading theory is that the update will turn infected machines into generators of unwanted commercial e-mail, known as spam.

"It's almost like someone breaking into your home and then using your phone to do telemarketing," said Ian Hameroff, chief security strategist for Computer Associates International Inc., one of the world's biggest software companies.

Other possibilities are that the virus will turn destructive, wiping out data stored on compromised PCs. It also could launch a so-called denial-of-service attack on major Web sites, overwhelming them with meaningless requests for information.

"At any given point, [the author] can update the virus and make it more destructive," said Joe Hartmann, a research executive at computer security firm Trend Micro Inc.

Such tactics raise the stakes for computer professionals and ordinary consumers as they seek to ward off new attacks.

"The threats are continuing to get cleverer and cleverer, and it takes more steps to stop them," said Brian Foster, director of product marketing in the security response unit of Symantec Corp., the world's largest maker of anti-virus software.

There are at least two reasons to believe that SoBig will launch a cascade of spam. The first is that spammers earn commissions from their flood of e-mails, and working with spammers is one of the few ways for a virus writer to profit from his or her activity. The second is that large amounts of spam have been traced to unwitting PCs that have been infected by early versions of SoBig and might have had their e-mail programs manipulated in the process.

Aside from its plan to phone home, SoBig includes other modest advancements over previous e-mail viruses. For instance, it disguises itself with a variety of subject lines, such as "Thank you!" and "Details," rather than using one subject line over and over.

The biggest losers were small businesses and consumers whose e-mail backed up so much that some incoming messages were lost. A modest-sized L.A. law firm was effectively shut down after its network was clogged by a SoBig infection Tuesday, before word of the dangerous messages spread.

"They were an early adopter," Afinety Inc. Vice President Kevin J. McCarthy said dryly after his company was called in to disinfect the lawyers' machines. He declined to identify the client.

Late Wednesday, Microsoft warned of three more "critical" security holes in Windows and its Internet Explorer browser. The software giant is urging consumers to set their PCs to receive security patches automatically.

Even if SoBig's next step proves to be relatively benign, experts said they expected future viruses to seize control of PCs for spam — or worse.

"No question that you're going to be getting e-mail that seems to be from your grandmother offering to give you bigger body parts," said Levine, the "Internet for Dummies" author. "It's only a matter of time before someone starts to use hijacked computers to send kiddie porn."

*
(Begin Text of Infobox)

Path of infection

The SoBig virus, which has invaded hundreds of thousands of computers worldwide, works much the same as other e-mail viruses:

•  An e-mail is sent to dozens of personal computers with innocent-sounding subject lines including "Wicked screensaver!" "Thank You!" and "That movie." The text of the message reads something like: "See the attached file for details."

•  The attachment actually is a computer program. When a user tries to open it, the program copies itself into the Windows installation folder and makes other changes so that it runs whenever the machine is restarted.



•  The virus searches for new e-mail addresses in many parts of the infected computer, and uses them in both the "From" and "To" fields in new e-mails that it sends out. Some e-mails will get bounced back, still carrying the virus, to innocent users listed as senders.

•  The virus installs a "back door" on infected computers, allowing easier access by outsiders.

•  The virus program is instructed to contact a specific server computer today and again on Sunday. That server is believed to be controlled by the author of the virus. The program will receive a new Internet address from which to download additional, and possibly destructive, software.

*

Source: Symantec Corp., Times research

Los Angeles Times