One of the fastest-spreading e-mail viruses ever is threatening to
discombobulate computers around the world today, when hundreds of thousands of
infected PCs could be commandeered to send spam, delete data or inflict other
unpleasantness.
The virus, dubbed SoBig.F, has programmed the computers it has infected to
automatically download potentially malicious instructions from a machine
thought to be controlled by the person who wrote the virus, computer security
experts said.
So far, SoBig has done little if any permanent damage. But it has caused
plenty of aggravation by filling e-mail in-boxes and clogging networks, even
at companies whose employees know better than to open e-mail attachments they
didn't request. SoBig spreads through attachments, just as the Melissa and
ILoveYou viruses did in the past. It is the third widespread infection of
computer networks this month.
Unlike earlier e-mail viruses, SoBig has grown more sophisticated with each
version since its discovery in January. It is one of the first to install a
"back door" that lets hackers manipulate the infected machine later.
"Traditionally, viruses only propagated copies of themselves," said
John R. Levine, author of "The Internet for Dummies." "It's a
fairly recent development — over the past few months — that we're seeing
viruses that leave a trap door so bad guys can come in later and install more
hostile software."
Computer security experts scrambled Thursday to analyze SoBig so they could
stop the hacker's designated server computer from giving new instructions to
infected personal computers. The PCs are scheduled to rendezvous with the
server at noon today, Pacific time. Another contact is supposed to take place
Sunday.
By analyzing the virus, the experts know the server's numeric Internet address
but not its physical location or the identity of its owner. As a result, it
was not clear whether law enforcement officials would be able to tap into or
interfere with the communication between infected PCs and the server computer.
A spokesman for the Department of Homeland Security said only that officials
were monitoring the spread of the virus.
SoBig — presumably named for the effect it was designed to have on computer
networks — is triggered when a user tries to open the attachment, allowing
the program to write itself into the start-up sequence of a machine running
one of many editions of Microsoft Corp.'s Windows operating system.
The virus seeks out e-mail addresses stored on the PC and selects some of them
to be its next targets. The virus also picks out addresses to use as fake
return addresses. That way, when messages are undeliverable, they bounce back
to innocent parties and clog up their in-boxes too.
Just one infection at a big company can prompt thousands of outgoing messages,
only one of which must be opened for the infection rate to hold steady. SoBig
ranks among the fastest-spreading viruses to date, though previous viruses
have infected far more computers.
Internet users were flooded this week with infected e-mails generated by SoBig.
EarthLink Inc., one of the biggest providers of residential Internet access,
said Thursday that it was deleting hundreds of infected messages a second.
The attack arrived as companies were struggling to contain the effects of
earlier viruses and worms. CSX Corp., the railroad giant, said the Blaster
worm infected its signaling and dispatching systems early Wednesday morning.
All of CSX's rail service was halted for two hours, and morning commuter
service in Washington was canceled.
Freight customers were still experiencing delays Thursday night, CSX spokesman
Adam Hollingsworth said. "We're having to use manual processes instead of
automated ones," he said.
Yet another virus, Nachi, hit Air Canada this week, forcing ticket-counter
agents to check in clients manually.
In general, security firms said big companies, because they tend to have
firewalls and up-to-date anti-virus software, were better equipped than small
firms and consumers to handle viruses like SoBig.
Computer experts spent Thursday debating what the SoBig author's next
instructions are likely to be. One leading theory is that the update will turn
infected machines into generators of unwanted commercial e-mail, known as
spam.
"It's almost like someone breaking into your home and then using your
phone to do telemarketing," said Ian Hameroff, chief security strategist
for Computer Associates International Inc., one of the world's biggest
software companies.
Other possibilities are that the virus will turn destructive, wiping out data
stored on compromised PCs. It also could launch a so-called denial-of-service
attack on major Web sites, overwhelming them with meaningless requests for
information.
"At any given point, [the author] can update the virus and make it more
destructive," said Joe Hartmann, a research executive at computer
security firm Trend Micro Inc.
Such tactics raise the stakes for computer professionals and ordinary
consumers as they seek to ward off new attacks.
"The threats are continuing to get cleverer and cleverer, and it takes
more steps to stop them," said Brian Foster, director of product
marketing in the security response unit of Symantec Corp., the world's largest
maker of anti-virus software.
There are at least two reasons to believe that SoBig will launch a cascade of
spam. The first is that spammers earn commissions from their flood of e-mails,
and working with spammers is one of the few ways for a virus writer to profit
from his or her activity. The second is that large amounts of spam have been
traced to unwitting PCs that have been infected by early versions of SoBig and
might have had their e-mail programs manipulated in the process.
Aside from its plan to phone home, SoBig includes other modest advancements
over previous e-mail viruses. For instance, it disguises itself with a variety
of subject lines, such as "Thank you!" and "Details,"
rather than using one subject line over and over.
The biggest losers were small businesses and consumers whose e-mail backed up
so much that some incoming messages were lost. A modest-sized L.A. law firm
was effectively shut down after its network was clogged by a SoBig infection
Tuesday, before word of the dangerous messages spread.
"They were an early adopter," Afinety Inc. Vice President Kevin J.
McCarthy said dryly after his company was called in to disinfect the lawyers'
machines. He declined to identify the client.
Late Wednesday, Microsoft warned of three more "critical" security
holes in Windows and its Internet Explorer browser. The software giant is
urging consumers to set their PCs to receive security patches automatically.
Even if SoBig's next step proves to be relatively benign, experts said they
expected future viruses to seize control of PCs for spam — or worse.
"No question that you're going to be getting e-mail that seems to be from
your grandmother offering to give you bigger body parts," said Levine,
the "Internet for Dummies" author. "It's only a matter of time
before someone starts to use hijacked computers to send kiddie porn."
*
Path of infection
The SoBig virus, which has invaded hundreds of thousands of computers
worldwide, works much the same as other e-mail viruses:
• An e-mail is sent to dozens of personal computers with
innocent-sounding subject lines including "Wicked screensaver!"
"Thank You!" and "That movie." The text of the message
reads something like: "See the attached file for details."
• The attachment actually is a computer program. When a user tries to
open it, the program copies itself into the Windows installation folder and
makes other changes so that it runs whenever the machine is restarted.
• The virus searches for new e-mail addresses in many parts of the
infected computer, and uses them in both the "From" and
"To" fields in new e-mails that it sends out. Some e-mails will get
bounced back, still carrying the virus, to innocent users listed as senders.
• The virus installs a "back door" on infected computers,
allowing easier access by outsiders.
• The virus program is instructed to contact a specific server
computer today and again on Sunday. That server is believed to be controlled
by the author of the virus. The program will receive a new Internet address
from which to download additional, and possibly destructive, software.
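The path described above, as a mail-gateway check written for this page as an added example (it is not code from the Times, from Symantec or from any analysis of the virus): it parses constructed sample messages and flags those that carry a program attachment together with one of the quoted subject lines or the quoted body text, and separately flags bounce notices that still carry the program, which is the traffic that lands on the innocent users listed in the spoofed "From" field. The list of runnable attachment extensions, the bounce-subject prefixes and the sample messages are assumptions for illustration; the article says only that the attachment "actually is a computer program" and gives no file name.

```python
"""Flag e-mail that matches the infection path the infobox describes.

Added example, not code from the article.  The subject lines and body
text are the ones the article quotes; the extension list, the bounce
prefixes and the sample messages are constructed assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines and body text quoted in the article.
LURE_SUBJECTS = {"wicked screensaver!", "thank you!", "that movie", "details"}
LURE_BODY = "see the attached file for details"
# Assumption: attachment extensions Windows treats as runnable programs.
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat")
# Assumption: subject prefixes mail servers put on non-delivery reports.
BOUNCE_PREFIXES = ("undeliverable", "returned mail", "delivery failure")


def executable_attachments(msg):
    """Return the file names of attachments that would run as a program."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            names.append(name)
    return names


def classify(raw_bytes):
    """Classify one raw RFC 822 message.

    'lure'        - the infection e-mail itself: program attached plus a
                    quoted subject line or the quoted body text
    'backscatter' - a bounce notice that still carries the program, on its
                    way back to whoever was forged into the From field
    'executable'  - a program attached that matches neither pattern
    'clean'       - no program attached, so nothing can run
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if not executable_attachments(msg):
        return "clean"
    subject = (msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if subject in LURE_SUBJECTS or LURE_BODY in body:
        return "lure"
    if subject.startswith(BOUNCE_PREFIXES):
        return "backscatter"
    return "executable"


def build_sample(subject, body, attach_name=None, sender="alice@example.com"):
    """Construct a sample message (fabricated data, attachment is not a real program)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        msg.add_attachment(b"MZ\x90\x00 placeholder bytes, not a real program",
                           maintype="application", subtype="octet-stream",
                           filename=attach_name)
    return msg.as_bytes()


# Constructed samples covering each branch of classify().
SAMPLES = {
    "lure": build_sample("Thank You!", "See the attached file for details.",
                         "details.pif"),
    "bounce": build_sample("Undeliverable: Thank You!",
                           "Your message could not be delivered.",
                           "details.pif", sender="mailer-daemon@example.net"),
    "installer": build_sample("Install this", "Run the setup.", "setup.exe"),
    "report": build_sample("Q3 figures", "Numbers attached.", "q3.xls"),
    # Same subject as a lure but no program attached: not flagged.
    "newsletter": build_sample("Details", "Agenda for Friday."),
}


def summarize(samples):
    """Map each sample name to its classification."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in summarize(SAMPLES).items():
        print(f"{name:<11} {verdict}")
```

The check deliberately requires a program attachment before it looks at subject or body: the quoted subject lines are ordinary English, and "Details" with no attachment is legitimate mail. The backscatter branch matters because a bounce carries the attachment into the mailbox of someone who never sent it, and the spoofed address is the only "sender" the receiving server ever saw.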
*
Source: Symantec Corp., Times research
Los Angeles Times