Friday, August 22, 2003

Front Page
Los Angeles Times

THE NATION
Infected PCs Await Orders From Hacker

By Joseph Menn and David Streitfeld, Times Staff Writers


One of the fastest-spreading e-mail viruses ever is threatening to discombobulate computers around the world today, when hundreds of thousands of infected PCs could be commandeered to send spam, delete data or inflict other unpleasantness.

The virus, dubbed SoBig.F, has programmed the computers it has infected to automatically download potentially malicious instructions from a machine thought to be controlled by the person who wrote the virus, computer security experts said.

So far, SoBig has done little if any permanent damage. But it has caused plenty of aggravation by filling e-mail in-boxes and clogging networks, even at companies whose employees know better than to open e-mail attachments they didn't request. SoBig spreads through attachments, just as the Melissa and ILoveYou viruses did in the past. It is the third widespread infection of computer networks this month.

Unlike its predecessors, SoBig has become more sophisticated in successive versions since its discovery in January. It is one of the first to install a "back door" to allow additional manipulation by hackers.

"Traditionally, viruses only propagated copies of themselves," said John R. Levine, author of "The Internet for Dummies." "It's a fairly recent development — over the past few months — that we're seeing viruses that leave a trap door so bad guys can come in later and install more hostile software."

Computer security experts scrambled Thursday to analyze SoBig so they could stop the hacker's designated server computer from giving new instructions to infected personal computers. The PCs are scheduled to rendezvous with the server at noon today, Pacific time. Another contact is supposed to take place Sunday.

By analyzing the virus, the experts know the server's numeric Internet address but not its physical location or the identity of its owner. As a result, it was not clear whether law enforcement officials would be able to tap into or interfere with the communication between infected PCs and the server computer. A spokesman for the Department of Homeland Security said only that officials were monitoring the spread of the virus.

SoBig — presumably named for the effect it was designed to have on computer networks — is triggered when a user tries to open the attachment, allowing the program to write itself into the start-up sequence of a machine running one of many editions of Microsoft Corp.'s Windows operating system.

The virus seeks out e-mail addresses stored on the PC and selects some of them to be its next targets. The virus also picks out addresses to use as fake return addresses. That way, when messages are undeliverable, they bounce back to innocent parties and clog up their in-boxes too.

Just one infection at a big company can prompt thousands of outgoing messages, only one of which must be opened for the infection rate to hold steady. SoBig ranks among the fastest-spreading viruses to date, though previous viruses have infected far more computers.

Internet users were flooded this week with infected e-mails generated by SoBig. EarthLink Inc., one of the biggest providers of residential Internet access, said Thursday that it was deleting hundreds of infected messages a second.

The attack arrived as companies were struggling to contain the effects of earlier viruses and worms. CSX Corp., the railroad giant, said the Blaster worm infected its signaling and dispatching systems early Wednesday morning. All of CSX's rail service was halted for two hours, and morning commuter service in Washington was canceled.

Freight customers were still experiencing delays Thursday night, CSX spokesman Adam Hollingsworth said. "We're having to use manual processes instead of automated ones," he said.

Yet another virus, Nachi, hit Air Canada this week, forcing ticket-counter agents to check in clients manually.

In general, security firms said big companies, because they tend to have firewalls and up-to-date anti-virus software, were better equipped than small firms and consumers to handle viruses like SoBig.

Computer experts spent Thursday debating what the SoBig author's next instructions are likely to be. One leading theory is that the update will turn infected machines into generators of unwanted commercial e-mail, known as spam.

"It's almost like someone breaking into your home and then using your phone to do telemarketing," said Ian Hameroff, chief security strategist for Computer Associates International Inc., one of the world's biggest software companies.

Other possibilities are that the virus will turn destructive, wiping out data stored on compromised PCs. It also could launch a so-called denial-of-service attack on major Web sites, overwhelming them with meaningless requests for information.

"At any given point, [the author] can update the virus and make it more destructive," said Joe Hartmann, a research executive at computer security firm Trend Micro Inc.

Such tactics raise the stakes for computer professionals and ordinary consumers as they seek to ward off new attacks.

"The threats are continuing to get cleverer and cleverer, and it takes more steps to stop them," said Brian Foster, director of product marketing in the security response unit of Symantec Corp., the world's largest maker of anti-virus software.

There are at least two reasons to believe that SoBig will launch a cascade of spam. The first is that spammers earn commissions from their flood of e-mails, and working with spammers is one of the few ways for a virus writer to profit from his or her activity. The second is that large amounts of spam have been traced to unwitting PCs that have been infected by early versions of SoBig and might have had their e-mail programs manipulated in the process.

Aside from its plan to phone home, SoBig includes other modest advancements over previous e-mail viruses. For instance, it disguises itself with a variety of subject lines, such as "Thank you!" and "Details," rather than using one subject line over and over.

The biggest losers were small businesses and consumers whose e-mail backed up so much that some incoming messages were lost. A modest-sized L.A. law firm was effectively shut down after its network was clogged by a SoBig infection Tuesday, before word of the dangerous messages spread.

"They were an early adopter," Afinety Inc. Vice President Kevin J. McCarthy said dryly after his company was called in to disinfect the lawyers' machines. He declined to identify the client.

Late Wednesday, Microsoft warned of three more "critical" security holes in Windows and its Internet Explorer browser. The software giant is urging consumers to set their PCs to receive security patches automatically.

Even if SoBig's next step proves to be relatively benign, experts said they expected future viruses to seize control of PCs for spam — or worse.

"No question that you're going to be getting e-mail that seems to be from your grandmother offering to give you bigger body parts," said Levine, the "Internet for Dummies" author. "It's only a matter of time before someone starts to use hijacked computers to send kiddie porn."


(Infobox Text)

Path of infection

The SoBig virus, which has invaded hundreds of thousands of computers worldwide, works much the same as other e-mail viruses:

An e-mail is sent to dozens of personal computers with innocent-sounding subject lines including "Wicked screensaver!" "Thank You!" and "That movie." The text of the message reads something like: "See the attached file for details."

The attachment actually is a computer program. When a user tries to open it, the program copies itself into the Windows installation folder and makes other changes so that it runs whenever the machine is restarted.

The virus searches for new e-mail addresses in many parts of the infected computer, and uses them in both the "From" and "To" fields in new e-mails that it sends out. Some e-mails will get bounced back, still carrying the virus, to innocent users listed as senders.

The virus installs a "back door" on infected computers, allowing easier access by outsiders.

The virus program is instructed to contact a specific server computer today and again on Sunday. That server is believed to be controlled by the author of the virus. The program will receive a new Internet address from which to download additional, and possibly destructive, software.


Source: Symantec Corp., Times research
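The infection path above describes a lure that a mail gateway can match on: one of a handful of subject lines, a one-line body, a program as the attachment, and the same program coming back inside bounces addressed to the forged senders. The Python below is an added example, not code from the article, from Symantec or from any vendor product, that classifies messages on those traits. The list of executable extensions, the bounce-header markers, and the sample messages are this example's own assumptions, constructed here so that it runs offline.

```python
"""Flag Sobig.F-style lures, and the bounces they generate, in a batch of e-mails."""
import email
from email import policy
from email.message import EmailMessage

# Lures quoted in the articles: the subject lines and the one-line body text.
SOBIG_SUBJECTS = {"thank you!", "details", "wicked screensaver!", "that movie"}
SOBIG_BODY = "see the attached file for details"
# The page says only that the attachment "actually is a computer program"; treating
# these Windows-executable extensions as "a program" is this example's assumption.
EXEC_EXTS = (".pif", ".scr", ".exe", ".com", ".bat")
# Markers of a delivery-status notification (bounce). Assumed, not from the page.
BOUNCE_SENDERS = ("mailer-daemon", "postmaster")
BOUNCE_SUBJECTS = ("undeliverable", "returned mail", "delivery status notification")


def executable_attachments(msg: EmailMessage) -> list[str]:
    """File names of parts that look like Windows executables, nested parts included."""
    names = []
    for part in msg.walk():  # walk() descends into message/rfc822 parts inside bounces
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXTS):
            names.append(name)
    return names


def classify(raw: str) -> str:
    """Classify one message as 'sobig', 'backscatter', 'executable' or 'clean'."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    sender = str(msg.get("From", "")).lower()
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().strip().lower() if text_part else ""
    if not executable_attachments(msg):
        return "clean"
    if subject in SOBIG_SUBJECTS and body.startswith(SOBIG_BODY):
        return "sobig"
    # A bounce still carrying the program: the virus forged one of our addresses as
    # the sender, so a remote server is returning someone else's infection to us.
    if any(s in sender for s in BOUNCE_SENDERS) or subject.startswith(BOUNCE_SUBJECTS):
        return "backscatter"
    # Unknown lure text, but an unsolicited program is exactly what the articles warn about.
    return "executable"


def build_message(subject, sender, to, body, attachment=None) -> str:
    """Build a sample message (constructed for this example) and return it as text."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, to
    m.set_content(body)
    if attachment:
        # Four bytes of a DOS/Windows executable header stand in for the program.
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


SAMPLES = {  # constructed messages, not captured traffic
    "lure": build_message("Thank you!", "bob@example.org", "alice@example.com",
                          "See the attached file for details.", "your_details.pif"),
    "bounce": build_message("Undeliverable: That movie", "MAILER-DAEMON@mail.example.net",
                            "alice@example.com", "Your message could not be delivered.",
                            "movie0045.pif"),
    "unknown": build_message("Re: Q3 report", "carol@example.org", "alice@example.com",
                             "Here you go.", "report.scr"),
    "clean": build_message("Re: Q3 report", "carol@example.org", "alice@example.com",
                           "Here you go.", "report.pdf"),
    "text": build_message("Details", "dave@example.org", "alice@example.com",
                          "See the attached file for details."),  # lure text, no program
}


def triage(samples: dict[str, str]) -> dict[str, str]:
    """Classify every sample; anything but 'clean' belongs in quarantine."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:8s} -> {verdict}")
```

Quarantining on "executable" as well as "sobig" is the practical policy: the lure text changes between variants (the articles themselves list four subject lines), while the part that does not change is an unsolicited Windows program arriving by mail. The forged From address cannot be detected from the message alone; that needs a sender-authorization check such as SPF at the receiving server.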




Saturday, August 23, 2003
Front Page: Business Section 
Los Angeles Times

Computers Bearing Virus Orders Isolated
FBI, security experts zero in on the source of the malicious program that has triggered widespread problems.

By Joseph Menn, Times Staff Writer

The FBI and private computer security experts shut down most of the computers that were supposed to give new instructions to a quick-spreading e-mail virus Friday as authorities homed in on its creator.

As many as 19 of the 20 computers had been knocked offline by noon PDT, when hundreds of thousands of personal computers infected by the SoBig.F virus tried to contact them, according to anti-virus firm Symantec Corp., one of several companies that has been assisting the FBI, the Department of Homeland Security and other authorities. The infected PCs were seeking directions to other computers, where they could have downloaded new and potentially malicious software.

One of the 20 computers that was still online gave the inquiring PCs the Web address for a pornography site, which was not believed capable of delivering any malicious code, said Steve Trilling, senior director of Symantec Research.

Experts said the virus writer probably was using the address http://www.sex.com as a placeholder and planned to post a more dangerous Internet address Sunday or later. The virus has programmed the infected PCs to check in for additional information every Friday and Sunday through Sept. 7.

The experts analyzing the virus were able to decode the numeric Internet addresses for all 20 of the computers, known as servers, as well as the networks they were operating on. They could not glean the physical location or the identity of their owners, however.
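The check-in schedule above is the one piece of Sobig.F behaviour a network team could watch for directly: a fixed set of destination addresses, a fixed channel and a fixed time window. Noon Pacific is 19:00 UTC; the public analyses of the virus gave the window as 19:00 to 22:00 UTC and the channel as UDP port 8998, and the page gives the trigger days as Fridays and Sundays with the virus expiring Sept. 10. The Python below is an added example, not the analysts' or any vendor's code, that flags hosts whose outbound flows match that rendezvous. The master addresses are placeholders from the RFC 5737 documentation ranges (the real 20 are not on this page), and the flow log lines are constructed.

```python
"""Flag Sobig.F rendezvous traffic in outbound flow records."""
from datetime import date, datetime, timezone

# Schedule given in the articles: Fridays and Sundays from Aug. 22, expiring Sept. 10.
FIRST_TRIGGER = date(2003, 8, 22)
EXPIRY = date(2003, 9, 10)
TRIGGER_WEEKDAYS = {4, 6}        # datetime.weekday(): Friday = 4, Sunday = 6
WINDOW_HOURS = range(19, 22)     # 19:00 <= t < 22:00 UTC (noon Pacific is 19:00 UTC)
MASTER_PROTO, MASTER_PORT = "udp", 8998   # channel reported in the public analyses

# Placeholder master addresses from the RFC 5737 documentation ranges; the real
# 20 addresses were recovered by the analysts and do not appear on this page.
MASTERS = {"203.0.113.10", "203.0.113.11", "198.51.100.20"}


def parse_ts(iso: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2003-08-22T19:03:41Z."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_trigger_window(when: datetime) -> bool:
    """True when an aware datetime falls inside a Sobig.F check-in window."""
    utc = when.astimezone(timezone.utc)
    return (FIRST_TRIGGER <= utc.date() <= EXPIRY
            and utc.weekday() in TRIGGER_WEEKDAYS
            and utc.hour in WINDOW_HOURS)


def is_trigger_time(iso: str) -> bool:
    """Same check on a timestamp string, for log lines and quick queries."""
    return in_trigger_window(parse_ts(iso))


def parse_flow(line: str):
    """Flow line format (constructed for this example):
    '<ISO-8601 UTC> <src ip> <dst ip> <proto> <dst port>'."""
    ts, src, dst, proto, dport = line.split()
    return parse_ts(ts), src, dst, proto.lower(), int(dport)


def analyze(lines):
    """Map each internal host that touched a master server to its findings.

    'beacon'         : the scheduled check-in (right server, channel and window)
    'master-contact' : any other traffic to a master server; still worth a look
    """
    findings = {}
    for line in lines:
        when, src, dst, proto, dport = parse_flow(line)
        if dst not in MASTERS:
            continue
        on_channel = proto == MASTER_PROTO and dport == MASTER_PORT
        tag = "beacon" if on_channel and in_trigger_window(when) else "master-contact"
        findings.setdefault(src, []).append((when.isoformat(), dst, tag))
    return findings


def infected_hosts(lines):
    """Every host that contacted a master server at all."""
    return sorted(analyze(lines))


def beaconing_hosts(lines):
    """Hosts that performed the scheduled check-in."""
    return sorted(host for host, hits in analyze(lines).items()
                  if any(tag == "beacon" for _, _, tag in hits))


SAMPLE_LOG = [  # constructed flow records; internal hosts are in 10.1.2.0/24
    "2003-08-22T19:03:41Z 10.1.2.3 203.0.113.10 udp 8998",   # Friday in window: beacon
    "2003-08-22T19:04:02Z 10.1.2.3 203.0.113.11 udp 8998",   # same host, next master
    "2003-08-22T12:00:05Z 10.1.2.9 203.0.113.10 udp 8998",   # Friday, seven hours early
    "2003-08-23T19:10:00Z 10.1.2.5 198.51.100.20 udp 8998",  # Saturday: not a trigger day
    "2003-08-22T19:10:00Z 10.1.2.4 198.51.100.5 tcp 80",     # ordinary web traffic
    "2003-08-24T20:30:00Z 10.1.2.7 198.51.100.20 udp 8998",  # Sunday in window: beacon
]

if __name__ == "__main__":
    for host, hits in sorted(analyze(SAMPLE_LOG).items()):
        for when, master, tag in hits:
            print(f"{host:10s} {when} -> {master:15s} {tag}")
```

The "master-contact" tag is deliberately broader than "beacon": a host that talks to a master server at the wrong hour or over the wrong port is still either infected or badly clocked, and the matching perimeter rule is a block on outbound UDP 8998 to those addresses with every hit logged, so the infected machines identify themselves at the next trigger time.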

On another front, the FBI made significant progress in its hunt for the author of the SoBig virus, zeroing in on an Internet service provider in Phoenix.

"It looks like the original variant was posted through us" Monday afternoon, said Michael Minor, chief technology officer of Easynews Inc.

FBI spokesman Paul Bresson said the agency was "aggressively investigating."

Two versions of the virus were initially disguised as porn images that were posted to several Internet communities known as newsgroups, Minor said. Whoever downloaded those pictures was probably among the first to have their computers infected.

In complying with a subpoena from the FBI's Los Angeles field office, Minor said, Easynews turned over the Internet location of the person who posted the program, along with the credit card the person used to open an account minutes before posting the virus.

But Minor said he believed the odds of the FBI getting its man were slim, given that the credit card probably was stolen and the computer the person used was unlikely to be his own. "We haven't seen any mistakes so far from this guy," Minor said.

Meanwhile, SoBig continued to spread around the world Friday, scouring infected machines for e-mail addresses and sending itself to others. Recipients infect their computers when they try to open innocuous-looking attachments. Even those who delete the attachments have been inundated with as many as a thousand e-mails a day as the messages generated by the virus bounce around the Net.

SoBig prompted the shutdown of the U.S. passport agency's computers Thursday and Friday, employees said. Other federal offices had "sporadic problems," said Department of Homeland Security spokeswoman Rachel Sunbarger.

Some companies had to disable their e-mail for hours. Among the firms hurt by SoBig's spread were Starbucks Corp., FedEx Corp. and New York Times Co.

The damage could have been far worse. Security experts feared SoBig would update itself — with aid from the 20 master computers — and turn into a generator of junk e-mail, a platform for attacking major Web sites or a program for stealing confidential information.

But since security companies were able to decode the identities of the master computers, "we haven't seen anything crazy," Symantec's Trilling said. Some of the 20 computers were disabled just hours before the trigger time at noon Friday.

The 20th server controlled by the hacker is connected by a cable modem provided by one of the major U.S. Internet services and is probably in a private home, said Bo Sorensen, a vice president at F-Secure Corp., which helped analyze the virus.

Once contacted by the FBI, the networks shut down 19 of the servers. In the case of the 20th, the cable provider might not have been able to pinpoint the right computer, Sorensen said.

It also is possible that federal agents left the last computer alone in case the hacker tries to return to it. "It would seem like a decent way of catching the guy," Sorensen said.

Although SoBig appears to be fizzling, the outlook for the future is not good. The virus is set to expire on Sept. 10, but a new, more powerful version could be released Sept. 11.

Even if that doesn't occur, some experts said they expected a new virus combining the quickness of SoBig with the destructive power of the recent Blaster worm to surface eventually.

"If you take both of those viruses and combine them, then you have something above and beyond a nuisance," Ernst & Young security expert Jose Granado said. "The more people do it, the better they get."



Saturday, August 23, 2003
Los Angeles Times

Worm strikes city, corporate computers
Some systems have been able to keep the virus out of their networks, while others have not

By Darleene Barrientos, News-Press

GLENDALE — Battling spam e-mail has reached a new level for city and corporate computer networks in Glendale as technicians worked feverishly to fend off a new virus, the Sobig.f worm.

The worm, reportedly the fastest and most widely distributed computer virus to date, is written to infect computers running Microsoft Windows, including Windows 2000 and XP, and spreads through e-mail. Out of billions of e-mails sent every day across the globe, one out of every 17 e-mails sent this week was reportedly infected with Sobig.f.

The worm apparently does not destroy or steal data on the computers it infects, but the sheer volume of e-mail it pumps onto the Internet can still overwhelm mail servers and networks, administrators say.

"I wonder how bad it's going to get here," said Scott Harmon, Glendale's assistant director of information services. "Are [virus writers] just going to flood the world? If it takes over mail, then that's just as good as shutting [the Internet] down."

The city has managed to keep damages from Sobig.f down to a minimum, with about 15 machines affected, Harmon said. About 110 machines out of the city's network of 1,600 computers needed the update that removes the virus and guards against reinfection. Sobig.f exploits no flaw in the software; it runs only when a user opens the attachment, so the fix is an anti-virus update rather than an operating-system patch.

"In looking at all the other companies, we've been doing pretty good," Harmon said. "Some companies have been laid flat."

DreamWorks SKG computers were hit a little harder by the worm, bringing down their network for a short time, company spokeswoman Susan Bennett said.

"We were crippled a short time," she said Friday. "Thank God, we have outstanding [information technology] people who were off and running today."

Of about 1,000 computers at Glendale Adventist Medical Center, 400 machines needed a patch to clear out the worm and protect them against further attack, said Sharon Correa, Glendale Adventist's director of information technology.

Her staff began to see a surge of e-mails infected with Sobig.f on Tuesday night and have worked around the clock since then to attend to each computer, Correa said. Despite some Internet service disruptions, she said her staff had the problem under control.

"We have never been in a position where patient care was compromised because of the virus, though, thank God," Correa said.

Home users, who do not have a staff of IT administrators to watch over their computers, are most susceptible to Sobig.f. Home users should keep their anti-virus software and operating systems updated as frequently as possible, experts said.

 

Brunardot.com website

Dedicated to Giordano Bruno, Leonardo da Vinci, Leonardo da Pisa, Arturo Meniot, & Denis Diderot

Terms of:  © Copyright 1999-2017 by Brunardot



030822 7:07 pm