Tag Archives: Sobig

Do Anti-Virus Companies Love Viruses?

Are anti-virus companies behind the viruses?

Avecho, Britain’s ‘complete worry-free mail service’, reckons “the world needs to wake up to the fact that the anti-virus industry is not an anti-virus industry, it is a definition-selling industry and they just love these viruses. The more afraid you are, the more money you spend with them.”

This problem is solvable, quickly, according to avecho. It points to avecho’s own ThreatCENSOR, which “applies a wonderful, simple piece of logic which has stopped MiMail, SoBig, MyDoom and all variations of Bagel and NetSky. It is not rocket science, it is simple and fool-proof. It is based upon the reality of how we work.” ThreatCENSOR works on the simple premise that:

  • viruses are executable code — in other words, globs of computer programs that attach themselves to emails and try to get you, the recipient, to open them.
  • 99% or more of all normal communications do not contain any executable code. “These are documents, graphics, sounds or text. If you want a piece of executable code, you invariably know that you want it, and from whom.”
  • by applying a simple rule ‘I will only accept executable code from people I know – and that I am expecting’, ThreatCENSOR stops over 98% of all viruses, with no traditional anti-virus at all.

It’s not a bad idea, a bit like one mentioned in this blog a week or so back. Of course, avecho have an axe to grind, and they’ve been doing it entertainingly for months, if their press releases are anything to go by (all links are to PDF files):

  • industry passes the blame for infection and propagation of email viruses onto the users;
  • Are viruses here to stay? Only 18 months left for the £2bn traditional anti-virus industry;
  • avecho.com stopped sobig A technology has existed for over a year which could have completely stopped Sobig. Why are the AV vendors still beating the same old drum?
  • On Wednesday 6th August 03 avecho GlassWall stopped a variation of the MiMail virus that had already successfully passed through a leading industry virus scanner, with up to date virus definitions.

But they do have a point. Somehow we’ve got to find a better way to stop viruses than using updating libraries. What I want to know is: Is there something like this that can work on end-users’ machines, or does everything have to be server based?

The Bagle Worm

I’m getting quite a few warnings about a new worm called Bagle, so I thought I’d pass them along. MessageLabs, an email security company, says it’s currently spreading at an alarming rate. The first copy of the worm was intercepted from Germany, and at the moment the majority of copies are being captured as they are sent from Australia. It seems to have several bits to it:

The worm arrives as an attachment to an email with the subject line ‘Hi’ and has a random filename, with a .exe extension. W32/Bagle-mm searches the infected machine for email addresses and then uses its own SMTP engine to send itself to the addresses found. The worm makes a poor attempt to lure users into double-clicking on the attachment by using social engineering techniques.

Further analysis suggests that the worm includes a backdoor component that listens for connections from a malicious user and can send notification of an infected system.

It also appears that the worm may attempt to download a Trojan proxy component, known as Backdoor-CBJ. This Trojan is able to act as a proxy server and can download other code which could be used for key-logging and password stealing.
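As an added example (not code from avecho, ThreatCENSOR or MessageLabs), the script below applies the rule quoted in the first post on this page, accept executable code only from people you know and are expecting it from, to a few constructed sample messages, one of them shaped like the Bagle description above (subject "Hi", random .exe filename). The extension list, the sender allowlist, the addresses and the attachment payloads are all assumptions made for the illustration. It also carries the caveat raised in the Sobig posts further down: the From: address of a worm is forged, so an allowlist keyed on that header is only as good as whatever actually verifies the sender.

```python
"""Attachment policy: executable content only from expected senders.

Added example; not ThreatCENSOR's or MessageLabs' code. All addresses,
filenames and payloads are constructed samples.
"""
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

# Illustrative set of extensions treated as executable code (assumption).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Windows PE files start with "MZ"; checking bytes catches renamed executables.
PE_MAGIC = b"MZ"
# Hypothetical allowlist: senders from whom executable code is expected.
EXPECTED_EXECUTABLE_SENDERS = {"build@example.com"}


def is_executable(part) -> bool:
    """True if an attachment looks like executable code by name or content."""
    name = (part.get_filename() or "").lower()
    if os.path.splitext(name)[1] in EXECUTABLE_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(PE_MAGIC)


def evaluate(raw: bytes) -> dict:
    """Apply the rule: executable attachments only from expected senders."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    executables = [p.get_filename() or "(unnamed)"
                   for p in msg.iter_attachments() if is_executable(p)]
    result = {"sender": sender, "executables": executables, "reasons": []}
    if not executables:
        # The 99% case described on the page: documents, graphics, text.
        result.update(verdict="accept", reasons=["no executable content"])
        return result
    # Caveat: From: is trivially forged (Sobig did exactly that), so in a real
    # deployment the allowlist must be backed by sender authentication or an
    # out-of-band "I am expecting this file" confirmation, not the header alone.
    if sender in EXPECTED_EXECUTABLE_SENDERS:
        result.update(verdict="accept", reasons=["executable from expected sender"])
        return result
    result["reasons"].append("executable attachment from unexpected sender")
    # Bagle-style indicator from the MessageLabs description: subject "Hi" + .exe.
    if str(msg.get("Subject", "")).strip().lower() == "hi":
        result["reasons"].append("subject 'Hi' with executable attachment (Bagle-like)")
    result["verdict"] = "reject"
    return result


def build_sample(sender: str, subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message (not a captured worm sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples covering the cases the policy has to distinguish.
SAMPLES = {
    "bagle_like": build_sample("someone@example.org", "Hi", "xkqwp.exe",
                               b"MZ\x90\x00" + b"\x00" * 16),
    "document": build_sample("someone@example.org", "Q3 report", "report.pdf",
                             b"%PDF-1.4\n%constructed sample\n"),
    "expected_exe": build_sample("build@example.com", "nightly build", "setup.exe",
                                 b"MZ\x90\x00"),
    "renamed_exe": build_sample("someone@example.org", "notes", "notes.txt",
                                b"MZ\x90\x00"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} {evaluate(raw)}")
```

Running the script prints the verdict and reasons for each sample: the Bagle-like message and the renamed executable are rejected, the document and the build from the allowlisted sender are accepted. The content check matters as much as the extension check, since the worm descriptions on this page note random filenames; the magic-byte test is what stops a .exe relabelled as a .txt from slipping through.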

Here’s more on it from CNet.

Happy Birthday, SoBig

A press release from email security folks MessageLabs points out that tomorrow is the first anniversary of the SoBig.A worm’s debut. SoBig.A (the A bit means it was the first of a stream of worms that were somehow based on the SoBig worm) wasn’t just any kind of worm, MessageLabs point out. SoBig.A was unique in being the first virus to use convergence techniques to create maximum havoc.

Basically this means SoBig.A didn’t just do one thing. It incorporated both spamming and virus writing techniques — infecting hundreds of thousands of computers worldwide, installing open proxies on compromised machines, which were then used to disseminate spam — unknown to the users. To date, MessageLabs has intercepted 727,102 copies of the worm in 183 countries, and it continues to spread.

SoBig was so successful it’s now into version F, the most prolific virus to date. The SoBig family, MessageLabs say, has also served as the model for other viruses using convergence techniques, such as the Fizzer worm. MessageLabs predicts that this style of virus writing will be extensive during 2004.

Needless to say, this all helps blur the boundary between spammers, scammers, virus writers (and, probably, the Mob). Says David Banes, MessageLabs’ Technical Director Asia Pacific: “The success of SoBig has served as an inspiration to cyber criminals, and demonstrates what can be achieved when they work together.”

The Year Of The Worm

Nothing new in this, but a fascinating summary of this year’s viruses, and a sober reminder of how tricky it’s all getting: F-Secure’s review of 2003 makes for interesting reading. This for example, on how the Slammer worm caused so much network traffic:

In theory, there are some 4 billion public IP addresses on the Internet. The Slammer worm was released on January 25, 2003 around 04:31 UTC. By 04:45 it had scanned through all Internet addresses – in less than 15 minutes! This operation can be compared to an automatic system dialing all available phone numbers in the world in 15 minutes. As on the net, only a small number of phones would answer the call but the lines would certainly be congested.

Or the Bugbear.B worm, which tried to steal information from banks and other financial institutions:

To this end, the worm carried a list of network addresses of more than 1300 banks. Among them were network addresses of American, African, Australian, Asian and European banks. As soon as this functionality was discovered, F-Secure warned the listed financial institutions about the potential threat. The response time of the F-Secure Anti-Virus Research Unit was 3 hours 59 minutes from the detection of the worm to the release of an anti-virus update. F-Secure also published a free tool to clean systems affected by Bugbear.B.

Or Sobig.F, which waited for a couple of days after infecting a machine and then turned affected machines into e-mail proxy servers:

The reason soon became apparent: spammers, or organizations sending bulk e-mail ads, used these proxies, which Sobig had created, to redistribute spam on a massive scale. Computers of innocent home users were taken over with the help of the worm and soon they were used to send hundreds of thousands of questionable advertisements without the owner being aware of this.

It is likely that there’s a virus writer group behind Sobig. They planned the operation, then used the worm to infect a huge number of computers and then sold various spammer groups lists of proxy servers which would be open for spreading spam. It was clearly a business operation.

A great read, and fodder for a novel were it not just the start of a difficult time for the Internet.

News: Wanted, Dead Or Alive: Virus Writers

Microsoft is a mite upset, and is offering a $500,000 reward for information on the virus writers responsible for the Blaster and Sobig worms. (In August, if you recall, the Blaster-A worm infected many unprotected home and business computers, attempted to launch a denial of service attack against a critical Microsoft security update website, and, most importantly, mocked Microsoft chairman Bill Gates. The worm exploited a critical security hole in versions of Microsoft Windows. Just days later the Sobig-F worm, which spread on the Windows platform, bombarded email users around the world, clogging up email servers.)

Sophos, the anti-virus people, had this to say: “It’s no surprise to hear that they are fed up with this situation and prepared to offer a reward for the capture of these virus writers,” said Graham Cluley, senior technology consultant for Sophos. “There must be people out there in the computer underground who know who is responsible for the creation of these malicious worms. Offering a total of $500,000 will be a great temptation for someone to break their silence – and do all legitimate users of the Internet a favour.”

Update: More On The Spiral of Evil

Spammers may be using viruses to attack their enemies. Further to my column on how virus writers and spammers may be in cahoots to deliver spam, The Register reports that anti-spam activists have produced fresh evidence that recent assaults — called Distributed Denial of Service attacks, or DDoS — on their websites have been enabled by the infamous Sobig worm.

Two anti-spam services, Monkeys.com and the Compu.Net “block list”, have already closed in the past week.
Spamhaus has been under constant “extremely heavy” DDoS attack since early July, and they believe the attack against his site and others originates from Windows machines infected with the Sobig worm, controlled by spammers over IRC networks.
 
What’s interesting is that, if properly investigated, this may help prove the link between (some) spammers and (some) virus writers. And, of course, get them off the streets and in jail.

Update: It Isn’t Over Until The Fat Lady Starts Writing Viruses

Fridrik Skulason’s open letter draws attention to another point: that while Sobig.F was scheduled to die out on Sept. 10, we might just have been lucky this time. He compares the two recent attacks — Sobig and Blaster — and concludes that if the guy or guys who write the next version of Sobig look closely, they may combine the two and create a real monster:

“With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while – until the next similar worm appears. And this is the scary part. Sobig.F didn’t really infect that many machines world-wide, maybe only 200.000 or so. This is only a fraction of the number of machines infected by Msblaster (Lovsan). Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.
 
“Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen.”

I’m Not Saying Worms Are A Good Idea But…

One small consolation of worms like Sobig is that you end up having a large number of inadvertent penpals. It’s like a huge chainletter. Sobig ransacks address books and fires off emails to all and sundry, along with the worm (which then does lots of damage, I’m not contesting).

While I don’t condone the activities of silly anti-virus vendors who haven’t figured out that worms like Sobig fake the sender of emails (see my earlier posting on this) — making the sending of automated emails to the apparent senders of worms an absurd and self-defeating endeavour — it’s kinda interesting to get emails from servers around the globe in places that you couldn’t possibly know anyone. I just got one from Romania complaining I sent someone called Deico an infected email. I have never been to Romania, and as far as I know I have never corresponded with someone from Romania. But someone I know must, or someone they know. Or someone they know. Or someone they know….

Update: The Sleazy Side Of Virus-Stopping

Further evidence of viruses being turned into advertising spam: MailWatch kindly informed me that a message sent in my name had SoBig F aboard: “MailWatch has scanned your e-mail message and determined it can not be delivered as originally sent,” the message says. As I’ve pointed out earlier, just because a virus appears to be from the sender, doesn’t mean it is. You’d think MailWatch, being in the business, would know this.

The email then goes on to say that “MailWatch can help you avoid these problems in the future by scanning your e-mail for viruses, Spam and objectionable content. Visit http://www.MailWatch.com to read about the benefits of MailWatch.” While I guess it’s ok to send notification emails that a virus has been found, I think it’s something else to turn it into a piece of gratuitous advertising. Especially one that misleads the average Joe into thinking they may be the source of viruses. Shape up, MailWatch. Don’t add to the problem.