Sobig Slows, But Experts Warn Of Next Attack

The mass-mailing virus, which struck Tuesday, spread at a rate unseen before on the Internet. As of Thursday, MessageLabs, which filters viruses from corporate E-mails, had intercepted more than 3 million messages carrying the malevolent payload.

"This is the fastest email outbreak ever, both in sheer numbers and rate of infection," said Brian Czarny, director of marketing at MessageLabs. "At its peak, 1 in every 17 E-mails (intercepted by MessageLabs) contained the virus."

However, anti-virus experts said Sobig.F, the fifth variant of the original virus sent in January, was losing steam. Symantec, which measures how fast a virus is spreading based on customer submissions of infected E-mails, projected that it would receive 1,600 messages by the end of the day Thursday. The anti-virus software maker received 1,800 submissions on Wednesday, when the virus reached its peak.

As the rate of infection slowed, experts warned that the next variant of Sobig could arrive shortly after the current version expires Sept. 10.

"At least we know there's this line in the sand that this particular variant will no longer be sending any more E-mail," said Craig Schmugar, a senior research engineer at Network Associates. "But come that expiration date, be on the lookout for yet another variant."

Experts speculate that Sobig, which only affects Windows-based PCs, could be the work of a virus writer employed by a spammer. If the E-mail attachment carrying the virus is opened, the application opens a back door in the infected PC that lets a hacker gain access without detection. Such viruses are also referred to as worms.

Spammers use such back doors to upload applications that enable them to use the infected PC to send spam anonymously. In addition to opening up an infected computer to a hacker, Sobig propagates itself by stealing E-mail addresses from an infected PC and sending out more E-mails carrying the virus attachment.

"At this point, from what we know and what we can extrapolate, the speculation is leading more toward spam (use) and the virus author generating revenue off of this thing," Schmugar said.

Virus authors working for spammers will include an expiration date so others can't use the back door--and to ensure payment from their employers, who will have to pay for one variant before getting another.

Sobig, which struck a week after a separate virus, dubbed Blaster, wreaked havoc among computer users globally, clogged company networks and flooded users' E-mail boxes with messages. America Online, for example, reported scanning 31 million messages containing E-mail attachments, three times the normal load. Of those, 13 million contained some type of virus, and 11.5 million carried the new Sobig worm.

While a serious problem in its ability to slow network traffic and expose computers to hackers, Sobig is considered less damaging than viruses capable of crashing infected computers. Nevertheless, IT departments nationwide have been working overtime installing software fixes and updating anti-virus software to protect their systems.

This story courtesy of TechWeb News.