Spammer Techniques Speed Spread Of Virus

At least that's the finding of two security firms that tracked the spread of Sobig.c, which debuted this weekend and was first noted for the bogus e-mail address of its sender, [email protected].

Sobig.c may look like a run-of-the-mill mass-mailed virus, but it's actually evidence of a new trend in how virus makers distribute code, according to antivirus researchers at Kaspersky Labs and Central Command.

Using spamming technology is a departure from the normal way virus makers launch their creations, according to Steven Sundermeier, product manager at Central Command.

Typically, he said, copies of the virus are first seeded with a limited number of users--100 is usual--who then unintentionally spread the virus by e-mail and over networks as the worm propagates itself. The result: a slow start, with infection rates picking up as more computers are contaminated.

Sobig.c, however, seems to have been seeded using spam-style mass mailing techniques, the same used by junk mail marketers to drop spam touting everything from herbal remedies to sexual enhancers into users' in-boxes.

"Rather than hundreds of seeded copies, a spamming approach would put thousands, if not millions of copies of the worm into the wild simultaneously," Sundermeier said. That would give security firms, corporations and their users less lead time to note a new virus and react to it to prevent infection.

Such tactics could provoke global flood-attacks on the Internet that could lead to the lowering of network productivity, said Denis Zenkin, Kaspersky Labs spokesman.

Evidence that Sobig.c was spread via spam-style techniques is indirect, according to both Kaspersky and Central Command.

Although the worm contains code that specifies [email protected] as the sender's address--similar to other worms, including last month's Sobig.b, which spoofed [email protected] as the sending address--security firms have noted that the overwhelming majority of messages carrying Sobig.c are not tagged with Gates' address. "We're getting literally tons of e-mails that aren't originating from that address," said Sundermeier.

Other proof that Sobig.c is using a spam-like distribution method includes the large number of infections in a short amount of time--according to MessageLabs, Sobig.c is now the most prominent virus on the Internet--and the originating IP addresses of the mailed worm, Zenkin said.

Central Command is still analyzing the worm, including the source IP addresses, and is not yet able to confirm Kaspersky's conclusion, Sundermeier said. "We're doing the tracking now to see where they're originating," he said. "If there's a huge flood originating from a particular IP, then the possibility exists that it's being spammed."
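The tracking Sundermeier describes (checking whether a flood of worm copies is concentrated on a few source IPs, and whether the visible sender matches the address the worm's own code sets) can be expressed as a small triage heuristic. The script below is an added example, not code from the article or from any of the firms it quotes; the sender address, IP addresses and thresholds are constructed placeholders, and the records are synthetic, not real telemetry.

```python
from collections import Counter
from ipaddress import ip_address

# Assumed address the worm embeds in its From: header (placeholder, not from the article).
HARDCODED_FROM = "worm-sender@example.com"

# Constructed sample 1: a burst that looks mass-mailed. Two sources dominate and
# most copies carry a From: that is not the one the worm's code would set.
SPAM_SEEDED_WAVE = (
    [("203.0.113.10", "promo@example.net")] * 12
    + [("203.0.113.11", "offers@example.org")] * 4
    + [(f"198.51.100.{i}", HARDCODED_FROM) for i in range(1, 5)]
)

# Constructed sample 2: organic spread, one copy per infected host, From: as the worm sets it.
ORGANIC_WAVE = [(f"192.0.2.{i}", HARDCODED_FROM) for i in range(1, 21)]


def assess_wave(records, hardcoded_from=HARDCODED_FROM, top_k=2, share_threshold=0.5):
    """Summarize a batch of (source_ip, from_header) observations.

    Returns the number of distinct sources, the share of all copies that the
    top_k busiest sources account for, the fraction of copies whose From:
    differs from the address the worm hard-codes, and a verdict string.
    The thresholds are illustrative assumptions, not figures from the article.
    """
    if not records:
        raise ValueError("no records to assess")
    sources = Counter()
    mismatches = 0
    for src, sender in records:
        ip_address(src)  # raises ValueError on a malformed address
        sources[src] += 1
        if sender.lower() != hardcoded_from.lower():
            mismatches += 1
    total = len(records)
    top = sources.most_common(top_k)
    top_share = sum(n for _, n in top) / total
    mismatch_rate = mismatches / total
    # A few sources carrying most copies is the signature of a mass mailer;
    # thin spread across many hosts is what worm-driven propagation looks like.
    verdict = "likely spam-seeded" if top_share >= share_threshold else "consistent with organic spread"
    return {
        "total": total,
        "distinct_sources": len(sources),
        "top_sources": top,
        "top_share": round(top_share, 3),
        "from_mismatch_rate": round(mismatch_rate, 3),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, wave in (("spam-seeded sample", SPAM_SEEDED_WAVE), ("organic sample", ORGANIC_WAVE)):
        print(name, assess_wave(wave))
```

On the constructed spam-seeded sample the two busiest sources account for 80% of copies and 80% of messages carry a sender other than the hard-coded one; on the organic sample every copy comes from a different host and the sender always matches. In practice the source IP should be taken from the receiving MTA's connection log, not from Received: headers inside the message, since those can be forged along with From:.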

Other security firms, such as Symantec, are also looking closely at Sobig.c. Sharon Ruckman, senior director of Symantec's security response team, said her group was examining Sobig.c but so far hadn't reached any conclusions about the worm's distribution method. Sobig.c spread faster than its immediate predecessor, Sobig.b, she said.

This story courtesy of Techweb.com.