New Sober Trojan Spewing Hate Spam
"It's not a worm," said Sam Masiello, the director of threat management for Denver-based MX Logic. "There's no binary attachment. Machines infected by Sober.p are downloading the code that's necessary to execute this most recent Trojan."
The latest member of the Sober family, dubbed Sober.q by anti-virus firms, has been installed on machines infected earlier in May by Sober.p, which blitzed the Internet and, at its height, accounted for 1 in 7 of all e-mail messages in circulation. PCs compromised by Sober.p were left with an open backdoor, through which the attacker pushed the Trojan, Sober.q.
The Trojan then set up the machine as a spam relay, and began spewing a slew of different messages, all of which had a "political edge," said Dominic Wild, an analyst with Sophos' Vancouver, Canada, office.
The messages, which can come with either German or English subject headings and text, include links that point to German Web sites, among them the right-wing National Democratic Party (in German, Nationaldemokratische Partei Deutschlands, or NPD), which in the past has called the Allied bombing of Dresden in 1945 "mass murder" and a "Holocaust of bombs."
(TechWeb was unable to access the NPD Web site mid-day Monday EDT; it may have been overwhelmed by traffic coming from the spammed links.)
Some of the spam carried the subject heading "Dresden 1945," while others titled "Gegen das Vergessen" ("Against forgetting") railed about the February 1945 bombing of the Saxon city.
"The spam is related to the recent 60th anniversary of the end of World War II," said Masiello. "It's German hate spam, and all political."
Political spam, although rare, is not unknown. During the summer of 2004, in fact, a similar one-two punch of Sober.g and Sober.h delivered German political messages. Sober.g, like 2005's Sober.p, was the worm that seeded the ground with a host of compromised machines, which Sober.h, like this week's Sober.q, used as spam spreaders.
According to Masiello, MX Logic is seeing spam sent by Sober.q-infected machines in about 1 in every 150 messages. Although that was enough for the company to call the Trojan a "high severity threat," it was nowhere near the volume generated by the Sober.p worm.
The Trojan also drops a file onto infected PCs with links to news stories about previous versions of the Sober worm, and the text: "Ich bin immer noch kein Spammer! Aber sollte vielleicht einer werden :)," Sophos' Wild added. The German translates to: "I'm still not a spammer! But perhaps I should become one :)," according to Sophos.
The one-two combination of Sober.p and Sober.q may be unusual in that both probably come from the same author, but the use of compromised machines to spread additional malicious code or spam is not.
"We've seen malicious code like this [Sober.q] before," said Wild. "One in three worms, in fact, are creating zombie machines."
But while Sober.q might be, as MX Logic's Masiello called it, a "dead end," the network of Sober.p-infected PCs is not. "Authors of Sober.p could possibly elicit remote command-and-control over a large network of infected machines," said Masiello.
Like any bot network (or botnet), the collection could be used in the future to deliver more spam or more worms, or as the launch pad for a massive denial-of-service (DoS) attack.