Sobig: Spam, Virus, or Both?
Virus writer likely used spamming techniques to spread the worm quickly.
Paul Roberts, IDG News Service
The quick spread of the recent Sobig.C virus may owe more to advances in spamming techniques than to the skill of the anonymous virus writer, according to a leading antivirus company.
An analysis by Russian antivirus company Kaspersky Labs of e-mail messages containing the new worm variant revealed what appears to be a distribution pattern more akin to that of spam e-mail than to that of a fast-spreading virus, according to Denis Zenkin, head of corporate communications at Kaspersky in Moscow.
Like the original Sobig virus, Sobig.C is a mass-mailing worm that spreads copies of itself through e-mail messages bearing attached files that contain the virus code.
The new variant was first detected late on Friday and spread quickly across multiple countries in the hours after it first appeared, according to a statement by Helsinki security company F-Secure.
"It looks like the virus writer enhanced the virus's replication with spam technology to achieve greater spreading speed and global distribution," Zenkin said.
Searching for the Source
E-mail generated by a worm can usually be traced back to another infected machine, Zenkin said.
With the recent Sobig.C virus, however, Kaspersky researchers found that the machines responsible for distributing the virus weren't infected with Sobig, leading Kaspersky researchers to theorize that they were "open proxy" machines that spammers used to conduct massive distribution of e-mail, Zenkin said.
Open proxies are loosely managed machines that remain connected to the Internet and are open to trespass by outsiders. In many instances, they are home computers connected to the Internet via "always-on" DSL or cable modem connections, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs Ltd. in New York.
Without the initial spamming of Sobig.C e-mail, it is doubtful that the virus would have spread so quickly, Zenkin said.
The virus has features that can grab e-mail addresses from files stored on infected machines, for example; but lists of destination addresses for use by spammers are readily available online and could be used to "seed" the new virus to millions of machines at once, Zenkin said.
Kick Start
There is a "high likelihood" that Sobig.C used a spam engine to spread, Sunner said. The initial appearance of Sobig was unusual for viruses, spiking over the weekend and then quickly dying off, he said.
"It's certainly plausible that the virus writers may have kick-started replication with spamming techniques," said Chris Belthoff, senior security analyst at Sophos.
The virus doesn't rely exclusively on spam to spread, however, he said.
"We're absolutely certain that the virus does replicate. We have reported cases of the virus replicating," Belthoff said.
Sophos did not analyze the source of the Sobig.C e-mail samples it received, but it is not uncommon for virus writers to launch their creations with massive e-mail distributions, Belthoff said.
Working Together?
The virus writer may have contracted with a spammer to distribute the e-mail or may have taken advantage of an open proxy that had been left vulnerable by another virus, Zenkin said. A more likely scenario is that the virus writer is also an active spammer, he said.
While its initial distribution was atypically large, the Sobig.C virus outbreak is just the latest example of the convergence of spam and viruses, with spammers using open proxies as mini e-mail servers, according to Sunner.
"Sixty percent of the spam e-mail we get is coming from open proxies. Spammers are using always-on [Internet] connections to give them an almost infinite number of IP addresses to send their mail from," Sunner said.
Which raises the question of whether Sobig.C is better described as spam or as a virus.
"It's a very sensitive question," Zenkin said.
He prefers to talk about Sobig.C as a virus with two separate spreading techniques--one based in the virus's worm code, and the other the spam distribution technology used by the author to seed the new virus.
New Version
Security experts did agree that computer users should be ready for a new version of the Sobig virus this weekend.
The Sobig.C variant is programmed to expire on June 8 and Sobig.C was released on the same day that its predecessor, Sobig.B, was programmed to stop spreading.
The serial releases may be an effort by the Sobig author to fool antivirus software by subtly altering the makeup of the virus. Alternatively, the author could be releasing "proof of concept" viruses, testing the success of different viruses depending on when and how they are distributed, according to Sunner and Belthoff.
