sobig.f on a rampage
A few people (e.g. red) at the Berkman Center have started getting lots and lots of messages infected with the W32.Sobig.F virus.
This is irritating for a couple of reasons.
1) It’s a drag to get lots of superfluous and possibly dangerous mail.
2) People will think you are infected with it, even when you aren’t. Sobig.F includes its own SMTP engine, which means that it talks directly with mail servers. This allows it to forge the address it alleges to be “from”. It also knows how to search through various files on an infected machine’s hard drive, and harvest email addresses. It uses these addresses both as a list of people to try to infect, and as a list of people from whom to pretend to have originated. So if your email address happens to be in a file which a Sobig virus looks at, people will get infected messages which claim to be from you. Some helpful souls will think that means you have a virus, and contact you. Some ill-guided institutions have doodads installed on their mail servers which automatically bounce virus-infected mail back to the “sender”, which is obviously dumb and confusing when the alleged sender is not the same as the infected person. It would be better to make these programs only bounce messages which contain viruses which actually use the real originating email address. In my opinion this behavior hovers somewhere along the border of unethical.
3) Sobig.F searches through cached webpages in addition to address books. If your address, like bloggercon at cyber.law.harvard.edu or cyber at law.harvard.edu, is in a lot of reasonably popular webpages, it will be cached on many machines and you will get a Lot of mail from a Lot of different people, and probably have your address forged on a Lot of infected emails.
4) The Sobig.F messages are, well, so big! The attachment is like 100k. If you have a quota on your mailbox and are getting lots of these, they might flood you.
So how do we deal with this? There is, unfortunately, no way to get the deluge of mail to stop, since it’s close to impossible to figure out from whom an infected message actually originated. But here are a few things you can do:
1) Make sure you have up-to-date virus software, so at least you can avoid the indignity of getting infected. If you’re at Berkman and your machine is on the network you’re fine. Otherwise you should make sure your virus definitions are very recent. I don’t know about other vendors, but Symantec just released their sobig.f definition today.
2) Everyone knows not to open attachments with extensions like .exe and .bat. However, Sobig.F uses .pif and .scr as its filename extensions. Don’t open attachments with these names either. And for Pete’s sake, don’t open attachments from people you don’t know. This is not burdensome paranoia – it’s common sense.
3) Cultivate forbearance and cunning. If you’re only getting a few of these messages, you can grin and bear it. If they’re really bugging you, it might be worthwhile to invest some time in setting up filters in your email program to delete these messages automatically, or move them to some other folder. There are only a half-dozen or so subject-headings that Sobig.F uses, and there are some other characteristics all infected emails will share, such as the presence of an attachment and certain text in the body.
If you want to know more, find a removal tool, etc., you can consult this excellent information page from Symantec or this from Sophos. Lots more details there.
Mark Nottingham
August 20, 2003 @ 12:38 pm
Thanks – this was very helpful.
[[[Everyone knows not to open attachments with extensions like .exe and .bat. However, Sobig.F uses .pif and .scr as its filename extensions. Don’t open attachments with these names either.]]]
This should be qualified with “If you use Microsoft Windows,…” The whole world doesn’t use it (yet).
Dan Lyke
August 20, 2003 @ 12:53 pm
It’s interesting to watch the spread of viruses. I don’t use Windows for my email, so I haven’t been infected by any of the big ones, but I’ll notice that I get hit hard by things like the “I love you” virus, but I’ve only seen the Harvard bloggers complaining about this one.
So, anyone out there want to do a study about which sorts of people are susceptible to which sorts of text to get you to open the virus payload? What do AOL users fall for versus what academics fall for versus what lawyers’ offices fall for?
Ernie Oporto
August 20, 2003 @ 1:13 pm
I strongly recommend the “don’t open attachments from people you don’t know” advice. It makes the biggest difference. I never get viruses because of it, but I see people that don’t follow that rule are always opening attachments. Keeping the Preview Pane active in Outlook is also bad bad bad.
To prevent address harvesting from web pages, it would be good to have a sugarplum link to something like WPoison which the screen scraping scripts will get stuck in. Check out http://www.monkeys.com/wpoison/ and http://www.shokk.com/cgi-bin/wpoison.pl.
Hoops MacCann
August 21, 2003 @ 2:31 am
By setting up about six rules for my incoming mail, I was able to delete the mail off the webserver before I used my email client to download and check email. Seems to be working okay, so far.
Jesse Ross
August 21, 2003 @ 12:49 pm
Rules are definitely the most useful way to deal with this. Hoops, I like the idea of doing it on the server-side. Since Sobig.F emails have a very definite, identifiable set of characteristics, this could be done system-wide, rather than have every user duplicate essentially the same ruleset on their own machines. Procmail comes to mind as a free way to do this.
And it’s definitely worth noting that Sobig.F doesn’t affect Mac or Linux or anything else (although who knows what would happen if you ran it in WINE or some Mac Windows emulator).
We love free software here at the Berkman Center, but this problem is bigger than security holes in Windows. As I understand it, Microsoft software does tend on the whole to be less secure than software libre, but the reason we see viruses specializing in Windows is that there are so many more Windows machines out there in the world. No programmer or set of programmers can achieve perfection, and there are security holes in Linux too – at least once a week I have to patch some Linux program.
But there are definitely plenty of people who administer software-libre machines and don’t install patches, just like there are people who administer Windows machines and don’t bother patching. Especially those cursed home users! 🙂 If everyone started using Linux or GNU or BSD or whatever, two things would happen. First, software libre systems would become more attractive targets for virus programmers, and all their evil genius would go into battering at free programs. Second, the viruses and worms that infect these systems would have a much richer ecosystem to exploit – there’s no reason in theory why a free software worm couldn’t be just as bad as Blaster, or a free-software virus just as bad as Sobig.F. For instance, the 1988 “Great Worm” crippled the internet for a while, long before Microsoft had bothered implementing TCP/IP.
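To put the post’s filtering advice (item 3 above) and Jesse’s server-side suggestion into concrete form, here is an added example in Python rather than a procmail recipe; it is not code from the post or from Berkman. It checks each message for the characteristics the post names: a .pif/.scr attachment is the required signal, and a hit on a subject list only corroborates, since real mail can share a subject line. The sample messages and the subject list are constructed; the actual subject lines would come from the Symantec and Sophos pages linked above.

```python
import email
from email import policy
from email.message import EmailMessage

WORM_EXTENSIONS = (".pif", ".scr")  # the extensions the post says Sobig.F uses

def worm_indicators(raw, known_subjects=frozenset()):
    """Return the reasons a raw RFC 822 message looks like a Sobig.F carrier.
    Empty list means deliver. The attachment extension is the required signal;
    a hit in known_subjects (the half-dozen lines from the vendor advisories,
    supplied by the admin) only corroborates, since real mail can share one."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():  # walk every MIME part, not just declared attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(WORM_EXTENSIONS):
            reasons.append(f"attachment {name!r} has a .pif/.scr extension")
    if reasons and str(msg["Subject"] or "") in known_subjects:
        reasons.append("subject line is on the known worm list")
    return reasons

def triage(raw_messages, known_subjects=frozenset()):
    """Split a batch into (deliver, discard). Discarded mail is dropped, never
    bounced: Sobig.F forges From, so a bounce lands on an innocent third party."""
    deliver, discard = [], []
    for raw in raw_messages:
        reasons = worm_indicators(raw, known_subjects)
        (discard if reasons else deliver).append((raw, reasons))
    return deliver, discard

def build_message(subject, body, filename=None, payload=b""):
    """Build a constructed sample message (no real worm bytes) for testing."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "forged@example.org", "you@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:  # binary attachment, as the worm's .pif/.scr would appear
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()

if __name__ == "__main__":
    samples = [  # constructed samples: one worm-like, one legitimate
        build_message("Re: Details", "See the attached file.", "your_document.pif", b"MZ stub"),
        build_message("Re: Details", "Minutes attached.", "minutes.pdf", b"%PDF stub"),
    ]
    deliver, discard = triage(samples, {"Re: Details"})  # constructed subject list
    for _, reasons in discard:
        print("dropped:", "; ".join(reasons))
```

Hooking this into a delivery agent would mean feeding it each message as it arrives and routing the discard list to /dev/null or a quarantine folder instead of back to the forged sender.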