Sobig-F Wins 2003 War Of The Worms

Sophos has revealed that the Sobig-F worm accounted for almost a fifth of all reports to Sophos during 2003, making it the hardest-hitting virus of the year. The mass-mailing Sobig-F worm shrugged off stiff competition for the top spot from the infamous Blaster worm, which attempted to knock a Microsoft website off the internet. Both these viruses – plus the third-placed Nachi worm – hit businesses and home users during August 2003, making it the worst single month in virus history.

The top ten viruses of the year are as follows:

1. W32/Sobig-F (Sobig variant) 19.9%
2. W32/Blaster-A (Blaster worm) 15.1%
3. W32/Nachi-A (Nachi worm) 8.4%
4. W32/Gibe-F (Gibe variant) 7.2%
5. W32/Dumaru-A (Dumaru worm) 6.1%
6. W32/Sober-A (Sober worm) 5.8%
7. W32/Mimail-A (Mimail worm) 4.8%
8. W32/Bugbear-B (Bugbear variant) 3.1%
9. W32/Sobig-E (Sobig variant) 2.9%
10. W32/Klez-H (Klez variant) 1.6%

Others 25.1%

“Sobig-F unquestionably wins the dubious title of ‘Worm of the year’. It spread more ferociously than any virus ever seen before, swamping email inboxes. Some companies reported seeing hundreds of thousands of infected emails every day,” said Graham Cluley, senior technology consultant for Sophos. “Throughout the year, in the run-up to Sobig-F, the worm’s author released new variants of Sobig almost as if he or she were seeing which techniques would be the most successful.”

“Ironically some of the people worst impacted by Sobig-F were the spammers. They found that they could not send their millions of spams as easily because their email gateways were deluged by Sobig traffic. Microsoft has issued a substantial financial reward for evidence leading to the arrest and conviction of Sobig’s author, but we seem to be no closer to identifying him or her,” continued Cluley.

Blaster, the year’s second most prevalent worm, did not use email to distribute itself, but spread like wildfire across the internet, exploiting – to Microsoft’s embarrassment – a critical security hole in versions of Windows. Containing a mocking message for Microsoft’s chairman Bill Gates, it attempted to blast one of Microsoft’s websites off the internet, leading the industry giant to take evasive action. Ironically, the third-placed Nachi worm tried to undo the damage done to computers infected by the Blaster worm; in reality it only added to the chaos. Both Blaster and Nachi continue to infect unprotected computers four months later.

Sophos has detected 7,064 new viruses, worms and Trojan horses to date this year, bringing the total protected against to more than 86,000.

Many other virus and spam developments have taken place during 2003. Sophos predicts that the following trends will continue to affect users well into the future:

Spammers find new tricks; disparate legislative approach is a toothless response

Spammers have been adopting complicated techniques to get their messages through scanners, including mixing innocent and bad text and using invalid HTML code or random characters to break up spammy words. New adaptive filtering techniques are combating the problem, and companies are increasingly looking for a consolidated solution which protects against both spam and viruses.
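The word-splitting tricks described above (bogus HTML tags, stray punctuation, character entities and spaced-out letters) can be undone before a filter compares words against a block list. The following is an added example, not Sophos code; the sample messages and the small block list are constructed for the demonstration.

```python
import html
import re

# Constructed sample emails (not from the Sophos article). The first three use
# the tricks the article lists: invalid HTML tags, stray punctuation and
# character entities inserted to split a word the filter would otherwise catch.
SAMPLES = [
    "Cheap V<x>I<y>A<z>GRA online - order today",
    "Buy v.i.a.g.r.a now, l*o*w prices",
    "Great m&#111;rtgage rates: refinance, r e f i n a n c e!",
    "Minutes from the Tuesday meeting are attached.",
]

# Hypothetical block list for the demonstration.
FLAGGED = {"viagra", "mortgage", "refinance"}

TAG_RE = re.compile(r"<[^>]*>")            # matches real and bogus tags alike
SEPARATOR_RE = re.compile(r"[^a-z0-9\s]")  # punctuation used to break words

def normalise(text):
    """Undo the layout tricks so the underlying words can be compared."""
    text = TAG_RE.sub("", text)        # "V<x>I<y>A" -> "VIA"
    text = html.unescape(text)         # "m&#111;rtgage" -> "mortgage"
    text = text.lower()
    text = SEPARATOR_RE.sub("", text)  # "v.i.a.g.r.a" -> "viagra"
    return text.split()

def collapse_spaced_letters(words):
    """Join runs of single-character tokens: r e f i n a n c e -> refinance."""
    out, run = [], []
    for w in words:
        if len(w) == 1:
            run.append(w)
            continue
        if run:
            out.append("".join(run))
            run = []
        out.append(w)
    if run:
        out.append("".join(run))
    return out

def flagged_words(text):
    """Return the flagged words present once the obfuscation is removed."""
    words = collapse_spaced_letters(normalise(text))
    return sorted(set(w for w in words if w in FLAGGED))

if __name__ == "__main__":
    for msg in SAMPLES:
        print(flagged_words(msg) or "clean", "<-", msg)
```

A real filter would feed the normalised tokens into the adaptive (statistical) scoring the article mentions rather than a fixed list; the normalisation step is what keeps the obfuscated and plain forms of a word in the same bucket.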

Comprehensive international legislation is needed to discourage those companies considering spam email marketing. Whilst the EU is introducing tough ‘opt in’ spam legislation, the US House of Representatives’ new anti-spam law is comparatively lax, placing the responsibility on the recipient to ‘opt out’ and allowing much commercial spam to continue largely unaffected. This has wide-reaching consequences for UK businesses, as most of the world’s spam originates in the USA.

Continued dominance of Windows 32 viruses in 2003

All of the 2003 top ten viruses are Windows 32 viruses. These affect only Microsoft users, using email or the internet to spread. Motivated by the thought of getting their code to spread as far and wide as possible, virus writers are likely to continue targeting the ubiquitous Microsoft platform in 2004 and beyond.

More backdoor Trojan horses and RATs detected

Sophos has seen a significant rise in the number of Backdoor Trojans, which open up holes in operating systems enabling hackers to implant Remote Access Tools (RATs). These RATs enable hackers to take remote control of the infected PC. The most prevalent Trojans of 2003 included Graybird, which posed as a patch for a security hole in Microsoft Windows, and Sysbug, which was spammed to thousands of users posing as smutty photographs of an erotic encounter.

Evidence that spammers and virus writers are working in tandem

2003 saw growing evidence that spammers and virus authors are joining forces, with the Mimail-E and Mimail-H worms using infected computers as a launch pad from which to start denial of service attacks on several anti-spam websites. Some Trojan horses, including the new Regate-A and Dmomize-A Trojans, allow spammers to take over computers belonging to innocent third parties and use them for sending spam without the owners’ knowledge.

Sophos estimates that 30 percent of the world’s spam is sent from compromised computers.

Money makes the worm go around: viruses attempt to defraud computer users

In 2003, virus writers recognised that there was money to be made from their viral code, with several worms attempting to extract financial information from infected users. The most prolific of these was Mimail-J, a worm that disguised itself as a message from the PayPal online payment website and duped users into disclosing confidential credit card and PIN details.

Courts, law enforcement agencies treating cybercrime more seriously

A number of high profile virus writer arrests peppered 2003, with youths apprehended in the USA, UK, Spain, Italy and Romania. Cybercrime is increasingly taking place across national boundaries, and international law enforcement agencies have responded by working together to bring virus writers and hackers to book. Businesses got tough on virus writers too, with Microsoft offering a reward fund of $5 million to encourage their capture.

Virus hoaxes continue to cause confusion

The JDBGMGR virus hoax – an email duping users into deleting a legitimate file from their PCs – was, for the second year running, the most widely reported hoax. Although not viral, hoaxes waste bandwidth, clog up mail servers and confuse users, much in the same way as true viruses.
