Sobig: Spam, Virus Or Both?

The quick spread of the recent Sobig.C virus may owe more to the advances in spamming techniques than to the skill of an anonymous virus writer, according to a leading antivirus company.

An analysis of e-mail messages containing the new worm variant by Russian antivirus company Kaspersky Labs revealed what appears to be a distribution pattern more akin to spam e-mail than a fast-spreading virus, according to Denis Zenkin, head of corporate communications at Kaspersky in Moscow.

Like the original Sobig virus, Sobig.C is a mass-mailing worm that spreads copies of itself through e-mail messages with attached files that contain the virus code.

The new variant was first detected late last Friday and spread quickly across multiple countries in the hours after it first appeared, according to a statement by Helsinki security company F-Secure Corp.

"It looks like the virus writer enhanced the virus' replication with spam technology to achieve greater spreading speed and global distribution," Zenkin said.

E-mail that is generated by a worm can typically be traced back to another infected machine, Zenkin said.

With the recent Sobig.C virus, however, Kaspersky researchers found that the machines responsible for distributing the virus were not infected with Sobig, leading Kaspersky researchers to theorise that they were "open proxy" machines used by spammers to conduct massive e-mail distributions, Zenkin said.

Open proxies are loosely managed machines connected to the Internet and open to trespass by outsiders. They are often home computers connected to the Internet using "always-on" DSL (Digital Subscriber Line) or cable modem connections, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs in New York.

Without the initial spamming of Sobig.C e-mail, it is doubtful that the virus would have spread as quickly, Zenkin said.

While the virus has features that can grab e-mail addresses from files stored on infected machines, for example, lists of destination addresses for use by spammers are easily available online and could be used to "seed" the new virus to millions of machines at once, he said.

There is a "high likelihood" that Sobig.C used a spam engine to spread, Sunner said. The initial appearance of Sobig was unusual for viruses, spiking over the weekend and then quickly dying off, he said.

"It's certainly plausible that the virus writers may have kick-started replication with spamming techniques," said Chris Belthoff, senior security analyst at Sophos PLC.

However, spam is not the only way the virus spreads, he said.

"We're absolutely certain that the virus does replicate. We have reported cases of the virus replicating," Belthoff said.

Sophos did not analyse the source of the Sobig.C e-mail samples it received, but it is not uncommon for virus writers to launch their creations with massive e-mail distributions, Belthoff said.

The virus writer may have contracted with a spammer to distribute the e-mail or taken advantage of an open proxy that had been left vulnerable by another virus, Zenkin said. A more likely scenario is that the virus writer is also an active spammer, he said.

While its initial distribution was atypically large, the Sobig.C virus outbreak is just the latest example of the convergence of spam and viruses, with spammers using open proxies as mini e-mail servers, according to Sunner.

"Sixty per cent of the spam e-mail we get is coming from open proxies. Spammers are using always-on (Internet) connections to give them an almost infinite number of IP addresses to send their mail from," Sunner said.

Which raises the question of whether Sobig.C is better described as spam or as a virus.

"It's a very sensitive question," Zenkin said.

He prefers to talk about Sobig.C as a virus with two separate spreading techniques: One based in the virus' worm code and the other being spam distribution technology used by the author to seed the new virus.

Security experts did agree that computer users should be ready for a new version of the Sobig virus this weekend.

The Sobig.C variant is programmed to expire on June 8 and Sobig.C was released on the same day that its predecessor, Sobig.B, was programmed to stop spreading.

The serial releases may be an effort by the Sobig author to fool antivirus software by subtly altering the makeup of the virus. Alternatively, the author could be releasing "proof of concept" viruses, testing the success of different viruses depending on when and how they are distributed, according to Sunner and Belthoff.

Copyright © 2003 IDG Communications, Inc.

The 10 most powerful cybersecurity companies