Free Republic
News/Activism


New Sober Worm Spoofs FBI, CIA Spreads Fast
TechWeb News ^ | November 22, 2005 | Gregg Keizer

Posted on 11/22/2005 5:33:41 PM PST by Eagle9

A new variation of the long-running Sober worm uses extremely effective tactics to trick users into infecting their PCs, security companies said Tuesday, including posing as messages from the FBI and CIA.

Sober.w -- called Sober.x by Symantec, and Sober.z by Sophos and F-Secure -- is spreading rapidly, said security experts, fast enough for vendors to have amplified their threat levels Tuesday. Symantec raised its warning to a "3" in its 1 through 5 scale, the first time since the Zotob outbreak in August that the Cupertino, Calif.-based anti-virus vendor has taken a worm to that threat level.

"The rate of its spread is quite high," said Sam Curry, vice president of Computer Associates’ eTrust security group, who also called the raw number of infections "still relatively low, but growing."

U.K.-based MessageLabs disagreed with the second half of Curry's estimate, however. "The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months," spokesman Chaim Haas said. By mid-Tuesday, MessageLabs had stopped nearly 3 million copies of the worm from reaching its customers' inboxes.

Sophos, another U.K.-based anti-virus vendor, said that its tallies showed this Sober now accounting for 61 percent of all malware.

Sober.w is the most recent example of the two-year-old Sober family, and shares important characteristics with other variants, including bilingualism (messages arrive in either English or German), address hijacking, and mass-mailing.

Computer Associates' Curry believes the fast spread is due to better-than-average technical skills. "It's using slightly more effective techniques," said Curry, "including running three separate [SMTP] processes. That's becoming somewhat common, because the more simultaneous processes a worm runs, the more copies it can blitz out."

Others, however, credit the enticing bait dangled by the worm for its success. "I just don't see any technical reason why this has popped," said Alfred Huger, senior director of engineering for Symantec's security response team. Instead, he points to the worm's social engineering tricks, which include posing as a message from the CIA or FBI (English), or the Bundeskriminalamt, the German national police agency most like the FBI (German).

These messages, with spoofed return addresses such as "mail@cia.gov" and "admin@fbi.gov," claim that "We have logged your IP-address on more than 30 illegal Websites," and demand that the user open the attached .zip file, which supposedly contains questions to answer.

The FBI, in fact, took the unusual step Tuesday of issuing a statement saying that the messages were bogus. "These e-mails did not come from the FBI," the agency said. "Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner."

"This variant of Sober may catch out the unwary as they open their e-mail inbox," said Graham Cluley, senior technology consultant at Sophos, in a statement Tuesday. "Every law-abiding citizen wants to help the police with their inquiries, and some will panic that they might be being falsely accused of visiting illegal websites and click on the unsolicited email attachment."

Sober's creator or creators are unknown, although suspicions have long placed them in Germany. Recently, the Bavarian state police (Bayerisches Landeskriminalamt) predicted the release of a minor Sober variant the next day, leading to conjecture by security analysts that the police may be on the trail of the hackers. No arrests have been made of anyone accused of writing a Sober worm. The FBI urged users who had received the Sober.w worm to report it to the Internet Crime Complaint Center.


TOPICS: Technical
KEYWORDS: email; sober; worm
US-CERT


W32/Sober Revisited
added November 22, 2005 | updated November 22, 2005

US-CERT is aware of several new variants of the W32/Sober virus that propagate via email. As with many viruses, these variants rely on social engineering to propagate. Specifically, the user must click on a link or open an attached file.

A recent variant sends messages that appear to be from the CIA or FBI, while a German version appears to be coming from the Bundeskriminalamt (BKA), the German Federal police service. US-CERT encourages users to review the appropriate alert below:

These new variants of the W32/Sober virus identified above share common characteristics listed below. Once infected, the malicious code may:

Although each variant has different functionality, the list below contains a subset of the common characteristics found in previous variants. Once a system is infected, the malicious code may:

US-CERT strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. You may also wish to visit the US-CERT Computer Virus Resources.

___________________________________________________________

SANS

More Sober Variants (NEW)

Published: 2005-11-22,
Last Updated: 2005-11-22 23:33:21 UTC by Johannes Ullrich (Version: 1)

We continue to receive reports about new Sober variants. Thanks to Chris M. for supplying a very comprehensive list of links (see below). The CME system assigned these variants the ID CME-681.

IMPORTANT: Antivirus software does not provide any reliable protection against current threats. Viruses like Sober tend to change every few hours, well in advance of AV signature updates. The fact that an attachment did not get marked is no indication that it is harmless. We do receive reports of up-to-date versions of AV software missing some of the recent Sober variants.

Sober is now considered the "largest virus outbreak of the year" according to F-Secure (thanks Matthias J. for pointing this out). It looks like the fake FBI e-mails are working for them.

Note from reader Marc R: Please do not have your AV software reply to viruses. All commonly seen viruses use fake 'From:' headers. Rumor has it that fbi.gov is having a hard time keeping up with all the bounces in the first place.

One note of interest: We had another Sober outbreak last year in June, around the same time as "Download.Ject". Download.Ject (aka Berbew) used an Internet Explorer 0-day exploit to download and install a trojan. A number of well-known, trusted web sites had been compromised and spread the trojan.

None of these does anything new or fancy. They all try to trick users into executing the attached ZIP file. The best defense at this point is probably to strip ZIP file attachments.

The subjects and the body text vary widely. Many of them suggest that the attachment was sent by some government authority (FBI, CIA) and request that you open it in order to verify some charges brought against you. A version in German refers to the 'BKA' (the German equivalent of the FBI). Other versions claim to be sent by banks and ask you to open an attachment to verify account details.

List of Links:

Symantec (Level 3 risk) W32.Sober.X@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html

McAfee (currently Low risk) W32/Sober@MM!M681
http://vil.nai.com/vil/content/v_137072.htm

Trend Micro (Medium risk) WORM_SOBER.AG
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAG

F-Secure (Radar Level 2) Sober.Y
http://www.f-secure.com/v-descs/sober_y.shtml

Sophos (low risk) W32/Sober-{X, Z}
http://www.sophos.com/virusinfo/analyses/w32soberx.html
http://www.sophos.com/virusinfo/analyses/w32soberz.html

Computer Associates (Medium risk) Win32.Sober.W
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49473

Panda Antivirus (Medium risk) Sober.Y
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=92673&sind=0


1 posted on 11/22/2005 5:33:43 PM PST by Eagle9
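The SANS advice in the post above (strip ZIP attachments at the gateway, and never have the filter reply to the sender, because the From: header on these worms is forged) as a working triage filter. This is an added example, not code from the TechWeb article, US-CERT or the SANS diary; it uses only the Python standard library, and the sample messages, the attachment bytes, the hypothetical recipient address and the list of impersonated domains (the two addresses quoted in the article) are constructed here. It goes one step beyond the text by also recognising an archive from its leading bytes, so a .zip renamed to another extension is still caught.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Sender domains the lure messages impersonate (the two addresses quoted in the
# article; constructed list, extend for your own environment).
IMPERSONATED_DOMAINS = {"fbi.gov", "cia.gov"}

# Leading bytes of a ZIP archive: local-file header, or the end-of-central-
# directory record of an empty archive.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")


def is_zip_part(part) -> bool:
    """True if the MIME part is a ZIP by filename, declared type, or magic bytes."""
    filename = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    if filename.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:4] in ZIP_MAGIC


def triage(raw: bytes) -> dict:
    """Decide what to do with one inbound message.

    Returns the action ('quarantine' or 'deliver'), the reasons, and a
    notify_sender flag that is always False: the From: header is forged, so a
    bounce or 'virus found' reply would land on the impersonated party, not on
    the infected machine that actually sent the mail.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    zip_names = [p.get_filename() or "(unnamed)"
                 for p in msg.iter_attachments() if is_zip_part(p)]

    reasons = []
    if zip_names:
        reasons.append("zip attachment: " + ", ".join(zip_names))
    if zip_names and sender_domain in IMPERSONATED_DOMAINS:
        reasons.append(f"attachment from impersonated domain {sender_domain}")

    return {
        "action": "quarantine" if zip_names else "deliver",
        "reasons": reasons,
        "notify_sender": False,
    }


def build_sample(from_addr: str, subject: str, body: str,
                 att_name: str, att_bytes: bytes, maintype: str, subtype: str) -> bytes:
    """Assemble a constructed test message as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.com"  # hypothetical recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(att_bytes, maintype=maintype, subtype=subtype, filename=att_name)
    return msg.as_bytes()


# Constructed samples. The lure sentence is the one quoted in the article; the
# attachment contents are a few placeholder bytes, not a real archive.
SAMPLE_LURE = build_sample(
    "admin@fbi.gov", "Your IP has been logged",
    "We have logged your IP-address on more than 30 illegal Websites.",
    "questions.zip", b"PK\x03\x04" + b"\x00" * 26, "application", "zip")

SAMPLE_BENIGN = build_sample(
    "colleague@example.org", "Q3 report",
    "Attached as discussed.",
    "report.pdf", b"%PDF-1.4\n%%EOF\n", "application", "pdf")

# A ZIP renamed to slip past a filename-only filter: still caught by its magic bytes.
SAMPLE_RENAMED = build_sample(
    "billing@example.org", "Account details",
    "Please open the attachment to verify your account details.",
    "details.txt", b"PK\x03\x04" + b"\x00" * 26, "application", "octet-stream")


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN), ("renamed", SAMPLE_RENAMED)):
        print(name, triage(raw))
```

In a gateway you would call triage() on each message, route on action and log the reasons; the notify_sender flag is deliberately hard-wired to False so that no automated reply is ever generated toward the forged sender.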

To: Eagle9

Imagine getting a message in your email that says, "I'm from the government and I'm here to help you."

How gullible do you have to be?


2 posted on 11/22/2005 5:35:18 PM PST by coconutt2000 (NO MORE PEACE FOR OIL!!! DOWN WITH TYRANTS, TERRORISTS, AND TIMIDCRATS!!!! (3-T's For World Peace))

To: coconutt2000
"Imagine getting a message in your email that says, "I'm from the government and I'm here to help you."

Well, when I received these emails, I was ready to remove all the file-sharing software on my system, in a scrambling panic. [ \ sarcasm ]
3 posted on 11/22/2005 5:37:38 PM PST by jdm

To: Eagle9

Caught 335 of these coming into our system in the last 12 hours (and counting!)


4 posted on 11/22/2005 5:38:45 PM PST by Northern Alliance

To: Eagle9

I got 4 or 5 emails today with Sober.x attachments. They must be coming from either a customer or a supplier to our company. (The spoofed addresses are from other companies in our industry.) I've been getting the "Here's your password and username" versions of the worm.


5 posted on 11/22/2005 5:39:50 PM PST by Redcloak (We'll raise up our glasses against evil forces singin' "whiskey for my men and beer for my horses!")

To: Eagle9
...I forgot to add that Norton missed the first 2. It didn't clean the attachments until after I had deleted them.
6 posted on 11/22/2005 5:41:10 PM PST by Redcloak (We'll raise up our glasses against evil forces singin' "whiskey for my men and beer for my horses!")

To: coconutt2000

Gullah bull vs. gullible. As in gullah bull warning.


7 posted on 11/22/2005 5:41:52 PM PST by dhuffman@awod.com (The conspiracy of ignorance masquerades as common sense.)

To: Eagle9

I got one from admin@fbi.gov yesterday, saying that "We have logged your IP-address on more than 30 illegal Websites." Oddly, I scanned the attachment for viruses but it came up negative. If it was Sober, it must have been different enough from older versions to fool Norton AV.

I deleted the message in any case without opening the attachment, which I would do with any suspicious attachment.


8 posted on 11/22/2005 5:43:27 PM PST by Cicero (Marcus Tullius)

To: Eagle9

I just now got one of these while checking my mail. The subject was "Your IP has been logged" from cia.gov - glad I didn't open it.


9 posted on 11/22/2005 5:43:55 PM PST by TightyRighty

To: TightyRighty

I never open that stuff.


10 posted on 11/22/2005 5:47:12 PM PST by cripplecreek (Never a minigun handy when you need one.)

To: Eagle9
""We have logged your IP-address on more than 30 illegal Websites," and demand that the user open the attached .zip file, which supposedly contains questions to answer."

I am a federal employee and when I got to work this morning, I checked my work email and sure enough, that is exactly the message I got. It had a zip file - but I knew better than to open it - since the message was not addressed to me, specifically. I was worried, too cuz I had logged onto this freerepublic! LOL..... Now I can be at ease.

11 posted on 11/22/2005 5:50:07 PM PST by texianyankee

To: texianyankee

I have received at least 20 of these e-mails in the past 24 hrs on my home computer....

Unbelievable.


12 posted on 11/22/2005 5:58:32 PM PST by Ethrane ("semper consolar")

To: Cicero

I've never had good luck with Norton. I use EZ Armor. I got 5 or 6 of those emails this morning and EZ Armor alerted me that they were a high level threat. I cleaned my cache, deleted my cookies and my temporary internet files. I don't know if that eliminated whatever it was that was causing me to get the emails, but I haven't gotten one since.


13 posted on 11/22/2005 6:07:26 PM PST by Warriormom

To: Eagle9

This one seems to be spreading fast. This afternoon our AV system had nabbed over 200 of them, and counting. No infections inside so far.


14 posted on 11/22/2005 6:11:02 PM PST by Ramius (Buy blades for war fighters: freeper.the-hobbit-hole.net --> 1000 knives and counting!)

To: Warriormom

I've had my main email address for a long time, and I hate to change it. Most spam comes because you have posted in a forum online some time in the past, or have gotten on someone's email list that was sold and got into the public domain.

I'd say it's a good idea to delete the temp internet files fairly often. I don't delete my cookies because some of them have data I need to access sites where I am registered, but I do comb through them once in a while and weed them out.

CT Cookie Spy allows you to easily see what you have and delete what you don't want. And Norton and AdAware deal with most of the malign cookies.


15 posted on 11/22/2005 6:12:48 PM PST by Cicero (Marcus Tullius)

To: Ethrane

I haven't received any on my home computer - so far.


16 posted on 11/22/2005 6:12:52 PM PST by texianyankee

To: Warriormom

None of those things affect whether you get sent the messages. That's caused by someone else being infected and sending you the email messages.

The infected computer will, therefore, belong to somebody that has your email address in their address book. That's where the worm finds addresses to send to.


17 posted on 11/22/2005 6:13:41 PM PST by Ramius (Buy blades for war fighters: freeper.the-hobbit-hole.net --> 1000 knives and counting!)

To: Ramius

There was a thread at DU from a guy that really thought the FBI was watching him. Now ~that's~ funny.


18 posted on 11/22/2005 6:13:46 PM PST by HairOfTheDog (Join the Hobbit Hole Troop Support - http://freeper.the-hobbit-hole.net/ 1,000 knives and counting!)

To: fortunecookie

Remember when I said "just delete it?"


This is why.


19 posted on 11/22/2005 6:13:50 PM PST by Petronski (Cyborg is the greatest blessing I have ever known.)

To: HairOfTheDog

LOL... priceless.


20 posted on 11/22/2005 6:15:27 PM PST by Ramius (Buy blades for war fighters: freeper.the-hobbit-hole.net --> 1000 knives and counting!)

