Information Security News mailing list archives

SoBig hacker may have profit motive


From: InfoSec News <isn () c4i org>
Date: Thu, 28 Aug 2003 02:24:44 -0500 (CDT)

Forwarded from: Richard C. <richard () gort ucsd edu>

http://www.signonsandiego.com/news/uniontrib/tue/business/news_1b26virus.html

By John Markoff 
NEW YORK TIMES NEWS SERVICE

August 26, 2003

SAN FRANCISCO - Computer security experts and law enforcement
officials are struggling to understand the motives of a mysterious
software author who appears intent on prying open many of the
electronic locks on the Internet.

The malicious program known as SoBig, which is transmitted as an
e-mail attachment and then resends itself widely via the Internet, is
actually the sixth variant in an experiment by an unknown attacker.
During the past eight months the author or authors have persistently
tried to implant a range of secret tools for stealing information and
sending unsolicited commercial e-mail messages, or spam, according to
security experts.

One possibility now being discussed is that the program is an attempt
to create software engines for sending spam by using unprotected
computers that have been surreptitiously commandeered by the virus.
Access to such computers could then be sold to e-mail marketing
companies.

"I think the motivation is clear. It's money," said Mikko H. Hypponen,
director of anti-virus research at F-Secure, an anti-virus firm based
in Helsinki, Finland, which is decoding the illicit program. "Behind
SoBig we have a group of hackers who have a budget and money."

Whatever the motive, the writer of the rogue program appears to be
engaged in a dark game with anti-virus companies, repeatedly eluding
their defenses with ever-more virulent adaptations. In the case of
four of the six programs, a new version was launched immediately after
the self-timed expiration date of the preceding program.

"You can liken this guy to Lex Luthor and we're all Supermen," said
Russ Cooper, a computer security expert at Trusecure, based in
Herndon, Va. "Luckily, we've been able to get the kryptonite from
around our necks each time so far."

Law enforcement officials and security experts said yesterday they did
not know the identity of the attacker, but expected that there would
be a new variant of the experiment, possibly as soon as next month.

The current version of the program, labeled Sobig.F, is scheduled to
expire on Sept. 10 and defenders are bracing for a new onslaught
shortly afterward.

"We don't have any technical reason to expect a follow-on, but given
the past history it is reasonable to assume there will be more," said
Brian King, an Internet security analyst at the Computer Emergency
Response Team Coordination Center at Carnegie Mellon University in
Pittsburgh.

There is no shortage of theory and speculation among the software
defenders who have been attempting to combat the program. The most
frequently heard speculation is that Sobig is the work of an e-mail
spammer who is aggressively trying to build a clandestine
infrastructure for blitzing the Internet with junk e-mail.

"If machines remain infected they could be used in any kind of
attack," said Joe Hartmann, director of North American anti-virus
research for Trend Micro, an anti-virus software firm headquartered in
Tokyo. "The question we ask ourselves is what is he trying to achieve?
We don't think it's planned for a specific threat. Rather, it's more
likely a money-making spam scheme."

Several computer security researchers said they had seen some hints
that the program's author might have a strategy for profiting from the
virus.

"There is some evidence that he's been tied in with spammers," said
Bruce Hughes, director of malicious-code research at Trusecure.
Although many companies routinely blacklist the Internet address from
which spam is sent, a strategy that used computers that had been
commandeered by the SoBig program would be almost impossible to
defeat.
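The paragraph above explains why a blacklist keyed on the sending address fails once the sending is spread across many commandeered machines. The following added example (not from the article or any of the firms quoted in it) runs two defensive checks over constructed mail-gateway log lines: a per-source volume threshold, and a content fingerprint counted by distinct sources, which is the idea behind collaborative bulk-mail detection. The log format, IP ranges, subjects and thresholds are all invented for the example.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed gateway log lines: "<epoch> <source-ip> <recipient> <subject>".
# Three batches: one pitch sent 40 times from a single relay, the same pitch
# sent once each from 40 commandeered hosts, and 40 unrelated messages.
SPAM_SUBJECT = "Buy now"
CENTRALIZED = [f"1061900000 203.0.113.7 user{i}@example.invalid {SPAM_SUBJECT}"
               for i in range(40)]
DISTRIBUTED = [f"1061900000 198.51.100.{i} user{i}@example.invalid {SPAM_SUBJECT}"
               for i in range(40)]
NORMAL = [f"1061900000 192.0.2.{i} user{i}@example.invalid Lunch plans {i}"
          for i in range(40)]
ALL_LINES = CENTRALIZED + DISTRIBUTED + NORMAL


def parse(line):
    """Split one log line into its fields; the subject may contain spaces."""
    ts, ip, rcpt, subject = line.split(" ", 3)
    return {"ts": int(ts), "ip": ip, "rcpt": rcpt, "subject": subject}


def blacklist_by_source(lines, threshold):
    """Classic defence: block any source address that sent more than `threshold` messages."""
    counts = Counter(parse(line)["ip"] for line in lines)
    return {ip for ip, n in counts.items() if n > threshold}


def fingerprint(subject):
    """Hash of the normalised content. Real systems hash the body, not just the subject."""
    return hashlib.sha256(subject.lower().encode()).hexdigest()[:16]


def bulk_fingerprints(lines, min_sources):
    """Content-based defence: flag a fingerprint seen from at least `min_sources` distinct senders."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse(line)
        sources[fingerprint(rec["subject"])].add(rec["ip"])
    return {fp for fp, ips in sources.items() if len(ips) >= min_sources}


def stopped_by(lines, blocked_ips, flagged_fps):
    """Count how many messages each defence would have stopped."""
    by_source = by_content = 0
    for line in lines:
        rec = parse(line)
        if rec["ip"] in blocked_ips:
            by_source += 1
        if fingerprint(rec["subject"]) in flagged_fps:
            by_content += 1
    return {"by_source": by_source, "by_content": by_content}


def compare(lines, threshold=10, min_sources=10):
    """Run both defences over the same log and report their coverage."""
    return stopped_by(lines,
                      blacklist_by_source(lines, threshold),
                      bulk_fingerprints(lines, min_sources))


if __name__ == "__main__":
    print("single relay only:", compare(CENTRALIZED + NORMAL))
    print("commandeered hosts only:", compare(DISTRIBUTED + NORMAL))
    print("both:", compare(ALL_LINES))
```

Against the single relay, the source threshold catches every message and the content check catches none, because one sender never reaches ten distinct sources. Against the forty commandeered hosts the situation is reversed: no host exceeds the threshold, so the address blacklist blocks nothing, while the fingerprint check catches all forty. That is the gap the article describes, and why gateways layer both kinds of check rather than relying on sender reputation alone.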

As a general definition, viruses are programs that travel by attaching
themselves to a file or document, while worms are self-propelled,
moving from computer to computer by some means.

The SoBig program, which has attributes of both a virus and a worm, is
a striking contrast to the Blaster worm, which appeared this month to
exploit a vulnerability in Microsoft's Windows operating system.

SoBig and its variants take advantage of human gullibility. The
program only spreads further when a computer user clicks on the
attached program, which then secretly mails itself to e-mail addresses
on the user's computer. In that respect, SoBig's variants have acted
more like mutant cells in a cancer than a virus, say computer security
experts.

Researchers said SoBig.F, which grew explosively after it was first
detected on Aug. 19, had begun to stabilize.

"We're now seeing about one in 50 e-mails infected, down from a peak
of one in 17," said Brian Czarny, marketing director of MessageLabs, a
London-based firm that protects against viruses and spam.

One point dramatically underscored by the new SoBig variant is that
computer users are still ignorant about the consequences of blithely
clicking attachments sent by either friends or strangers via the
Internet.

The program has forced security experts to revise their advice to
computer users, millions of whom routinely share documents and
programs via e-mail.

"Our advice used to be don't open attachments unless you know who it's
from," said King, of the CERT Coordination Center. "Our current
advice is don't open an attachment unless you are expecting one."
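The article describes a program that spreads only when the recipient runs the attached file, and advice that asks users to recognise unexpected attachments themselves. A mail gateway can take that decision out of the user's hands. The example below is added here and is not code from the article or from CERT: it parses raw messages with Python's standard `email` package and quarantines any attachment that carries a Windows-executable extension (including a hidden second extension such as `report.doc.exe`) or that starts with the `MZ` header of a Windows binary even when its name says otherwise. The extension list, the sample messages and the addresses are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on a double-click. Chosen for this example;
# a production filter would maintain a longer, reviewed list.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_attachment(filename, payload):
    """Return a reason string if the attachment looks executable, else None."""
    name = (filename or "").lower()
    # Examine every suffix so "photo.jpg.pif" and "report.doc.exe" are caught.
    parts = name.split(".")
    for ext in ("." + p for p in parts[1:]):
        if ext in EXECUTABLE_EXTENSIONS:
            return f"executable extension {ext}"
    # A Windows PE binary begins with "MZ" whatever it has been renamed to.
    if payload[:2] == b"MZ":
        return "PE header (MZ) despite non-executable name"
    return None


def triage_message(raw):
    """Parse a raw RFC 822 message and list (filename, reason) for attachments to quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reason = is_executable_attachment(part.get_filename(), payload)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def build_sample(filename, payload, subject):
    """Construct a sample message with one attachment (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("See the attached file.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples: a fake PE binary with an executable extension, the same
# bytes renamed to look like a picture, and a harmless text attachment.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 64
SAMPLES = {
    "worm_like": build_sample("your_details.pif", FAKE_PE, "Re: your document"),
    "renamed_binary": build_sample("photo.jpg", FAKE_PE, "Re: photo"),
    "benign": build_sample("notes.txt", b"meeting at 10", "Re: meeting"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage_message(raw) or "deliver")
```

The two checks are deliberately independent: the extension rule catches the common case cheaply, and the header rule catches the renamed binary that the extension rule misses. Neither depends on who the sender appears to be, which matters here because the article notes the program mails itself out using addresses found on the victim's own machine, so the sender is usually someone the recipient knows.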

Despite the clear potential for catastrophe from a virus like SoBig,
not everyone is demoralized.

"It is kind of a nightmare," said Hypponen of F-Secure, the antivirus
firm. He believes the possibility of commercial exploitation is the
reason behind these attacks. And he noted, in this case at least,
security experts have a motive to work with.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.