Sobig 'Carpet Bombs' the Internet
August 21, 2003
By Sharon Gaudin

Sobig-F, which has been causing chaos on corporate networks the past three days, is now being called the fastest spreading virus in the industry's history.

"It was a carpet bombing," says Chris Belthoff, a senior security analyst with Lynnfield, Mass.-based Sophos Inc., an anti-virus company. "We're judging this to be the fastest spreading worm ever, even surpassing Klez and LoveBug. This is really just a complete swamping, or inundation, of networks... Companies are having their email systems taken down because of the sheer volume of emails they're getting. It's a slow down, then a slow to a crawl and then just being taken offline."

Sobig-F, which first appeared this past Monday as the latest member of the malicious Sobig virus family, hit the Internet hard, flooding email servers and inboxes. Corporate networks staggered under the barrage with network access slowing to a crawl, and some email systems being taken temporarily offline to stop the siege.

AOL saw email traffic nearly quadruple yesterday, according to Nicholas Graham, an AOL spokesman. Graham says AOL scans email attachments at the gateway, checking for viruses. On an average day, the ISP scans approximately 11 million attachments. On Wednesday, the staff scanned 40.5 million email attachments and found 23.7 of those to be infected with viruses. Of those, 23.2 million were infected with Sobig-F.

"People are just getting pummeled, either with the virus or with notifications," says MJ Shoer, president and chief technology officer of Jenaly Technology Group, Inc., an IT provider and consultant based in Portsmouth, N.H. "We're just getting beaten on. One of our clients is seeing a 90 percent increase in email messages. In the case of my mailbox, it's close to 70 percent. And I have a firewall, a spam and content filter and anti-virus."

And Shoer says the virus attack is bringing regular work to a standstill.

"It's rendered IT staffs useless," he adds. "They're just flooded. If there was going to be a rollout or something, it's just not getting done. We're putting off everything that was a high priority."

Shoer also noted that he talked to an IBM engineer on Wednesday who wasn't able to offer him customer service because his email was down. Security analysts verified IBM's troubles but the company could not be reached for comment and its Web site was unresponsive Wednesday afternoon.

"A lot of corporations and universities had to literally shut down their email networks because of the huge volume of traffic of inbound Sobig emails and bounced email messages," says Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio. "If you're talking about a large corporation -- a Fortune 100 or a Fortune 200 -- and you take down an email system for an hour, it could cost that corporation a million dollars."

But three different security experts say the Sobig-F assault seems to have peaked yesterday afternoon, when the malicious email was accounting for at least 70 percent of all email flowing around the world. Today, the number is still high but most estimate that it has dropped down into the 60 percent to 70 percent range.

Sophos' Belthoff says the virus, which is a mass-mailing worm that also can spread via network shares, hit the Net so hard so quickly because of the spam-like spreading technique that the author used.

"They carpet bombed the Internet and played the numbers game," says Belthoff. "There were just millions of copies out there hitting the Internet all at the same time. It's a matter of sending out enough copies so that somebody will click on it. When you send out that many, even a small percentage of a response is going to make for a successful virus."

But other security analysts say the virus is hitting the Internet so hard because it is building on the impact of its Sobig predecessors.

Sundermeier explains that earlier variants of Sobig have infected computers and then downloaded Trojans to set the machines up to be hidden proxy servers. "The author has a huge army now for the next seeding," he says. "Every Sobig variant becomes bigger and bigger, and we believe it's because of this army he's building of infected machines."

Sobig-F is designed to die out on Sep. 10. That's leading many analysts to suspect that the next variant will hit on Sep. 11 or soon after. And if that variant builds on the malicious success of Sobig-F, then the damage could be even worse.

AOL's Graham says they are already planning defenses for the next Sobig attack. "We're already gearing up for the next variant, Sobig-G, if you will," he says.

When the worm arrives via email, it poses as a .pif or .scr file. The sender's address is spoofed. The subject lines used are taken from a list, including 'Re: That movie', 'Re: Wicked screensaver', 'Re: Approved' and 'Your details'.
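
A gateway-side check for the indicators described above, as an added example that is not part of the original article: it flags .pif and .scr attachments and the four quoted subject lines, and never consults the sender because that address is spoofed. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article (it says the subject list includes these four).
BLOCKED_EXTENSIONS = (".pif", ".scr")
KNOWN_SUBJECTS = {"re: that movie", "re: wicked screensaver",
                  "re: approved", "your details"}

def inspect_message(raw_bytes):
    """Return the reasons a raw RFC 5322 message matches the indicators."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Compare case-insensitively and drop trailing dots/spaces, which
        # Windows ignores, so "x.scr." is treated like "x.scr".
        cleaned = name.strip().rstrip(". ").lower()
        if cleaned.endswith(BLOCKED_EXTENSIONS):
            reasons.append("attachment:" + name)
    return reasons

def should_quarantine(raw_bytes):
    """Quarantine on attachment type only; From is spoofed and never consulted."""
    return any(r.startswith("attachment:") for r in inspect_message(raw_bytes))

def build_sample(subject, filename):
    """Build a constructed test message (placeholder bytes, not real malware)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"   # constructed address
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Re: Approved", "document.PIF"),
                        ("Your details", None),
                        ("Quarterly report", "report.pdf"),
                        ("hello", "photo.jpg.scr.")]:
        raw = build_sample(subj, fname)
        print(subj, fname, inspect_message(raw), should_quarantine(raw))
```

A subject match alone is reported but does not trigger quarantine, since the subject text is trivial for the next variant to change while the executable attachment type is what makes the message dangerous.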
