I'll admit it, like most of the antivirus community, I'm obsessed with the prospect of a new and improved Sobig worm arriving within the next few days or weeks. We now have a pretty good idea how Sobig.f, the most recent variation, operates. We know that the author (assuming this is the work of a single individual) has consistently improved Sobig over the course of its six iterations.
But we still don't know what the author is up to. Personally, I don't think he or she wants to take down the Internet. Rather, whoever is responsible for Sobig wants nothing less than to control the Net.
The story thus far
The Sobig worm first appeared in January 2003. It employed seemingly innocuous, common subject lines to entice people to open infected e-mail messages and thus spread itself across the Net.
The current variation started with an account on Easynews, a Phoenix-based ISP, from which a file containing the original infection was uploaded to a porn site. However, it turns out that the Canadian PC used to open that Easynews account was itself compromised. Furthermore, the credit card used to open the account was stolen.
Ever since Sobig first appeared, each subsequent version has had an expiration date; the worm simply stops working after a preset date. This allows the author to fix any flaws and release an updated version soon thereafter.
For example, we now know that each successive Sobig version has significantly improved the worm's delivery system. The component of the Sobig worm that spread by e-mail is just one part of it. The second part must be downloaded from another source. An early Sobig variation tried to contact one Internet address to do the downloading--and that site was promptly shut down.
However, within Sobig.f, researchers found the addresses of 20 compromised home-based PCs from which Sobig-infected systems worldwide would solicit these additional instructions. Prior to 1900 Universal time on Friday, August 15--the time infected systems were expected to download the worm's second component--the sites contained no code or URLs. The author was, presumably, intending to feed these sites with updated code just moments before the August 15 deadline.
Law enforcement involved
As it happened, antivirus researchers gave their Sobig.f information to appropriate law-enforcement agencies in advance of this second part of the infection. As a result, 18 of the 20 PCs were shut down and one was unresponsive when the bewitching hour arrived. One PC did communicate with the thousands of Sobig-infected PCs worldwide, but it quickly became overwhelmed. It also contained only a porn site's URL, not the malicious code some had predicted.
Had everything gone as the author intended, all of the Sobig-infected PCs around the world would have contacted one of these 20 systems, which in turn might have pointed the infected PC to yet another system, one that might provide malicious code or instructions to attack a specific Web site.
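The two-stage design described above (infected hosts polling a short, hard-coded list of second-stage addresses at a preset UTC time) lends itself to a simple network-side check: flag internal hosts that contact any watch-listed address around the trigger time. This is an added example, not code from the column or from any antivirus vendor; the addresses and firewall log lines are constructed placeholders, since the real 20 addresses are not given here.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed watch list: placeholders standing in for the second-stage
# addresses researchers extracted from Sobig.f (the real ones are not on the page).
RENDEZVOUS_HOSTS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Trigger time named in the column: 19:00 UTC, Friday 15 August 2003.
TRIGGER = datetime(2003, 8, 15, 19, 0, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=30)  # how far either side of the trigger to look

# Constructed firewall log, one line per outbound connection:
# "<ISO timestamp> <internal src> -> <external dst>"
SAMPLE_LOG = """\
2003-08-15T18:42:10Z 10.0.0.5 -> 192.0.2.10
2003-08-15T19:00:03Z 10.0.0.5 -> 192.0.2.11
2003-08-15T19:00:04Z 10.0.0.9 -> 192.0.2.10
2003-08-15T19:00:09Z 10.0.0.12 -> 198.51.100.7
2003-08-15T19:05:00Z 10.0.0.9 -> 203.0.113.44
2003-08-15T10:15:00Z 10.0.0.20 -> 192.0.2.10
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst)."""
    ts, src, _, dst = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst


def suspected_infections(log_text, trigger=TRIGGER, window=WINDOW, hosts=RENDEZVOUS_HOSTS):
    """Return {internal host: [watch-listed addresses it contacted]} for every
    internal host that reached a rendezvous address within +/- window of trigger.
    Connections to watch-listed hosts outside the window are ignored, so a stray
    hit hours earlier (10.0.0.20 below) does not count."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, dst = parse_line(line)
        if dst in hosts and abs(when - trigger) <= window:
            hits[src].append(dst)
    return dict(hits)


if __name__ == "__main__":
    for host, contacted in suspected_infections(SAMPLE_LOG).items():
        print(f"{host} contacted rendezvous hosts: {', '.join(contacted)}")
```

Every host that shows up in the result contacted a known second-stage address within the window, which is the "many internal machines, same handful of external addresses, same minute" pattern the column describes.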
Sobig.g, which is what we expect the next variation will be called, may well benefit from this experience and be craftier and more dangerous. It may use better encryption, and may point to, say, 100 addresses in different countries, making it much harder to shut them all down should they be discovered prematurely. And if there was a feature in Sobig.f that allowed the author to change the list of 20 IP addresses at the very last minute, that feature failed; it might be fixed in Sobig.g.
Like any criminal hacker, Sobig's author has been patiently planning these releases: building a network of compromised PCs, relying on stolen identities, and going to great lengths to hide his or her true intentions.
, which announced its intention to shut down the Windows Update site days in advance of the actual attack, Sobig.f hid its plans within an encrypted portion of the viral code. Antivirus researchers were able to crack that encryption--but did so just hours before the second part of the infection was to strike.
Then again, maybe we're wrong about the intent. Instead of launching a denial-of-service attack or something malicious, perhaps the author intends to establish a very large proxy network. Such a network of computers worldwide would allow someone to send bulk e-mail anonymously--and would be worth real money to whoever created it. Under this scenario, instead of bringing down the Internet, as some predicted would happen on August 15, perhaps Sobig will merely contribute to its slow and painful demise under a sea of unwanted e-mail.
I've been asked if people are shying away from online purchases or generally not using their computers because of Sobig. I've seen no evidence of that. Whatever the intent of Sobig, if we each install and maintain our antivirus software and install a personal firewall, we won't see the exponential e-mail congestion occur again in the future. And the Internet will once again become a friendlier place.