May traditionally marks the beginning of what I call the virus season, which lasts until August or September, coinciding more or less with the traditional summer break at most high schools and colleges. For example, this past week marked the fifth anniversary of the I Love You virus. So the appearance of Sober.p didn't really surprise me; what did, however, is that this is the 16th variation of Sober, not something original and new (like I Love You). "Historically," writes Mikko Hypponen, director of antivirus research at F-Secure, in a recent blog, "Sober variants have often made a pretty big hit, especially in central Europe. We'll see what happens with this one." So, half a world away, as my e-mail server ground to a crawl, overloaded with Sober.p, it got me thinking: Why this particular virus? Why keep hacking away at some modestly disruptive viral code instead of producing something new?
In recent years, we've seen full-on attacks from e-mail viruses such as Sober and Sobig, and backdoor Trojan horse-carrying worms such as MSBlast and Sasser. E-mail viruses should be virtually extinct, right? We all know not to open attached e-mail files and to always keep our antivirus apps updated, right? And worms, they should be stopped at your personal firewall, right? Well, it's not that simple. The most successful e-mail viruses have long relied on social engineering, and in this case, e-mail promising World Cup Soccer tickets (for German speakers) or implying that your e-mail didn't go through (for English speakers) was enough for Sober to break through and cause worldwide e-mail headaches last week.
The why of e-mail viruses: $$$
Not long ago, e-mail viruses were essentially dead. I said as much in August of 2003. Then spammers seized upon their hidden value: active e-mail addresses. Active e-mail addresses are worth good money to spammers, who previously bought and traded discs of addresses, most of which were horribly out of date. A successful new virus, on the other hand, could automatically harvest hundreds of thousands of active e-mail addresses in only a matter of hours.
There's no definitive proof that the author of Sobig worked under the employ of spammers, but when a virus steadily improves over time, it suggests that someone was perfecting harvesting skills. Sobig wasn't merely the by-product of a geeky ego trip; this was business. The same could be said of Sober, a relatively minor virus, except that now it's managed to clog up e-mail servers worldwide.
The worm writers' agenda: $$$
Worms, on the other hand, are useful for building botnets, which are "0wn3d" computers: unprotected computers in homes and offices worldwide compromised with secret backdoor Trojans and remotely controlled by a few people. Botnets, like active e-mail addresses, have economic value. They can be bought, traded, or sold. By cobbling together a botnet of, say, 10,000 owned computers worldwide, you could then sell control to someone else who'll use it to shut down a midsize e-commerce site, unless that site pays out protection money. Such extortion has already occurred.
TCP, one of the main protocols used on the Internet, uses a three-way handshake to connect your browser to the Web site you want. Your browser initiates the process by sending a Syn data packet to synchronize and establish communication with the server hosting the Web site you want to visit; the Web server then sends back an Ack packet in acknowledgement of having received the Syn packet, and, finally, your browser returns an Ack packet to the server opening the connection. In a distributed denial-of-service (DDoS) attack, however, those 10,000 owned computers in a botnet all try to connect to one specific site at once, then keep trying to connect--before the site can acknowledge the original request, creating a Syn flood. Pretty soon the e-commerce site is so busy trying to acknowledge all the requests, which remain open for several long seconds, that no new requests can be processed. You'll see a 404 error on your browser instead, and the site, unable to service users, starts to lose money.
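The handshake and the "requests that remain open" described above, replayed from the server's side as a detector: this is an added example, not code from the column. It assumes constructed event records and placeholder addresses, timeouts and thresholds; one detail worth keeping straight is that the server's reply in step two carries both the SYN and ACK flags (a SYN-ACK), and what a flood exhausts is the pool of connections stuck waiting for the client's final ACK.

```python
"""Spot a Syn flood by counting half-open TCP handshakes per server.

Added example, not from the original column. Event records are constructed:
(time_seconds, client, server, flags) where `client` is always the address
that sent the first Syn and `flags` is "S" (client Syn), "SA" (server's
Syn-Ack) or "A" (client's final Ack). Hosts and limits are placeholders.
"""
from collections import defaultdict

HALF_OPEN_TTL = 3.0     # assumption: server drops an unanswered Syn-Ack after 3 s
FLOOD_THRESHOLD = 50    # assumption: this many concurrent half-open slots is abnormal


def peak_half_open(events, ttl=HALF_OPEN_TTL):
    """Replay events in time order; return {server: max half-open connections
    seen at any instant}. A connection is half-open from the moment the server
    sends its Syn-Ack until the client's Ack arrives or the server times it out."""
    pending = defaultdict(dict)   # server -> {client: time the Syn-Ack went out}
    peak = defaultdict(int)
    for t, client, server, flags in sorted(events):
        # forget entries the server would already have given up on
        pending[server] = {c: t0 for c, t0 in pending[server].items() if t - t0 <= ttl}
        if flags == "SA":
            pending[server][client] = t          # now waiting on the third leg
        elif flags == "A":
            pending[server].pop(client, None)    # handshake completed, slot freed
        peak[server] = max(peak[server], len(pending[server]))
    return dict(peak)


def syn_flood_alerts(events, threshold=FLOOD_THRESHOLD):
    """Servers whose half-open backlog ever reached the threshold."""
    return sorted(s for s, n in peak_half_open(events).items() if n >= threshold)


def make_sample():
    """Constructed traffic: one honest shopper completes the handshake, a mail
    server sees one stale Syn-Ack that expires before the next client, and
    100 spoofed sources hit the shop with Syns that are answered but never Acked."""
    ev = [(0.00, "198.51.100.7", "shop.example:80", "S"),
          (0.01, "198.51.100.7", "shop.example:80", "SA"),
          (0.02, "198.51.100.7", "shop.example:80", "A"),
          (0.00, "192.0.2.9", "mail.example:25", "S"),
          (0.01, "192.0.2.9", "mail.example:25", "SA"),   # never Acked, times out
          (5.00, "192.0.2.10", "mail.example:25", "S"),
          (5.01, "192.0.2.10", "mail.example:25", "SA"),
          (5.02, "192.0.2.10", "mail.example:25", "A")]
    for i in range(100):
        src = f"203.0.113.{i + 1}"
        ev.append((1.0 + i * 0.001, src, "shop.example:80", "S"))
        ev.append((1.0005 + i * 0.001, src, "shop.example:80", "SA"))
    return ev
```

Run against real data, the same logic applies to firewall or flow logs once each record is reduced to the four fields above; the peak backlog, not the raw Syn rate, is what separates a flood from a busy day.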
In 2004, the original MyDoom worm attempted to shut down Microsoft's Windows Update site (the site was moved before the appointed hour); however, subsequent MyDoom worms successfully shut down SCO Linux and several peer-to-peer music networks. Online betting sites have been targeted for extortion prior to World Cup soccer finals or American football or baseball play-off games. Numerous mom-and-pop e-commerce sites have also been victimized, some of which just pay and don't even bother to report the extortion.
Virus writers now legit or underground
I think the really good virus writers, the creative ones who challenged the antivirus community with innovative ways of stealing control of a remote computer, have turned their attention elsewhere. There was a definite lull in virus activity during 2003, and I think that period marked a clear transition from random pranksters writing code to dedicated professional virus writers. Virus writers without a criminal record have since taken lucrative security jobs or have simply gone underground, still writing code for each other. A few, though, appear to be getting paid to tweak the latest variation of MyDoom and perhaps Sober.
I say this because when I first started writing about computer viruses back in 1999, there was a new type of virus hitting every week or so. Now, original viruses--Sober, Netsky, MyDoom, Sobig--occur infrequently, and even then resurface ad nauseam as variations on a theme. But virus writers may be tripping themselves up with this approach. Where original viruses are unique, repeat viruses give law enforcement more clues about their author or authors. Coding is somewhat like a fingerprint, with certain programming tics or embedded comments identifying individuals.
Now that the hobbyists have left the virus-writing arena and the criminals (interested in making money) have started taking over, law enforcement, relying on traditional patterns of criminology, should be able to arrest those responsible. Until then, however, get ready for a few more iterations of Sober, MyDoom, and perhaps even Sobig. Virus season 2005 has just begun.
Were you inconvenienced by Sober in the last week? Why or why not? Talk back to me.