The Sobig.f worm that continues to bedevil computer networks around the globe is poised to unleash a new phase of its havoc between 3:00 PM and 6:00 PM Eastern Standard Time on Friday, security experts warned, even though they may have already blunted its intended effect.
Security firm F-Secure Corporation warned on Friday that the Windows e-mail worm Sobig.f, already dubbed the most widespread worm in the world since it began clogging and infecting global computer networks on Tuesday, is planning a new phase of attack to hit on Fridays and Sundays until it is programmed to expire on Sept. 10th.
The worm infected close to one million computers via e-mail attachments in e-mails with spoofed addresses (including a spoofed address owned by the parent company of this publication), experts said. Now, those infected computers are programmed to start to connect to machines found on an encrypted list hidden in the virus body. F-Secure said the list contains the address of 20 computers located in United States, Canada and South Korea and is expected to start at 3:00 EST Friday.
Once the worm infected a machine, it was then programmed to go to one of those 20 Web sites to pull down code to drop it into the infected machine, said Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus company based in Lynfield, Mass. But he said those 20 machines are believed to be offline.
"These 20 machines seem to be typical home PCs, connected to the Internet with always-on DSL connections," said Mikko Hypponen, director of anti-virus research at F-Secure.
"Most likely the party behind Sobig.f has broken into these computers and they are now being misused to be part of this attack."
F-Secure and other experts said the worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a Web address, they said. Infected machines download a program from this address -- and run it. At this moment experts say they are not sure what the program will do.
F-Secure said it has been able to break into this system and crack the encryption, but currently the Web address sent by the servers doesn't go anywhere.
"The developers of the virus know that we could download the program beforehand, analyze it and come up with countermeasures," said Hypponen. "So apparently their plan is to change the Web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."
The Sobig worms come with a three-stage attack, added Ken Dunham, malicious code intelligence manager with Reston, Va.-based iDefense, Inc. The e-mail worm is the first stage, installing a backdoor Trojan is the second stage and then installing a proxy server is the last stage.
"The backdoor is designed to let the attacker steal information," said Dunham. "He could steal password data or the worm could activate a key logger whenever you're doing online banking."
Dunham said if the 20 IPs used in the attack are available and manipulated by the attacker, the attacker can install malicious code of choice on SoBig infected computers connecting to the downloader IP. The code may be anything but has traditionally been a backdoor Trojan (Lala/Hooker) and then a copy of Wingate (proxy server).
"Blocking outbound UDP 8998 activity will successfully block SoBig communications with remote servers hard coded into the code of the worm used for updating itself/installing new code. Additionally, blocking against the NTP server ports may prevent the worm from meeting certain date and time conditions for the secondary and tertiary attacks. Block port 123 and UDP ports 995-999," Dunham explained.
He also suggested that IT administrators block against the Wingate proxy server if found on a computer so that spam cannot be sent through a formerly infected or currently infected computer.
Since it was discovered this week, the Sobig.f variant of the Sobig worm has been called the fastest-spreading worm ever discovered on the Internet, according to numerous online security firms.
F-Secure also said it has been working with officials, authorities and various CERT organizations to disconnect the specific machines from the Internet. "Unfortunately, the writers of this virus have been waiting for this move too," said F-Secure's Hypponen. These 20 machines are chosen from the networks of different operators, making it quite likely that there won't be enough time to take them all down by 3:00 EST (19:00 UTC). Even if just one stays up, it will be enough for the worm, F-Secure said.
F-Secure said the techniques used by the worm make it quite obvious it's not written by a typical teenage virus writer. "Who's behind all this? "Looks like organized crime to me," said Hypponen.