[ISN] SoBig hacker may have profit motive

From: InfoSec News (isnat_private)
Date: Thu Aug 28 2003 - 00:24:44 PDT

  • Next message: InfoSec News: "[ISN] See How BlackHat Briefings Reflect Industry Changes- - August 27, 2003"

    Forwarded from: Richard C. <richardat_private>
    
    http://www.signonsandiego.com/news/uniontrib/tue/business/news_1b26virus.html
    
    By John Markoff 
    NEW YORK TIMES NEWS SERVICE
    
    August 26, 2003
    
    SAN FRANCISCO ? Computer security experts and law enforcement
    officials are struggling to understand the motives of a mysterious
    software author who appears intent on prying open many of the
    electronic locks on the Internet.
    
    The malicious program known as SoBig, which is transmitted as an
    e-mail attachment and then resends itself widely via the Internet, is
    actually the sixth variant in an experiment by an unknown attacker.
    During the past eight months the author or authors have persistently
    tried to implant a range of secret tools for stealing information and
    sending unsolicited commercial e-mail messages, or spam, according to
    security experts.
    
    One possibility now being discussed is that the program is an attempt
    to create software engines for sending spam by using unprotected
    computers that have been surreptitiously commandeered by the virus.
    Access to such computers could then be sold to e-mail marketing
    companies.
    
    "I think the motivation is clear. It's money," said Mikko H. Hypponen,
    director of anti-virus research at F-Secure, an anti-virus firm based
    in Helsinki, Finland, which is decoding the illicit program. "Behind
    SoBig we have a group of hackers who have a budget and money."
    
    Whatever the motive, the writer of the rogue program appears to be
    engaged in a dark game with anti-virus companies, repeatedly eluding
    their defenses with ever-more virulent adaptations. In the case of
    four of the six programs, a new version was launched immediately after
    the self-timed expiration date of the preceding program.
    
    "You can liken this guy to Lex Luthor and we're all Supermen," said
    Russ Cooper, a computer security expert at Trusecure, based in
    Herndon, Va.  "Luckily, we've been able to get the kryptonite from
    around our necks each time so far."
    
    Law enforcement officials and security experts said yesterday they did
    not know the identity of the attacker, but expected that there would
    be a new variant of the experiment, possibly as soon as next month.
    
    The current version of the program, labeled Sobig.F, is scheduled to
    expire on Sept. 10 and defenders are bracing for a new onslaught
    shortly afterward.
    
    "We don't have any technical reason to expect a follow-on, but given
    the past history it is reasonable to assume there will be more," said
    Brian King, an Internet security analyst at the Computer Emergency
    Response Team Coordination Center at Carnegie Mellon University in
    Pittsburgh.
    
    There is no shortage of theory and speculation among the software
    defenders who have been attempting to combat the program. The most
    frequently heard speculation is that Sobig is the work of an e-mail
    spammer who is aggressively trying to build a clandestine
    infrastructure for blitzing the Internet with junk e-mail.
    
    "If machines remain infected they could be used in any kind of
    attack," said Joe Hartmann, director of North American anti-virus
    research for Trend Micro, an anti-virus software firm headquartered in
    Tokyo. "The question we ask ourselves is what is he trying to achieve?
    We don't think it's planned for specific threat. Rather its more
    likely a money-making spam scheme."
    
    Several computer security researchers said they had seen some hints
    that the program's author might have a strategy for profiting from the
    virus.
    
    "There is some evidence that he's been tied in with spammers," said
    Bruce Hughes, director of malicious-code research at Trusecure.
    Although many companies routinely blacklist the Internet address from
    which spam is sent, a strategy that used computers that had been
    commandeered by the SoBig program would be almost impossible to
    defeat.
    
    As a general definition, viruses are programs that travel by attaching
    themselves to a file or document, while worms are self-propelled,
    moving from computer to computer by some means.
    
    The SoBig program, which has attributes of both a virus and a worm, is
    a striking contrast to the Blaster worm, which appeared this month to
    exploit a vulnerability in Microsoft's Windows operating system.
    
    SoBig and its variants take advantage of human gullibility. The
    program only spreads further when a computer user clicks on the
    attached program, which then secretly mails itself to e-mail addresses
    on the user's computer. In that respect, SoBig's variants have acted
    more like mutant cells in a cancer than a virus, say computer security
    experts.
    
    After growing explosively after it was first detected on Aug. 19,
    researchers said SoBig.F had begun to stabilize.
    
    "We're now seeing about one in 50 e-mails infected, down from a peak
    of one in 17," said Brian Czarny, marketing director of MessageLabs, a
    London-based firm that protects against viruses and spam.
    
    One point dramatically underscored by the new SoBig variant is that
    computer users are still ignorant about the consequences of blithely
    clicking attachments sent by either friends or strangers via the
    Internet.
    
    The program has forced security experts to revise their advice to
    computer users, millions of whom routinely share documents and
    programs via e-mail.
    
    "Our advice used to be don't open attachments unless you know who it's
    from,"  said King, of the CERT Coordination Center. "Our current
    advice is don't open an attachment unless you are expecting one."
    
    Despite the clear potential for catastrophe from a virus like SoBig,
    not everyone is demoralized.
    
    "It is kind of a nightmare," said Hypponen of F-Secure, the antivirus
    firm. He believes the possibility of commercially exploitation is the
    reason behind these attacks. And he noted, in this case at least,
    security experts have a motive to work with.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Aug 28 2003 - 03:38:10 PDT