Forwarded from: Richard C. <richardat_private>

http://www.signonsandiego.com/news/uniontrib/tue/business/news_1b26virus.html

By John Markoff
NEW YORK TIMES NEWS SERVICE
August 26, 2003

SAN FRANCISCO - Computer security experts and law enforcement officials are struggling to understand the motives of a mysterious software author who appears intent on prying open many of the electronic locks on the Internet.

The malicious program known as SoBig, which is transmitted as an e-mail attachment and then resends itself widely via the Internet, is actually the sixth variant in an experiment by an unknown attacker. During the past eight months the author or authors have persistently tried to implant a range of secret tools for stealing information and sending unsolicited commercial e-mail messages, or spam, according to security experts.

One possibility now being discussed is that the program is an attempt to create software engines for sending spam by using unprotected computers that have been surreptitiously commandeered by the virus. Access to such computers could then be sold to e-mail marketing companies.

"I think the motivation is clear. It's money," said Mikko H. Hypponen, director of anti-virus research at F-Secure, an anti-virus firm based in Helsinki, Finland, which is decoding the illicit program. "Behind SoBig we have a group of hackers who have a budget and money."

Whatever the motive, the writer of the rogue program appears to be engaged in a dark game with anti-virus companies, repeatedly eluding their defenses with ever-more virulent adaptations. In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding program.

"You can liken this guy to Lex Luthor and we're all Supermen," said Russ Cooper, a computer security expert at Trusecure, based in Herndon, Va. "Luckily, we've been able to get the kryptonite from around our necks each time so far."
Law enforcement officials and security experts said yesterday they did not know the identity of the attacker, but expected that there would be a new variant of the experiment, possibly as soon as next month. The current version of the program, labeled Sobig.F, is scheduled to expire on Sept. 10, and defenders are bracing for a new onslaught shortly afterward.

"We don't have any technical reason to expect a follow-on, but given the past history it is reasonable to assume there will be more," said Brian King, an Internet security analyst at the Computer Emergency Response Team Coordination Center at Carnegie Mellon University in Pittsburgh.

There is no shortage of theory and speculation among the software defenders who have been attempting to combat the program. The most frequently heard speculation is that Sobig is the work of an e-mail spammer who is aggressively trying to build a clandestine infrastructure for blitzing the Internet with junk e-mail.

"If machines remain infected they could be used in any kind of attack," said Joe Hartmann, director of North American anti-virus research for Trend Micro, an anti-virus software firm headquartered in Tokyo. "The question we ask ourselves is what is he trying to achieve? We don't think it's planned for a specific threat. Rather, it's more likely a money-making spam scheme."

Several computer security researchers said they had seen some hints that the program's author might have a strategy for profiting from the virus. "There is some evidence that he's been tied in with spammers," said Bruce Hughes, director of malicious-code research at Trusecure.

Although many companies routinely blacklist the Internet address from which spam is sent, a strategy that used computers that had been commandeered by the SoBig program would be almost impossible to defeat.
As a general definition, viruses are programs that travel by attaching themselves to a file or document, while worms are self-propelled, moving from computer to computer by some means. The SoBig program, which has attributes of both a virus and a worm, is a striking contrast to the Blaster worm, which appeared this month to exploit a vulnerability in Microsoft's Windows operating system.

SoBig and its variants take advantage of human gullibility. The program only spreads further when a computer user clicks on the attached program, which then secretly mails itself to e-mail addresses on the user's computer. In that respect, SoBig's variants have acted more like mutant cells in a cancer than a virus, say computer security experts.

Researchers said SoBig.F, which grew explosively after it was first detected on Aug. 19, had begun to stabilize. "We're now seeing about one in 50 e-mails infected, down from a peak of one in 17," said Brian Czarny, marketing director of MessageLabs, a London-based firm that protects against viruses and spam.

One point dramatically underscored by the new SoBig variant is that computer users are still ignorant about the consequences of blithely clicking attachments sent by either friends or strangers via the Internet. The program has forced security experts to revise their advice to computer users, millions of whom routinely share documents and programs via e-mail.

"Our advice used to be don't open attachments unless you know who it's from," said King, of the CERT Coordination Center. "Our current advice is don't open an attachment unless you are expecting one."

Despite the clear potential for catastrophe from a virus like SoBig, not everyone is demoralized. "It is kind of a nightmare," said Hypponen of F-Secure, the anti-virus firm. He believes the possibility of commercial exploitation is the reason behind these attacks. And he noted that, in this case at least, security experts have a motive to work with.
- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Aug 28 2003 - 06:15:58 PDT