SoBig: Worst is Yet to Come

bl8n8r writes "Experts say when vacationers get back to work Monday, inboxes will unleash the worm's worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
  • Skeptical (Score:3, Insightful)

    by Urthpaw ( 234210 ) on Thursday August 21, 2003 @03:43PM (#6757843) Homepage
    This article claims that time wasted will cost businesses tens of millions of dollars. It seems to me that no matter how much spam/virus flooding/crap you get in your inbox, you only do so much work every day. If you take five extra minutes to clean out your inbox, that's five minutes less of surfing Slashdot or screwing around. Deadlines don't change for viruses -- people still have to do as much real work as ever.
  • by Anonymous Coward on Thursday August 21, 2003 @03:43PM (#6757852)
    2 worms (DCOM and Welchia) and a virus variant in less than two weeks.

    This should tell investors that they are wasting their money.

    This should tell companies that they are wasting their money.

    Someone, somewhere, will hopefully get a clue.
  • school's in! (Score:3, Insightful)

    by theflea ( 585612 ) on Thursday August 21, 2003 @03:45PM (#6757877)
    Wait till infected laptops & workstations start moving back into the dorms!
  • by ktakki ( 64573 ) on Thursday August 21, 2003 @03:45PM (#6757886) Homepage Journal
    So far this week, I've received only seven actual copies of W32/Sobig. However, the number of messages from mailer-daemons and mail server virus scanners has exceeded this by a factor of ten. Some of these rejection messages actually include a copy of the infected .PIF file.

    You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field. I didn't send it, my Mac is not infected. You're just annoying me. Please go away.

    At best, this is collateral damage. At worst, these rejection messages are actually advertising the IP addresses of infected systems. Should a virus drop a back door payload, this would multiply the damage.

    k.
  • Why deal? (Score:2, Insightful)

    by Glendale2x ( 210533 ) <[su.yeknomajnin] [ta] [todhsals]> on Thursday August 21, 2003 @03:46PM (#6757907) Homepage
    Okay... so it costs time and money to clean these random virus outbreaks from Windows machines. So did the last big virus problem before this, and the one before it, and so on.

    Maybe I'm missing something here, but why do businesses and consumers put up with this stuff?
  • by aridhol ( 112307 ) <ka_lac@hotmail.com> on Thursday August 21, 2003 @03:48PM (#6757931) Homepage Journal
    plus maybe 30 automated msgs saying _I'd_ sent out such nastiness/bloat.
    I was getting that, too. I think it generates the return address the same way it sends the to: address. They both come from the user's address book. Because of this, other people get the warnings, not the person who's actually infected. This allows the virus to go undetected longer.
  • Vacation? (Score:5, Insightful)

    by *weasel ( 174362 ) on Thursday August 21, 2003 @03:49PM (#6757945)
    was a statistically significant portion of the workforce on vacation this week?

    that seems like a pretty weak overall premise for an expected resurgence.

    now if he said that he expects a steady stream of continued activity into early next month, due to all the people who take vacations throughout august - he might have a point.

    but to suggest that these 'vacationers' will unleash the same spam deluge Monday that the rest of the unwashed have given us this past week is a bit shaky.
  • by TheOtherChimeraTwin ( 697085 ) on Thursday August 21, 2003 @03:50PM (#6757963)
    We've been lucky that these recent worms/viruses have been basically harmless. (Heck, some here might argue that targeting windowsupdate.com was a good thing!) There have been a lot of side effects that have made them annoying, but no really nasty payloads that destroy people's data. I hope we learn some lessons before a truly evil worm is unleashed.
  • Even worse... (Score:5, Insightful)

    by cperciva ( 102828 ) on Thursday August 21, 2003 @03:50PM (#6757973) Homepage
    You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field.

    The situation is even worse than that: Most (all?) of the virus scanners sending me autoreplies correctly identified the virus as being Sobig -- which always uses spoofed source addresses.

    Sending autoreplies is sometimes useful, but these scanners should at the very least have a table which tells them, for each virus, whether an autoreply should be sent (i.e., a table which specifies if a virus uses spoofed source addresses).
  • by Gothmolly ( 148874 ) on Thursday August 21, 2003 @03:51PM (#6757984)
    This will be used by countless FUDmasters to con Joe Sixpack into things like:
    Accepting DRM/TPCA (otherwise unsigned code can run)
    Outlawing P2P
    Port filtering by ISPs
    Accepting blind AutoUpdates
    [US]Cheering on the Patriot Act[/US]
    'outlawing' Spam

    All in the name of 'security'. Insert obligatory Franklin quote: Those who would trade freedom for security will lose both, and deserve neither.
  • by Rosco P. Coltrane ( 209368 ) on Thursday August 21, 2003 @03:51PM (#6757985)
    Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems rather than the destruction of files or the opening of files to outsiders on the Internet, which can be problems with many computer viruses. Pescatore said that the cost of both technical support personnel and lost productivity by the computers' users can range from $500 to $1,000 per infected machine.

    And who is Marc Sunner? He's the CTO of MessageLabs. And what does MessageLabs do, you ask? See for yourself, from the main page at messagelabs.com:

    Email security today is a global issue which pervades whole organizations. Viruses, spam, pornographic material and other harmful or unwanted content represent a serious risk to your company. To combat these all too real threats, you need a total, proven and effective solution. Only MessageLabs can assure you of complete peace of mind from complete email security.

    $500 to $1000 to clean up each infected machine? Right, whatever Marc. And it's obvious you don't have *any* interest in propagating that baloney too. (On second thought, if you hire me to clean your machines, I'll do a 5% discount off that price.)

    Another fine impartial article reposted by Slashdot. (By the way, the word you're looking for is "advertising") ...
  • According to the article, since SoBig is much more successful against servers that do not have very good spam filters, the excessive SoBig traffic has prevented a lot of spam from being sent since it's eating up the bandwidth usually used by spammers. I'll have to admit that while I've had a LOT of SoBig spam, I have seen a decrease in other spam over the past few days.

    So is that the solution to spam? Maybe someone should write a worm that always has the same payload so it can be easily filtered. We never have to see the fake spam messages, the real spammers won't be able to send harder-to-filter messages, and the server owners of those loose servers will have an incentive to clean up their act with the worm eating up all of their bandwidth.

    Actually, extending this, maybe the way to fight open machines is to cause the open machines to send themselves excessive traffic, rendering them fairly useless until their operators fix them, but not negatively impacting the rest of the net.
  • by BWJones ( 18351 ) on Thursday August 21, 2003 @03:53PM (#6758019) Homepage Journal
    That's my plan. Just pull the plug on the Wintel stuff, toss 'em in the trash and replace them with Macs running OS X. :-)

    I was being a little glib there, but it should be pointed out that the labor costs associated with managing all of this crap are pretty serious. Overtime charges, benefits and basic salary for a $74k employee for the last three days are running what? At least $1000k per employee. With eight IT dudes running around fixing all of the Wintel systems that's eight grand worth of new Macs that will have much better uptime and lower costs just from the last three days alone. Now, consider how many of these little virus and worm issues there have been in the past year.

  • by ratfynk ( 456467 ) on Thursday August 21, 2003 @03:53PM (#6758020) Journal
    I am receiving sobig shit at a rate of 3 to 4 per friggin' hour right now, and you say it will get worse? I am surprised it has not crashed the whole net yet! It is time to isolate Microsoft users from the rest of the net! HA HA HA they are a frigging menace.
  • by kubla2000 ( 218039 ) on Thursday August 21, 2003 @03:53PM (#6758023) Homepage

    What I find discouraging is that the lemmings are falling for it despite this being The Week of Teh Worm.

    All the hopeful articles that have cited users claiming a new awareness of the risk of worms and virii seem to be pipe dreams.

    Dumb users are dumb users and the more infectious and persistent the virus, the more networks are going to get hammered. Why oh why aren't all pif, scr, exe, com, and vbs attachments just blocked by the MDA? There is no good reason for allowing an end user the huge complexity of choosing whether or not to click on the latest attachment that's come to them from "the internet".

    If the lemmings are getting suckered this week... when every news medium is blathering on about viruses worming their way through nuclear reactors and motor vehicle registration offices, what hope is there for when the attention has settled?
  • Re:Vacation? (Score:3, Insightful)

    by RollingThunder ( 88952 ) on Thursday August 21, 2003 @03:57PM (#6758075)
    It's more that they will all open their mailboxes, and the previously dormant worms, simultaneously.

    The rest of the victims got it in bits and pieces - but the vacationers will unleash it in hourly bursts, as they come into the office.

    It'll only be a 10-20% boost, probably, but it'll be the biggest "all in one" boost.
  • by Kenja ( 541830 ) on Thursday August 21, 2003 @04:00PM (#6758125)
    How much do you want to bet that the people getting the clue are not the ones who keep putting unpatched computers on the internet without a firewall? Come on, regardless of the platform that's just asking for it.
  • by jrumney ( 197329 ) on Thursday August 21, 2003 @04:08PM (#6758236)
    You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field.

    They don't care. The point of those messages is not some public service of informing people that their computers are infected, the point is to advertise the virus software.

    Actually, I take that back. I did get one scanner-autoreply today that included full headers, which let me track down the real culprit. But most of them are blatant advertising; I report them as spam to the virus cartel's upstream provider.

  • Re:Even worse... (Score:3, Insightful)

    by jrumney ( 197329 ) on Thursday August 21, 2003 @04:19PM (#6758357)
    Sending autoreplies is sometimes useful, but these scanners should at the very least have a table which tells them, for each virus, whether an autoreply should be sent (i.e., a table which specifies if a virus uses spoofed source addresses).

    They don't even need a table. If the domain in the From address doesn't match any of the Received headers, just silently bin the thing. This would also handle heuristic scans which pick up new viruses that aren't in the scanner's database yet.

    But I don't think the virus cartel will want to give up their valuable source of free advertising, so I don't expect they will make any such changes.

  • by whorfin ( 686885 ) on Thursday August 21, 2003 @04:26PM (#6758437)
    Would it be a good idea to have consumer pc boxes equipped with cheap builtin hardware firewall/nat?

    It could, of course, be turned off by corporate IT folk who don't want to have it, or by the intrepid home user who knows what they are doing, but for the unwashed masses, would just 'be there'.

    Anyway, would this provide any actual protection? And could it pass the UI test for the standard user?
  • Re:PIF (Score:2, Insightful)

    by biggj ( 162395 ) <biggj AT earthlink DOT net> on Thursday August 21, 2003 @04:26PM (#6758439) Journal
    I haven't used Outlook in a while, so correct me if I am wrong, but doesn't Outlook auto open attachments when the user is using the preview pane?
  • by Anonymous Coward on Thursday August 21, 2003 @04:27PM (#6758452)
    Vacationers?

    What vacation or holiday is this...?!
  • by jafac ( 1449 ) on Thursday August 21, 2003 @04:31PM (#6758496) Homepage
    Well, just look at how the human race has handled HIV infection.

    In order to make sure big pharmaceutical company CEOs can keep adding to their personal antique sports car collections, we allow the virus to multiply and infect millions daily.

    Instead of carpet bombing the 3rd world with free condoms and cheap generic drugs. But that's not profitable.
  • by gsperling ( 625206 ) <.moc.nnylwal. .ta. .todhsals.> on Thursday August 21, 2003 @04:40PM (#6758595)
    With the MSBlast worm running rampant right next to the recent re-release of the SoBig virus, it's hard not to be involved in the removal and sanitization of a computer system, especially for the majority of /. readers and participants.

    Face it, most of us are in a technical position of some sort, and are looked upon for assistance because of the knowledge we possess.

    My question is this: Who pays for our time? Is YOUR company expected to "eat" the costs of paying you for your time to sanitize their network from this malicious traversing code? Should it be the company's fault for utilizing software so prone to public vulnerabilities? Should the creators of the vulnerable software be held liable and accountable for their obvious flaws? Of course, tracking down the creators of the viruses is left up to the law enforcement officials and the persons charged with solving crimes. But, the viruses would not have existed if the vulnerabilities did not exist and were not exploited accordingly.

    I understand that the Glock company cannot be held accountable if some person used their weapon to terminate somebody's life. However, in the act of homicide, there is a definitive exchange of decisions. In the case of the virus, the infected party neither intended to receive the virus, nor wanted the problems associated.
  • by Frymaster ( 171343 ) on Thursday August 21, 2003 @04:41PM (#6758610) Homepage Journal
    If they had done their job properly in the first place, they wouldn't have to fix anything at all.

    does "doing their job properly" include preventing end-users from touching the keyboards? let's face it, the network that remains unused always stays in a stable, functioning state. put users on it and then things go wrong.

  • Mac Users = Naive (Score:3, Insightful)

    by Anonymous Coward on Thursday August 21, 2003 @04:45PM (#6758677)
    I was being a little glib there, but it should be pointed out that the labor costs associated with managing all of this crap are pretty serious. Overtime charges, benefits and basic salary for a $74k employee for the last three days are running what? At least $1000k per employee. With eight IT dudes running around fixing all of the Wintel systems that's eight grand worth of new Macs that will have much better uptime and lower costs just from the last three days alone. Now, consider how many of these little virus and worm issues there have been in the past year.


    *sigh*. Nobody pays helpdesk people 74k in the US unless they have money to burn. If they do, let me know where; I'll stop coding and start working helpdesk. All you need is a level 1 helpdesk "dude" who makes about $10 an hour running around with a disk and the fix on it. Never mind if you applied the patch over a network. I have a mixed environment at work of Macs and PCs (and work on both) and the Macs are no less crash prone than the PCs.

    The only advantage to a Mac is you don't have to worry about viruses for it because its market share is so small no virus writer would be bothered with writing one. It makes more sense to hire a network admin who is halfway decent, updates virus protection etc. than to change over to Mac. Not to mention the costs involved with retraining people to use a Mac.

    If everyone followed your plan and switched over, do you really think that you wouldn't see more viruses and worms on the mac? I think mac users are a bit naive to assume they don't get worms/viruses because "mac is better". It's because virus writers for the most part don't know and don't care about mac.

  • by FedeTXF ( 456407 ) on Thursday August 21, 2003 @04:47PM (#6758699)
    Sure, condoms and generic drugs...

    Education is cheaper (in the long run) and it's even useful for other stuff, too.
  • by Anonymous Coward on Thursday August 21, 2003 @04:47PM (#6758703)
    You're saying that it's clueless users' fault, because they haven't picked up a completely unnatural habit.

    Opening attachments is the obvious, most useful thing to do. If people send you an attachment, you should be able to open it without cause for concern, because that's what attachments are for. People use attachments everyday in the course of their work, without doing anything wrong.

    But because of deficiencies in most email programs - the way they treat attachments - users get blamed instead of the software. This is completely backwards. When it can be done (and it can be here), software should conform to users' habits, rather than the other way around. That's just common sense.
  • scary part (Score:1, Insightful)

    by Anonymous Coward on Thursday August 21, 2003 @04:52PM (#6758761)
    The scariest part is that CSX is using windows to run the trains.
  • Re:Skeptical (Score:2, Insightful)

    by nelsonal ( 549144 ) on Thursday August 21, 2003 @05:18PM (#6759047) Journal
    It's basically a month filled with vacations for those in Europe. I don't know why this is but it seems to make as much sense as our spreading them out over the year. Their businesses run on a skeleton staff or just close for most of the month, from what I've heard. Any industry that is closely related to Europe will probably want to run a little light this month. Finance also seems to take a vacation during the month; I don't know of other regions or industries.
  • by jonbrewer ( 11894 ) * on Thursday August 21, 2003 @05:21PM (#6759066) Homepage
    No "IT dudes" worth anything will be "running around fixing" things. If they had done their job properly in the first place, they wouldn't have to fix anything at all.

    I don't know what world you're living in, but it isn't the one I'm posting from. You can be a brilliant IT guy who does his job incredibly well, but if a corporation's policies (i.e. waiting until a patch has been regression tested with bespoke applications) have you running around fixing things, it's the CIO that's not "worth anything" and not the "IT dudes".

    And, of course, in the case where you're paid $74k/year (as the parent post mentioned), You Do What You're Told, or you quickly lose said salary.
  • by Hecubas ( 21451 ) on Thursday August 21, 2003 @05:29PM (#6759148)
    On a somewhat related note, Microsoft gives out software for use on your own servers to act as a mirror of WindowsUpdate. You can configure the clients to automatically connect to that mirror and download updates from there. Look for Software Update Services on their website.

    --
    hecubas
  • by exp(pi*sqrt(163)) ( 613870 ) on Thursday August 21, 2003 @05:55PM (#6759393) Journal
    We can argue until we're blue in the face about responsibility but frankly it doesn't matter. Make anyone vaguely connected (and catchable) responsible and the problem will be solved. Make MS responsible and they'll tighten up their OSes. Make users responsible for sending viruses from their computers and they'll soon put pressure on MS for better OSes and keep their virus checkers up-to-date. Make the PC vendors responsible and I'm sure we'll get improvements too. But as it is we have a situation where nobody is held accountable and that means it's simply never going to be fixed.
  • by Xerithane ( 13482 ) <xerithane.nerdfarm@org> on Thursday August 21, 2003 @05:55PM (#6759397) Homepage Journal
    So why don't you ban M$ computers? Surely, you have better things to do with your time and school money than support Microsoft's broken shit.

    Because they are students computers. When you start going to college, you'll understand this.

    With the kind of time and resources you have, you could have every one of those computers running Debian in a week. Yes, I imagine one person can sit over 3 or 4 hand installs an hour, just like I can. Practice makes perfect and you are sure to get better than that. Oh well, good luck.

    College. Students. They don't give a fuck about Linux. Why is it so hard for you to understand that some people like Windows?
  • by 5.11Climber ( 578513 ) on Thursday August 21, 2003 @06:13PM (#6759526)
    If you feel that strongly about it then either do something about the situation or simply quit and go someplace else. You don't contribute anything by making snide comments to people who may not know better. You could help the situation by providing a clear and concise report on the situation with some concrete recommendations on how to correct the problem. They may even put you in charge of the effort.

    I too am a contractor to a large company and I feel no compunction about telling the people to whom I report when I see a problem. This normally results in my having to head up the effort that I have identified.
  • by whovian ( 107062 ) on Thursday August 21, 2003 @06:13PM (#6759528)
    I think the users who aren't paying attention to viruses make it that much harder for those users who do. These users make it possible to leverage the idea of giving away remote root access, effectively. What's to stop Microsoft from bundling a program with this feature with, say, behind/within a whole layer of digital rights management? DRM coming to reality makes it hard for non-Microsoft computer users then.

    So basically, MS gets control because users let it be so. Or am I way off on this?
  • Re:school's in! (Score:1, Insightful)

    by Anonymous Coward on Thursday August 21, 2003 @06:41PM (#6759759)
    students maybe, but employees no.. In my opinion, the IT staff is there to support the employees and as I have found in the past, asking people to update/install something on their computer does not work. Especially in a case like this, it is very important to patch every last computer.. the only way you'll do that in a large environment is through automation, lots of scanning, and a plan of attack to get the portable/desktop machines that don't take the automated patches. It is the IT staff's responsibility to do that and not the employees'.. employees' time is better spent doing their jobs.
  • Better filters (Score:3, Insightful)

    by unfortunateson ( 527551 ) on Thursday August 21, 2003 @08:11PM (#6760539) Journal
    The points above are well taken: I intend on spiffing up my procmail recipes, but only as I am able to understand them.

    The enhancements suggested above are simple to implement, but are still crude band aids. While I doubt I would ever *really* want to receive an executable attachment (heck -- most places won't even let me SEND it, let alone receive it), I might want to

    (a) log it
    (b) bounce a 'hey stoopid' message back to legit senders to tell them that if they need to send me something, it shouldn't be an executable (that's why god made ZIP)

    There are some more complex procmail filters out there that specifically target certain worms. Is that more effective? I don't know. I can't understand them yet. I will soon. None of the procmail FAQs and "getting started" docs describe all those messy flags and things. I've got some more reading to do.

    Meanwhile, this one lets me get work done other than downloading and deleting SOBIG messages. A few other worms will slip through, but at least it's manageable.
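    Several posts in this thread converge on one filter: jrumney's suggestion (Re: Even worse...) to silently bin a scanner autoreply when the From: domain appears nowhere in the Received: chain, kubla2000's wish to have the MDA block pif/scr/exe/com/vbs attachments outright, and unfortunateson's wish to log such attachments and bounce a note only to legitimate senders. The Python below is an added example written for this page, not code from any poster, from procmail or from MessageLabs; it assumes constructed messages on documentation domains and a receiving MX under an assumed local domain of example.net.

```python
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions the thread wants refused at the MDA (hypothetical policy list).
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".vbs"}
# Host-name-looking tokens in a Received: header ("from a.example by mx.b.example").
_HOSTNAME_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def received_hosts(msg, local_domain):
    """Host names in the Received: chain minus our own MX hosts, so a From: forged
    as someone@<local_domain> cannot pass just because our MX stamped its name."""
    hosts = set()
    for header in msg.get_all("Received", []):
        for host in _HOSTNAME_RE.findall(str(header).lower()):
            if host != local_domain and not host.endswith("." + local_domain):
                hosts.add(host)
    return hosts

def from_matches_received(msg, local_domain):
    """jrumney's test: does the From: domain appear anywhere in the Received: chain?"""
    domain = sender_domain(msg)
    if not domain:
        return False
    return any(h == domain or h.endswith("." + domain)
               for h in received_hosts(msg, local_domain))

def blocked_attachments(msg):
    """Names of attachments whose extension is on the block list (case-insensitive)."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            names.append(name)
    return names

def classify(msg, local_domain="example.net"):
    """Deliver clean mail; quarantine blocked attachments and notify the sender only
    when the From: domain is corroborated by the Received: chain (assumed policy)."""
    blocked = blocked_attachments(msg)
    if not blocked:
        return {"action": "deliver", "notify_sender": False, "blocked": []}
    genuine = from_matches_received(msg, local_domain)
    return {"action": "quarantine", "notify_sender": genuine, "blocked": blocked}

def build_sample(from_addr, received, filename=None):
    """Constructed test message (not captured mail); newest Received: hop first."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Re: Details"
    for line in received:
        msg["Received"] = line
    msg.set_content("See the attached file.")
    if filename:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

# Constructed Received: lines: our MX (mx.example.net) accepting from an unknown
# dial-up host (the infected PC) versus from a partner's real mail server.
RCV_FROM_DIALUP = ("from unknown (HELO dialup-23.isp.example) (198.51.100.23) "
                   "by mx.example.net with SMTP; Thu, 21 Aug 2003 15:44:02 -0400")
RCV_FROM_PARTNER = ("from mail.partner-corp.example (mail.partner-corp.example "
                    "[192.0.2.10]) by mx.example.net with ESMTP; Thu, 21 Aug 2003 15:43:10 -0400")

# Sobig-style: From: lifted from an address book, .PIF attached, no corroborating hop.
SOBIG_LIKE = build_sample("friend@contactbook.example.org", [RCV_FROM_DIALUP], "your_details.PIF")
# A real correspondent who mailed a .exe through their own domain's server.
GENUINE_EXE = build_sample("alice@partner-corp.example", [RCV_FROM_PARTNER], "installer.exe")
# Ordinary mail with no blocked attachment at all.
CLEAN = build_sample("alice@partner-corp.example", [RCV_FROM_PARTNER])
```

    The Received: test is deliberately crude, as jrumney says: it only rules out bounces to addresses the worm lifted from someone's address book, and a sender whose mail legitimately relays through a third-party host will look spoofed too.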
  • by CharlesEGrant ( 465919 ) on Thursday August 21, 2003 @10:25PM (#6761470)
    I find that paying someone else a yearly ransom to secure your system and do maintenance is a real piss off!
    Even if you run Linux you still either have to invest the time to follow the security updates and gather the patches yourself, or pay somebody like Red Hat to do it for you. Depending on how much software you have installed, this can be a real time sink. I make ~$30/hr, so I'm happy to pay Red Hat the $15 a year to keep current on patches and fixes. And of course I still have to spend a couple hours a month keeping up with security issues in order to make sure Red Hat isn't screwing up.

    The price of security is eternal vigilance, and it's a pain in the neck.
