
SoBig: Worst is Yet to Come 683

bl8n8r writes "Experts say when vacationers get back to work Monday, Inboxes will unleash the worm's worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
This discussion has been archived. No new comments can be posted.

  • by redelm ( 54142 ) on Thursday August 21, 2003 @03:44PM (#6757867) Homepage
    I can just echo the comments made in the media.
    SoBig is the worst email virus I've seen -- BY FAR.


    Normally, I get about 30 spams per day and a few viruses. Not much harm to a Linux system running `mutt` as an MUA! Yesterday, I received about 150 SoBig, plus maybe 30 automated msgs saying _I'd_ sent out such nastiness/bloat.

  • Ouch! (Score:5, Interesting)

    by Shadow2097 ( 561710 ) <shadow2097@g[ ]l.com ['mai' in gap]> on Thursday August 21, 2003 @03:46PM (#6757896)
    I've been dealing with literally thousands of emails coming into my office just today! The sales people are having a running contest to see who gets the most infected emails every hour. So far the winners are usually at ~150/hour.

    Normally we don't block emails with specific attachments at our post office because it takes too long to scan them. Our company of 100 people averages 14,000 legit email per day in and out, but with this outbreak as bad as it is (and not peaked yet!) the blocking is being instated tonight.

    While musing with a programmer here who just moved her daughter into college, we brought up an interesting thought: Hundreds of thousands of college kids are moving back into dorms with huge fat pipes and Outlook style email clients on computers that haven't been patched since April or May. Yikes!

    -Shadow

  • Doubtful... (Score:2, Interesting)

    by gearmonger ( 672422 ) on Thursday August 21, 2003 @03:46PM (#6757904)
    ...for two reasons: IT staff will have had just that many more days to upgrade safety systems, and there are actually fewer people on vacation (at least here in the US) this week of the year than last week. So, the worst is likely behind us...not that the coming weeks will be a picnic.
  • by stinkwinkerton ( 609110 ) on Thursday August 21, 2003 @03:47PM (#6757922)
    I'm not sure if this should be +5 funny. It is a real option for some users.

    I have known many people that actually know they have a virus on their computer and don't make it the first priority in using their systems... if it is usable by them, they don't care.

    Of course, this sort of person doesn't have the slightest understanding (or care) that their system is causing a variety of problems on other systems.

    They only seem to care if it is causing THEM some problem.

    I've long since given up trying to explain what is going on to these folks or the urgency of solving their own virus problem in a timely manner. I make sure that their system is as up-to-date as possible and make sure their virus protection software automatically updates as frequently as possible.

    And, recently, these are the folks that I have broken my long standing rule on, and configured "Windows to update automatically" and not wait for the user to OK it.
  • by slagdogg ( 549983 ) on Thursday August 21, 2003 @03:49PM (#6757954)
    I like it when they include the pif in the return message, that way SpamAssassin files it away in my spam folder ... without the pif it's seen (rightfully) as a legitimate message.
  • by Anonymous Coward on Thursday August 21, 2003 @03:50PM (#6757970)
    I swear I have had more than 500 e-mails with the sobig.f. Not only from entirely random people across the internet but MY OWN OTHER EMAIL address! It's a hotmail so obviously it's just spoofing somewhere.

    I don't know how much longer I can take these things. I can't block them because they come back as "bounced messages" due to my inbox being full but it still sends the infected file! If I block it, then I won't ever know if a legitimate bounced message reaches to me...
  • $500 - $1000 (Score:3, Interesting)

    by scrotch ( 605605 ) on Thursday August 21, 2003 @03:52PM (#6758007)
    "Pescatore said that the cost of both technical support personnel and lost productivity by the computers' users can range from $500 to $1,000 per infected machine."

    How much does Windows cost?

    I know it's not really Microsoft's fault, since they had a patch and it's not their fault that people try to get email and stuff... But my users are rather annoyed. We all run Macs and either Mac OS X or FreeBSD servers so we're not vulnerable to this virus, but it's getting annoying just deleting the things. I can't imagine having to worry about getting infected on top of having to run Windows :)

    We got almost all of ours (150 to 5 addresses) from one local government office. I emailed them when we narrowed down what machine they were coming from and the flow has stopped. We didn't get a Thank You or anything, but maybe our little government office doesn't want to publicly admit to running insecure systems.

    I wonder if this $500 - $1000 per computer will be in the budget next year.
  • by flakac ( 307921 ) on Thursday August 21, 2003 @03:57PM (#6758084)
    Actually, the thing that bugs me most about most of the automatically generated virus warnings that I'm seeing is that they almost never provide info on the originating IP address. If I at least have that, I can try to warn people if I recognize a particular address...
  • Save procmail recipe (Score:4, Interesting)

    by Frodo Looijaard ( 12815 ) <{frodo} {at} {frodo.looijaard.name}> on Thursday August 21, 2003 @03:58PM (#6758095)
    The following should be a safe procmail recipe that only matches the virus, and nothing else:
    :0B:
    * ^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA$
    virus
    NB: This may not be rendered correctly; there should be no space in the string of A letters.

    The idea is courtesy from the macosx forum [macosxhints.com]
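
Why that string identifies an executable attachment, as an added example that is not part of the original post: it is the base64 form of the first 57 bytes of a typical Windows executable's DOS header, which a MIME encoder emits as one full 76-character line. The sketch derives the string, applies the same whole-line test, and shows the case the line test misses (a sender that wraps base64 at another width); the sample messages and function names are assumptions.

```python
import base64
import email
import re

# First 57 bytes of the DOS header that common Windows linkers emit: the "MZ"
# magic, the usual header fields, then zero padding. 57 bytes encode to exactly
# one 76-character base64 line, the default MIME line length.
DOS_HEADER_PREFIX = bytes.fromhex(
    "4d5a9000" "03000000" "04000000" "ffff0000"
    "b8000000" "00000000" "40000000"
) + bytes(29)

SIGNATURE = base64.b64encode(DOS_HEADER_PREFIX).decode("ascii")
LINE_RULE = re.compile("^" + re.escape(SIGNATURE) + "$", re.MULTILINE)

# Constructed payloads: a header-only stand-in for an executable, and plain text.
EXE_LIKE = DOS_HEADER_PREFIX + bytes(100)
TEXT = b"plain text attachment\n" * 10


def build_message(payload: bytes, width: int) -> str:
    """Constructed single-part message, payload base64-wrapped at `width`."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    headers = [
        "From: sender@example.org",
        "To: user@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: application/octet-stream; name="sample.pif"',
        "Content-Transfer-Encoding: base64",
    ]
    return "\n".join(headers) + "\n\n" + "\n".join(lines) + "\n"


def line_rule_matches(raw: str) -> bool:
    """Same test as the recipe: a body line that is exactly the signature."""
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    return LINE_RULE.search(body) is not None


def decoded_part_is_executable(raw: str) -> bool:
    """Decode each MIME part and check the bytes, independent of line wrapping.

    Only the two-byte "MZ" magic is tested, so this is broader than the
    line rule and will also flag other data that happens to start with "MZ".
    """
    msg = email.message_from_string(raw)
    for part in msg.walk():
        data = part.get_payload(decode=True) or b""
        if data.startswith(DOS_HEADER_PREFIX[:2]):
            return True
    return False
```

The line rule fires on any attachment whose first 57 bytes match this header layout, not on one specific program, so it behaves as an executable-attachment filter.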

  • Re:school's in! (Score:3, Interesting)

    by Skweetis ( 46377 ) on Thursday August 21, 2003 @04:01PM (#6758134) Homepage
    Not funny. They've started coming back already, and our dorm subnets are crawling with msblast. I filtered port 135 and 444 ingress and egress at the building routers, but we still (no joke) have around 95% infection rate. I'm assuming the other 5% are CS students with Linux boxes and a few old Win98 systems.

    I'm just dreading Saturday when the majority of them show up, it's only 200 students now and the technicians can't keep up.

  • by zenyu ( 248067 ) on Thursday August 21, 2003 @04:03PM (#6758157)
    My ping times to www.mit.edu (my personal benchmark, as it's on the next POP over and always up) are normally 25ms from home, they grew slowly from about 30 ms Monday morning to as high as 2600 ms yesterday with 2/3 packet drop. But today and especially in the last few hours it's fallen back to about 29 ms with 1/3 packet drop.

    There are still occasional storms, I guess as a new host gets infected nearby. But things are good compared to the last two days when I couldn't even listen to internet radio and plain old web browsing and e-mail were slow...

    BTW I haven't seen any of the e-mails myself due to our spam filter but I have gotten some returned e-mail the virus sent and a non-tech friend who got this one and another friend (who's very non-tech) got last week's virus. I usually don't personally know the people who get these things, it has been a good week for discussing an OS upgrade to Linux with non-techies ;)
  • RPC Patch (Score:2, Interesting)

    by Jucius Maximus ( 229128 ) on Thursday August 21, 2003 @04:03PM (#6758166) Journal
    Please keep in mind that the Microsoft RPC patch and most virus signature updates designed to combat the MSBlaster worm will not protect against Sobig.F.

    Just a few hours ago I cleaned sobig.F from one machine that was already patched in our 'MSBlaster Clean-sweep' and discovered this.

  • by Tsu Dho Nimh ( 663417 ) <abacaxi@@@hotmail...com> on Thursday August 21, 2003 @04:04PM (#6758173)
    I dump any emails over 100K from one account right to /dev/null, which is enough to be dumping almost all viruses. Checking the logs, I've a hundred or so already.

    More annoying than the worm are all the "You are infected" warnings coming from clueless virus software. They make it through the spam filters.

  • by shepd ( 155729 ) <slashdot@org.gmail@com> on Thursday August 21, 2003 @04:04PM (#6758176) Homepage Journal
    >I've long since given up trying to explain what is going on to these folks or the urgency of solving their own virus problem in a timely manner.

    Try this one:

    "Some of these viruses have been known to attempt to destroy the computers of various military installations. The penalty in many countries for this is death. The penalty in YOUR country is a federal jail term. You may want to consider purchasing a $60 upgrade to your computer to help you avoid this problem in the future."
  • by moxomillion ( 700410 ) on Thursday August 21, 2003 @04:06PM (#6758200)
    With all the mainstream media attention, I'd be willing to bet Symantec and Network Solutions are hiring. Does anyone have statistics on the relationship between the size of the virus outbreak, and the revenue that these companies take in?
  • Virus Notifications (Score:2, Interesting)

    by Micor ( 694261 ) on Thursday August 21, 2003 @04:07PM (#6758206)
    I turned off Sender Notifications for virus stripping ages ago because these things spoof that reply-to. Now I am starting to block domains whose notification messages are clobbering my server. These notification messages are coming in by the thousands and only further confuse the issue. They also annoy my users who aren't at fault in the first place.
  • by ewithrow ( 409712 ) on Thursday August 21, 2003 @04:07PM (#6758211) Homepage
    To: All Georgia Tech Students

    The Office of Information Technology (OIT) has detected the following worms and viruses proliferating on the Georgia Tech campus network:
    -MS Blaster worm
    -DCOM (Nachi) worm
    -W32/Sobig-F virus

    Successful worm and virus outbreaks impair networks by blocking access or increasing the time it takes to transfer data across a network connection. It is imperative that everyone on campus take appropriate actions to secure their systems from current and future outbreaks.

    Overall Risk to Georgia Tech
    Infected systems must be cleaned to contain the worm or virus and prevent further proliferation. The time it takes to clean infected systems causes lost productivity throughout the campus community. If an outbreak is not contained, some network services will become unavailable due to "denial of service" events.

    Any desktop and server computers with Windows (2000, NT 4.0, XP, and Server 2003) that connect to the Georgia Tech campus network and have not been patched are vulnerable to the MS Blaster and DCOM/Nachi worms. The Sobig-F virus can infect any Windows system (95, 98, NT 4.0, Me, 2000, and XP) via email attachment or Windows file sharing. These worms and the virus do not infect Macintosh computers.

    Actions Taken by OIT
    OIT has taken these steps to contain the current outbreaks:
    -Blocked the ports vulnerable to these worms at the campus network border.
    -Notified the technical support community on what to do regarding these worms.
    -Temporarily blocked the ports vulnerable to these worms at the ResNet and EastNet routers to prevent un-patched systems of arriving students from damaging the rest of the campus. The effect of this will be that certain services such as file sharing will not be possible from within Resnet/EastNet to the rest of campus. These changes will not prevent access to mail, internet or other campus services.

    We are currently working very closely with the ResNet manager to repair ResNet's infected student machines. You can help us by following these actions immediately:

    Actions for Students to Take

    If your system is currently infected, you must make sure it gets disinfected.

    Get assistance from one of the technical support staff members, obtain the fix CD from your RTA, or download the appropriate software tools from the web.

    To remove the Blaster worm, obtain the Stinger tool:
    http://vil.nai.com/vil/averttools.asp#stinger

    Immediately update your computer's security software.

    All computers that use the Georgia Tech network should have up-to-date anti-virus and personal firewall software installed. To protect your system from future worms and viruses:
    -Download and configure anti-virus (VirusScan) and personal firewall (ZoneAlarm) software from the OIT software distribution web page (http://www.oit.gatech.edu/software/ ).
    -Do not open any email attachments from senders you do not recognize.
    -Since some viruses and worms send infected messages that appear to come from email addresses that may be known to you, care should be taken before opening attachments that you are not expecting. More information and guidelines can be found at http://www.security.gatech.edu/ .

    If you are running Windows and have not installed the current patches, please go to the Microsoft website and download the Blaster worm security patch.

    WinXP:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en

    Win2000:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en

    Win2003:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=f8e0ff3a-9f4c-4061-9009-3a212458e92e&displaylang=en

    If you need assistance from the ResNet technical staff:
    ResNet site (http://www.res
  • Re:school's in! (Score:5, Interesting)

    by Skweetis ( 46377 ) on Thursday August 21, 2003 @04:12PM (#6758274) Homepage
    Sorry to reply to my own post. The quarantine partition (I save out dropped messages for a while, just in case of a false positive or something) on the mailserver just hit 90%, and it's 100GB. It was somewhere around 5-10% this morning. Not a good day.
  • PIF (Score:4, Interesting)

    by kenp2002 ( 545495 ) on Thursday August 21, 2003 @04:14PM (#6758306) Homepage Journal
    Honestly why would a user run a PIF attachment anyways? Would you use unknown medication? Why would you run unknown attachments? Simple solution: Server.CreateFilter(attachments, PIF)
  • by Exitthree ( 646294 ) on Thursday August 21, 2003 @04:17PM (#6758324) Homepage
    Just look at how well Symantec [bloomberg.com] is doing! Up almost three dollars today.
  • by Electrum ( 94638 ) <david@acz.org> on Thursday August 21, 2003 @04:20PM (#6758367) Homepage
    With eight IT dudes running around fixing all of the Wintel systems

    No "IT dudes" worth anything will be "running around fixing" things. If they had done their job properly in the first place, they wouldn't have to fix anything at all.
  • Re:Skeptical (Score:5, Interesting)

    by NexusTw1n ( 580394 ) on Thursday August 21, 2003 @04:20PM (#6758379) Journal
    It depends on how clueless your email admins are.

    Rather than blocking .scr/Pif/.exe and deleting any email with such an attachment, they are letting the group virus scanner on our exchange servers deal with the entire load.

    So the virus scanner is scanning and moving to the infected folder literally thousands of these an hour. After it moves the infected message, it generates a nice email letting you know an email that was sent to you is currently in quarantine. Therefore this is generating even more work for the mail servers. Turning off this feature for a couple of days is apparently too much trouble.

    The servers exchange is running on are therefore hanging every few minutes with all the disk and processor activity. Everyone gets a message every few minutes about "please wait, connecting to server" until you get fed up and close outlook down for the day.

    This is the first virus I've ever seen to disrupt my work like this. But this is 100% the fault of our email admins who can't be bothered to write a couple of simple mail rules.

    At the basic internet security zone Outlook can't even open .scr and .exe attachments, so why they don't delete this crap before it hits the servers I don't know.
  • Panic, everyone! (Score:2, Interesting)

    by BRSloth ( 578824 ) <julio@NOsPaM.juliobiason.net> on Thursday August 21, 2003 @04:29PM (#6758468) Homepage Journal
    The thing I like the most in those "worm reports" is that they say every time that the worm spreads through mail, but never cite that there is only one email client that allows that kind of stuff and that there are alternatives.

    Why can't someone come up with something intelligent and say "the worm uses Microsoft's Outlook to spread itself"?
  • by rthille ( 8526 ) <web-slashdot@@@rangat...org> on Thursday August 21, 2003 @04:30PM (#6758480) Homepage Journal
    I've got 693 SoBig spams to my obfuscated address: 'web-slashdot@NOSPAM.rangat.org' (I've since updated my DNS to serve an MX for nospam.rangat.org to 127.0.0.1, but it hasn't propagated yet. ) Almost all were from one IP: "Received: from cs24174102-171.houston.rr.com (HELO MARK-TRQBH52QXQ) (24.174.102.171) by bluesky.thille.org with SMTP; 21 Aug 2003 19:59:41 -0000"
    Not sure if he's a spammer that got infected, but the 'from' addresses are coming from a huge number of unique and seemingly 'real' addresses.
    I finally just set up my mail server to drop connections from that IP.
  • by EZmagz ( 538905 ) on Thursday August 21, 2003 @04:33PM (#6758520) Homepage
    My company being one of them. The place I currently work (fuck it, I hate working there anyway...it's 3M, the Scotch Tape(tm) people) is a disaster zone right now. The entire IT staff is contract-only. There is no centralized IT plan for keeping systems up-to-date, beyond updating the software when the PCs come in for repair or an upgrade. That gives some users a 5 year timespan when no service packs are installed.

    This week alone our entire department has been thrown around, manually patching EVERY box on the network. That's around 50,000 computers. Today alone I ran across probably 10 Windows NT boxes that were still running THE FIRST SERVICE PACK!

    My point is, I do NOT feel sorry in the least when companies like 3M lose millions of dollars because they don't hire a competent IT department. Hell, out of the 20 guys I work with, only myself and two others graduated from a 4 year college. Whatever. For the last four days when full-timers have been bitching at me while I upgrade their PC because their order-tracking software won't work, I just smile and tell them "you get what you pay for. Tell your bosses to hire a competent IT department and you'll never have this problem again." Then I walk away and sigh because I know it'll never happen. Guess paying a contracting firm $40/hr so they can turn around and pay me $13/hr while they get to save themselves from paying benefits is worth the millions of dollars in downtime.

  • Conspicuous absence (Score:3, Interesting)

    by __aajqwr7439 ( 239321 ) on Thursday August 21, 2003 @04:43PM (#6758644)
    Hmm... Nowhere does the article say that only Windows machines are infected by and propagate the worm.

    The SoBig worm is the latest in an outbreak that began 10 days ago with the so-called "Blaster" or "LovSan" worm which, by some estimates, infected more than 500,000 computers running the latest version of Microsoft Windows, the world's dominant operating system.

    That's the only place Windows is mentioned, with regards only to Blaster.

    xox,
    Dead Nancy
  • Re:PIF (Score:3, Interesting)

    by Aidtopia ( 667351 ) on Thursday August 21, 2003 @05:06PM (#6758931) Homepage Journal

    In an effort to be "friendly," newer versions of MS Windows default to hiding those oh-so-confusing file extensions from helpless users, so they'll typically see "foo" rather than "foo.pif". Even nastier are those infection files named things like "photo.jpg.pif". Windows dutifully hides the .pif extension, and the user sees "photo.jpg". Doesn't look so dangerous that way.

  • by quibbit ( 700429 ) on Thursday August 21, 2003 @05:41PM (#6759265)
    I guess just an idea (that seems useful and maybe I'll think about more later) is why not actively hunt virii. There was this big collective effort with SETI a few years back, why couldn't there be some big servers hunting for the cracks on the backbone. Maybe just a group of people, or a coalition to produce a virus in the wild that goes after viruses. Maybe try to infect servers clandestinely with patches if it becomes known that a user is spouting out bad email. Why not actively hunt spammers too? It seems like that was sort of the code of the hackers.. Or at least the myth back in the old days (94-96) when I was keeping track of things more (or at least listening to people rant on usenet about such things as kookery). What are the big time hackers (or is it crackers or some other new term nowadays) doing? Are they being anonymous, or testing the waters before something "big" is put out. Maybe I'm just blowing steam, but considering the power a virus can harness to replicate itself and search for new ports to infect.. It seems that the government/military or rogue hackers/(paramilitary) could make more of a presence on the scene than seems viewable from the public eye. Are virii the only big claim to fame to people who know how to mess with big systems? Couldn't we have avenging angels against spam/virii instead? Well just my 4 cents.
  • by ewen ( 218843 ) on Thursday August 21, 2003 @05:43PM (#6759289) Homepage
    You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that
    viruses sometimes spoof the "From:" field. I didn't send it, my Mac is not infected. You're just annoying me. Please go away.

    Someone on LiveJournal speculated that these messages were actually advertising, for the anti-virus product, and should be treated as spam/unsolicited bulk email.

    I certainly agree that where the virus is known to spoof email addresses, it only makes the problem much much worse for everyone if you send a message saying (in effect) "the message you didn't send had a virus, there's nothing you can do about it, but please share the pain". And the anti-virus writers should be... persuaded... not to send out these virus reports to forged email addresses.

    The 1000+ copies per day of the virus are easy enough to filter. The gazillions of different formats of useless "virus notifications" are not.

    Ewen

  • by mrgreenfur ( 685860 ) on Thursday August 21, 2003 @05:45PM (#6759303)
    i'm a current student at Carnegie Mellon Univ. and about a week before everyone's slated to return, computing services sent out a letter saying that they were scanning the network for this worm and if found were removing machines from the network. If your machine has been removed, you gotta patch it and request it be re-allowed.

    it seems like a pretty good way to go about preventing it from spreading, and even non-techies at my school will jump on the patch once they read the part about getting kicked off the net (read: AIM/Kazaa/email)
  • by isoga ( 670113 ) on Thursday August 21, 2003 @06:03PM (#6759466) Journal
    1. Put together a professional business case for a dedicated IT team.

    Show some rough calculations for costs of dedicated staff, hardware, software(systems management, etc). Balance that against the savings from reduced downtime, increased productivity, better reputation from business partners and other goodwill. You will find that the numbers for having systems down and people unable to work become big very quickly.

    3.Show how long it takes to see a positive return on investment, and how much they'll be ahead in 2 and 5 years. Offer to set this up and run it.

    4.Enjoy your position as CIO of a fortune 500

    5.Profit!!!!

  • by ratfynk ( 456467 ) on Thursday August 21, 2003 @06:18PM (#6759564) Journal
    Why the hell would I use wine to open e-mail under linux? Linux is not spreading this shit the MS UI is. Get your facts straight. The fault is entirely MS they are counting on this chaos so that they can step forward with the ultra secure win 2003 server and then the Longhorny security solutions. You are spreading fluff and fud! Yes everyone is going to rush and secure their computers with Longhorny. But as Ben Franklin said "Those who sacrifice freedom for security will gain neither."
  • by Anonymous Coward on Thursday August 21, 2003 @06:36PM (#6759710)
    "The key problem is that people are opening these attachments. That's just foolish."

    True. But think on this - SoBig is a *benign* virus. It does no real appreciable damage. (Don't give me cleanup cost speak, if you hired competent people, you wouldn't *need* to clean the corporate networks.)

    What will happen when a *real* virus is finally written for Windows? Back in the day (As in, decade+ ago), I remember what virii were like. Destroy the boot sector, frag the hard disk, randomly rearrange critical OS files..

    Under Linux, unless you've some dolt running as root, this isn't a threat. Joe User can only befuk the files in his home directory, and nothing else.

    Under Windows? Joe User just caused the whole box to shit itself.

    Microsoft would do well to remedy this problem before someone decides to write a 'real' virus.
  • by linzeal ( 197905 ) on Thursday August 21, 2003 @06:49PM (#6759841) Journal
    We had a guy in marketing spamming child porn to the company's customers and some people in the company. When he logged in at 6:00 am my time on the road one day when I was working graveyard shift. Needless to say he did not ever leave Illinois as far as I know.
  • Re:huh (Score:2, Interesting)

    by named ( 3909 ) on Thursday August 21, 2003 @06:54PM (#6759877)
    Hmm, here's my numbers... this on a site that pushes about 9,000,000 messages/month. Oh, these numbers are since the 18th, and only include the ones for which any significant numbers have been received.

    91673 | W32/Sobig-F
    1460 | Bad File Pattern
    1062 | Very Bad Header Pattern
    1039 | W32/Sircam-A
    960 | W32/Yaha-P
    365 | W32/Bugbear-B
    280 | W32/Klez-H
    240 | W32/Mimail-A
    223 | W32/Yaha-K
    124 | W32/Bugbear-Dam
    122 | W32/Dumaru-A
    14 | W32/Magistr-B
    9 | W32/Yaha-A
  • by greywalker ( 689874 ) on Thursday August 21, 2003 @07:43PM (#6760315)
    "Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
    My experience with this virus may be abnormal, but I have to completely disagree with that statement. As a dispatch tech for a large state university, I've been up to my eyes in emails related to the virus, but have only found However, the amount of email traffic on campus has been mind-boggling -- it even took down our mail servers a few times. And less than 10% of the emails were from the virus. Most of them were f*cking auto-notification emails from other servers that someone had sent the damn virus, which thanks to the spoofing feature, was almost never true. Why don't server admins turn off such notifications when dealing with a mass-mailer/spoofer virus? All these assorted servers managed to do was clog up our mail server with these meaningless "you have sent us a virus" emails that do nothing but contribute to any damage the does!!
    IMHO, the REAL cost of dealing with this virus was bearing the burden of 100,000 stupid auto-generated emails that other servers were sending us, in response to emails that didn't even come from us.
  • by billstewart ( 78916 ) on Thursday August 21, 2003 @08:03PM (#6760472) Journal
    This has been discussed a bit on the NANOG list. The ideal place to do the virus scanning would be during the SMTP transmission phase, rather than after the fact, so you could fail the transmission with a "553 go away you virus!" (and maybe a teergrube) instead of accepting the message and sending it to the forged From: line. (It looks like Sendmail milters give you hooks that could be used for this.) That way, if the virus runs its own SMTP, it gets messages that it ignores, and if the virus abuses its victims' email programs, then they'll get the warning, but the From: won't.

    Alternatively, if you're going to do the virus check after the mail's been accepted, it sure would be nice if the virus-checker programs kept track of which viruses usually forge the sender and which don't, so it can skip the bouncegrams on the forged ones.

    Dave Farber's been mentioned in the press - his mailing list is very large and gets quoted a lot, so his address is in lots of people's mailboxes and gets forged a lot.
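
The two options in the comment above, combined with the attachment-type blocking and the "photo.jpg.pif" double-extension trick raised earlier in the thread, as an added example that is not code from any poster or mail product: a check run at the end of SMTP DATA that answers the connecting client with a 553 and never mails the header From:, plus a post-accept rule that suppresses notifications for detections known to forge the sender. The function names, the decoy-extension list, the forging-family set and the sample messages are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED = {"pif", "scr", "exe"}        # attachment types named in the thread
DECOYS = {"jpg", "gif", "txt", "doc"}  # assumed harmless-looking extensions
# Assumed set of detections that forge the sender; the thread reports this
# behaviour for Sobig and Klez. Names follow the scanner statistics above.
FORGES_SENDER = {"W32/Sobig-F", "W32/Klez-H"}


def extension_chain(filename: str) -> list:
    """Lower-cased extensions, ignoring trailing dots/spaces that Windows drops."""
    name = filename.strip().rstrip(". ").lower()
    return name.split(".")[1:]


def is_blocked(filename: str) -> bool:
    chain = extension_chain(filename)
    return bool(chain) and chain[-1] in BLOCKED


def is_disguised(filename: str) -> bool:
    """True for names like photo.jpg.pif, where the real type hides last."""
    chain = extension_chain(filename)
    return len(chain) >= 2 and chain[-1] in BLOCKED and chain[-2] in DECOYS


def _printable(name: str) -> str:
    # Keep attacker-chosen text from injecting control characters into the reply.
    return "".join(c for c in name if c.isprintable())[:60]


def smtp_data_reply(raw: str) -> tuple:
    """(code, text) to return at end of DATA; no message is sent to From:."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    bad = [n for n in names if is_blocked(n)]
    if not bad:
        return 250, "2.0.0 message accepted"
    note = " (double extension)" if any(is_disguised(n) for n in bad) else ""
    listed = ", ".join(_printable(n) for n in bad)
    return 553, "5.7.1 attachment type not accepted: " + listed + note


def notification_target(detection: str, envelope_sender: str):
    """Post-accept scanning: address to notify, or None to quarantine silently."""
    return None if detection in FORGES_SENDER else envelope_sender


def build_sample(filename: str) -> str:
    """Constructed test message with one harmless attachment of the given name."""
    m = EmailMessage()
    m["From"] = "someone@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See the attached file.")
    m.add_attachment(b"not a real program", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```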

  • Re:no (Score:3, Interesting)

    by SYFer ( 617415 ) <syfer@[ ]er.net ['syf' in gap]> on Thursday August 21, 2003 @09:23PM (#6761074) Homepage
    Well, as long as you're going to go the BSD route, you may as well just spring for a shiny new Mac with OS X and be done with it. Although we Mac owners are certainly not immune to virii and their broader effects, we are certainly less frequently directly infected. This is one instance where small market share proves beneficial.

    Incidentally, the first infection I ever had on a Mac was the old Macro Virus which appeared shortly after I first welcomed Microsoft (via Office) onto my machine. Ah Microsoft!
  • by Anonymous Coward on Friday August 22, 2003 @05:18AM (#6763206)
    Show him/her the hard numbers and if they are still too stupid to listen, take it to the next level. If the company has any business smarts, someone will listen to your well reasoned arguments. If not, you may want to start looking for a new job, that company probably won't be in business for long.

    Well, I "took it to the next level" and suddenly I lost my $85k/year (yeah, that's US Dollars) job because I had improperly stored my bicycle in my office. No other reason mentioned, no bad reviews, no warnings, nothing. And it was perfectly legal because I (as all my former colleagues in this 30bn/year company) was an "at-will" employee.

    And I don't think they're going out of business soon.
