- The Washington Times - Wednesday, August 20, 2003

Computer security companies are investigating the possibility that spammers created the SoBig.F virus to open holes in e-mail systems and let them send unwanted e-mail anonymously.

The virus, considered the most widespread of its kind, continued to clog e-mail inboxes worldwide yesterday, causing some organizations to shut down their e-mail systems and others to report millions of dollars in lost productivity.

It accounted for about 70 percent of all e-mail sent yesterday.

Several computer security firms, conducting separate investigations, said yesterday they believe that a spammer either wrote the virus or hired someone to write it.

According to those firms, the virus, in addition to mass-mailing itself to people listed in e-mail address books, opens a hole on the infected computer through which anyone can send e-mail that cannot be traced to its true origin. Such holes are known as “open relays” (mail servers that accept messages from anyone and forward them anywhere) or “open proxies” (general-purpose network proxies that accept connections from anyone and can be pointed at a mail server). At least half of all spammers use them.

“We do believe the person doing this is doing it for profit,” said Jimmy Kuo, a research fellow with Network Associates, a Santa Clara, Calif., computer security firm. “That is the number-one belief, that this guy is being paid to do this or is [a spammer].”

Spam refers to unsolicited e-mail, often in the form of advertisements for pornography, Viagra or get-rich-quick schemes. It has been known to flood inboxes, costing U.S. businesses about $10 billion a year in lost productivity and services, according to Ferris Research.

Spammers rely on open proxies and relays to send millions of e-mail messages anonymously. As recently as two years ago, they found them ready-made on poorly configured mail servers and networks. Since then, network managers have closed many of those holes, and spammers have started creating open proxies of their own.
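As an added illustration of what “open relay” means at the protocol level (this is not code from the article, from SoBig.F, or from any company quoted here), the Python below pairs a hypothetical relay policy of the kind a mail server applies at RCPT TO with the check an administrator runs to find out whether a server relays for strangers. The server, the domain `example.com` and the addresses are constructed for the example; `TinySMTPServer` exists only so the probe can be exercised offline. Open proxies are a separate device (a generic network proxy) and are not tested here.

```python
"""Open-relay policy and an open-relay probe, run against a constructed SMTP responder."""
import re
import smtplib
import socket
import threading

# Domains the hypothetical server delivers for locally (constructed for the example).
LOCAL_DOMAINS = {"example.com"}


def relay_allowed(mail_from, rcpt_to, client_authenticated=False, open_relay=False):
    """Decide whether to accept a RCPT TO command.

    open_relay=True reproduces the misconfiguration spammers hunt for: any sender may
    submit mail for any recipient. The hardened policy accepts a recipient only when the
    domain is local or the client authenticated. MAIL FROM is recorded but never trusted,
    because the envelope sender is trivially forged.
    """
    if open_relay:
        return True
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    return client_authenticated or domain in LOCAL_DOMAINS


class TinySMTPServer(threading.Thread):
    """Single-connection SMTP responder that applies relay_allowed() at RCPT TO.

    Constructed for this example; it implements only the commands the probe needs.
    """

    def __init__(self, open_relay):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral port; read it from .port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mx.example.com ESMTP test\r\n")
        mail_from = ""
        for raw in rfile:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()  # smtplib sends verbs in lower case
            addr = re.search(r"<([^>]*)>", line)
            if verb in ("EHLO", "HELO"):
                conn.sendall(b"250 mx.example.com\r\n")
            elif verb == "MAIL":
                mail_from = addr.group(1) if addr else ""
                conn.sendall(b"250 2.1.0 OK\r\n")
            elif verb == "RCPT":
                rcpt_to = addr.group(1) if addr else ""
                if relay_allowed(mail_from, rcpt_to, open_relay=self.open_relay):
                    conn.sendall(b"250 2.1.5 OK\r\n")
                else:
                    conn.sendall(b"554 5.7.1 Relay access denied\r\n")
            elif verb == "DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                for body in rfile:
                    if body == b".\r\n":
                        break
                conn.sendall(b"250 2.0.0 Queued\r\n")
            elif verb in ("RSET", "NOOP"):
                conn.sendall(b"250 2.0.0 OK\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")
        rfile.close()
        conn.close()


def probe_open_relay(host, port, sender="probe@outside.invalid",
                     recipient="victim@elsewhere.invalid"):
    """Return True if the server accepts, from an unauthenticated client, a recipient in
    a domain it does not serve. Only RCPT TO is tested; no message is sent, and the
    transaction is reset before disconnecting. Run this only against servers you are
    authorised to test."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=5) as smtp:
        smtp.ehlo_or_helo_if_needed()
        smtp.mail(sender)
        code, _ = smtp.rcpt(recipient)
        smtp.rset()
        return code == 250


def run_demo():
    """Probe an open relay and a hardened server; returns {'open': True, 'hardened': False}."""
    results = {}
    for label, open_relay in (("open", True), ("hardened", False)):
        srv = TinySMTPServer(open_relay)
        srv.start()
        results[label] = probe_open_relay("127.0.0.1", srv.port)
        srv.join(5)
    return results


if __name__ == "__main__":
    for label, relays in run_demo().items():
        print(f"{label} server relays for strangers: {relays}")
```

The probe keys on the recipient domain because that is the only thing the relay policy can check: the sender address is whatever the client claims, which is the same reason the forged “From” lines in virus mail prove nothing about where they came from.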

“This is possibly a response to the technology industry’s awareness of the problem,” said Chris Beltoff, a senior security analyst with Sophos, a London-based computer security company.

Computer security analysts have been worried about any connection between spammers and virus writers for months. MessageLabs, a British computer-security firm, said that “spam-friendly” viruses, including earlier versions of SoBig and another called BugBear, were becoming more prevalent.

“The worrying trend … is that it would certainly seem that spammers are now determined to create their own armies of open proxies, so that they can remotely command them at a safe distance, without drawing any suspicions upon themselves,” MessageLabs said in a report to its customers.

Analysts said the connection between spammers and virus writers is just a theory, based on observation of the way both viruses and spam have operated.

FBI spokesman Bill Murray said yesterday the bureau is not investigating the SoBig.F virus, but did not discount the possibility of starting an inquiry.

Mr. Murray said the FBI was not prepared to say that spammers and virus writers are working together. And not everyone who has analyzed the SoBig viruses has bought into the theory.

Marty Lindner, a team leader with CERT Coordination Center, a nonprofit center for Internet security at Carnegie Mellon University, said he has not seen evidence that SoBig creates open relays, or that spammers are using the virus to create vulnerabilities.

“From a technical point of view, all this virus does is forge e-mail,” Mr. Lindner said. “A lot of that hype is based on information I don’t believe.”

Nevertheless, CERT did issue a warning Monday that said the virus could “set up and run other services, such as open mail relays.”

Many analysts believe virus writers would be willing to create open relays for spammers, because the spammers’ mass mailings would in turn help spread the virus.

“It’s an ‘I’ll scratch your back, you scratch my back’ type of thing,” said Steven Sundermeier, vice president of products and services for Central Command, a Medina, Ohio, computer security company.

Soon after the SoBig.F virus appeared Tuesday, security analysts assumed it had been sent out by a spammer because it spread so quickly. But analysts said yesterday there was evidence the virus was first posted to several erotica-oriented newsgroups, from which it spread to the computers of newsgroup members.

SoBig.F is the latest in a string of viruses that have spread over the last week, leading many computer security experts to call it the worst week for viruses in history.

A virus called “Blaster” or “LoveSan” spread to more than 500,000 computers last week, causing computer failures at some organizations including the Maryland Motor Vehicle Administration. A similar virus called “Welchia” spread Tuesday, bogging down many computer systems, including that of Air Canada, which was forced to cancel some flights over problems with its communications network.
