The Washington Times - Friday, August 22, 2003

From combined dispatches

The FBI yesterday subpoenaed an Arizona Internet service provider to trace the culprit behind a fast-spreading e-mail virus.

Meanwhile, a feared Internet attack resulting from the virus fizzled yesterday, as security experts said they contained it by identifying and blocking computers key to coordinating it.

Instructions written into the latest version of the Sobig.F virus, which has caused enormous headaches since it began appearing Monday, called for infected Windows machines to try to download a program whose function was unknown until the attack began at 3 p.m. yesterday.

Security experts feared the program could have deleted files, stolen passwords or created rogue e-mail servers for spreading junk e-mail.

But when the appointed time came, all the virus did was visit a pornography site, said Vincent Weafer, security director with Symantec Security Response.

“There is nothing malicious, just a standard sex site,” he said.

Internet service provider Easynews.com of Phoenix said it had been contacted by investigators by telephone Thursday, and the company was issued a subpoena yesterday.

“It looks like the original variant was posted through us to Usenet on the 18th [of August],” said Michael Minor, the Internet service provider’s chief technology officer.

An FBI spokesman said the organization was working with the Department of Homeland Security to investigate who was responsible for the e-mail attacks. He declined to comment further.

One expert said the Sobig.F e-mail virus was disguised so that anyone who clicked on a link purporting to show a sexually graphic picture became infected with the self-replicating worm, which then spread itself to other e-mail addresses.

“Sobig.F was first posted to a porn Usenet group,” said Jimmy Kuo, research fellow at anti-virus software maker Network Associates Inc. Usenet is a popular forum on the Internet where computer users with similar interests post and read messages.

As many as 100,000 computers have been infected with Sobig.F, which in turn has spewed “millions upon millions of infected e-mails” to other Internet users, Mr. Kuo said.

“We’ve seen multistage attacks before, but this is probably the most effective example of that,” said Bruce Schneier, chief technology officer of Counterpane Internet Security. “What can a million computers do if they’re told to? Anything.”

Sobig.F spreads when unsuspecting computer users open file attachments on e-mail messages bearing familiar-looking subject lines such as “Thank You,” “Re: Details” or “Re: That Movie.”

Once the file is opened, Sobig.F resends itself to e-mail addresses from the infected computer and signs the e-mail using a random name and address from the computer’s address book.

Since Monday, computer users from South Korea to Norway have struggled to fend off a variety of attacks that have crippled corporate e-mail networks and filled home users’ inboxes with a glut of messages before the worm fanned out to find more victims.

Consulting firm Booz Allen Hamilton, Air Canada, transport company CSX Corp. and the New York Times are among hundreds of companies that have endured network attacks from recent viruses.

Employees at the Times headquarters in midtown Manhattan were asked to shut down their computers yesterday, but a spokesman declined to comment on the cause of the shutdown.

“We will not speculate on the cause, effect or scope of the problem. … We plan to get the paper out tomorrow.”

Sobig.F was written to expire Sept. 10, but security experts said they expect another version to follow. This is the sixth version of the virus since it appeared in January.

The worm has been clogging e-mail inboxes with a hidden command directing infected PCs to make contact with one of 20 vulnerable computers at 3 p.m. every Friday and Sunday until it expires, said Steve Trilling, chief researcher at anti-virus vendor Symantec Corp.

Government and industry security experts raced against the clock yesterday and were able to take offline 19 of the 20 home computers before the deadline, said Mikko Hypponen, anti-virus research manager at F-Secure of Finland.

The 19 computers were in the United States, Canada and South Korea, he said.

The remaining master computer, which was located in the United States, was taken down shortly after the deadline, experts said.

Experts had worried that the timed attack would slow down Internet traffic and possibly set in motion a new set of commands that would allow Sobig.F to update itself and start new attacks. However, they cautioned that it was too early to tell whether the threat of Sobig.F had ended, and warned that the next scheduled attack could unleash new problems.

Experts have speculated that Sobig.F was designed to turn computers into spam-relay machines, as previous versions did.
