New Sober Worm Spoofs FBI, CIA - InformationWeek

11/22/2005 04:10 PM

A fast-spreading variation on the long-running Sober worm is using extremely effective tactics to trick users.

A new variation of the long-running Sober worm uses extremely effective tactics to trick users into infecting their PCs, security companies said Tuesday, including posing as messages from the FBI and CIA.

Sober.w -- called Sober.x by Symantec, and Sober.z by Sophos and F-Secure -- is spreading rapidly, said security experts, fast enough for vendors to have raised their threat levels Tuesday. Symantec raised its warning to a "3" on its 1-to-5 scale, the first time since the Zotob outbreak in August that the Cupertino, Calif.-based anti-virus vendor has taken a worm to that threat level.

"The rate of its spread is quite high," said Sam Curry, vice president of Computer Associates’ eTrust security group, who also called the raw number of infections "still relatively low, but growing."

U.K.-based MessageLabs disagreed with the second half of Curry's estimate, however. "The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months," spokesman Chaim Haas said. By mid-Tuesday, MessageLabs had stopped nearly 3 million copies of the worm from reaching its customers' inboxes.

Sophos, another U.K.-based anti-virus vendor, said that its tallies showed this Sober now accounting for 61 percent of all malware.

Sober.w is the most recent example of the two-year-old Sober family, and shares important characteristics with other variants, including bilingualism (messages arrive in either English or German), address hijacking, and mass-mailing.

Computer Associates' Curry believes the fast spread is due to better-than-average technical skills. "It's using slightly more effective techniques," said Curry, "including running three separate [SMTP] processes. That's becoming somewhat common, because the more simultaneous processes a worm runs, the more copies it can blitz out."

Others, however, credit the enticing bait dangled by the worm for its success. "I just don't see any technical reason why this has popped," said Alfred Huger, senior director of engineering for Symantec's security response team. Instead, he points to the worm's social engineering tricks, which include posing as a message from the CIA or FBI (English), or the Bundeskriminalamt, the German national police agency most like the FBI (German).

These messages, with spoofed return addresses such as "[email protected]" and "[email protected]," claim that "We have logged your IP-address on more than 30 illegal Websites," and demand that the user open the attached .zip file, which supposedly contains questions to answer.

The FBI, in fact, took the unusual step Tuesday of issuing a statement saying that the messages were bogus. "These e-mails did not come from the FBI," the agency said. "Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner."

"This variant of Sober may catch out the unwary as they open their e-mail inbox," said Graham Cluley, senior technology consultant at Sophos, in a statement Tuesday. "Every law-abiding citizen wants to help the police with their inquiries, and some will panic that they might be being falsely accused of visiting illegal websites and click on the unsolicited email attachment."

Sober's creator or creators are unknown, although suspicions have long placed them in Germany. Recently, the Bavarian state police (Bayerisches Landeskriminalamt) predicted the release of a minor Sober variant the next day, leading to conjecture by security analysts that the police may be on the trail of the hackers. No arrests have been made of anyone accused of writing a Sober worm. The FBI urged users who had received the Sober.w worm to report it to the Internet Crime Complaint Center.
