Sober Worm's Still With Us

Businesses face more-dangerous threats, but worms like Sober still do damage.

InformationWeek Staff, Contributor

November 23, 2005

The greatest I.T. security threats to businesses may be targeted attacks aimed at a single company. But old-fashioned worms can still have their day, as last week shows.

A new variation of the long-running Sober worm last week was using extremely effective scare tactics to trick users into infecting their PCs, including posing as messages from the FBI and the CIA.

Sober.w--called Sober.x by Symantec and Sober.z by Sophos and F-Secure--spread rapidly. Symantec raised its warning to a "3" on its 5-point scale, the first time since the Zotob outbreak in August that it put a worm at that level.

Sober.w is the most recent example of the 2-year-old Sober family, and it shares important characteristics with other variants: It's bilingual, since messages arrive in English or German. The worm also uses address hijacking and involves mass E-mailing.

The worm does have some technical tricks that help it spread, including running three simultaneous SMTP processes so it can "blitz out" more copies, says Sam Curry, VP of CA's eTrust security group. But Alfred Huger, senior director of engineering for Symantec's security response team, credits effective social engineering: the worm's E-mail poses as a message from the CIA, the FBI, or Germany's equivalent national police force, the Bundeskriminalamt. The message accuses recipients of visiting illegal Web sites and tells them to open a zip file to answer questions. The FBI even took the unusual step of issuing a statement saying the E-mails were bogus.
