Much-Feared Internet Onslaught Fizzles

The attack was averted after ISPs took the computers that were to launch the assault offline.
A potentially massive Internet attack generated by the Sobig virus was averted Friday after Internet service providers took offline the computers that were set to launch the assault.

Virus experts had identified, within Sobig's code, the Internet protocol (IP) addresses of 20 Windows PCs that were scheduled to send an invasive program to computers infected with what has been described as one of the most virulent E-mail viruses ever. Experts were unable to determine the purpose of the program.

However, ISPs took the IP addresses offline, averting the attack, which had been scheduled to start at 3 p.m. EDT Friday, said Chris Belthoff, senior security analyst at Sophos Inc. Among the ISPs involved were Road Runner, owned by Time Warner Cable; EarthLink; AT&T Worldnet; and Sprint.

"The download process has been stopped," Belthoff said.

Anti-virus companies Network Associates and Central Command also reported that the assault had been averted.

Windows PCs infected with the virus were to contact the 20 computers, which would redirect them to Web sites where they could download the program, called a "Trojan horse." Experts said the malevolent code could have deleted files, stolen passwords for online accounts, or turned the infected PCs into E-mail servers for relaying junk E-mail. The computers were located in the United States, Canada, and South Korea.

Because the IP addresses were taken down, the virus, dubbed Sobig.F, could no longer launch an attack. The threat of an attack "is very minimal," Belthoff said. "It's essentially non-existent."
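The staged download described above relies on infected machines calling a short, hard-coded list of master servers after a fixed activation time. The following is an added example (not from the article) of how a network defender could run firewall logs against such a list to identify infected hosts on their own network; the server addresses and log lines are constructed placeholders, since the article does not give the real 20 addresses, and only the activation time (3 p.m. EDT Friday, 22 Aug 2003, i.e. 19:00 UTC) is taken from the report.

```python
"""Flag Sobig.F-style master-server contacts in constructed firewall logs."""
from datetime import datetime, timezone

# Placeholder denylist standing in for the 20 hard-coded master servers
# (constructed; the real addresses are not given in the article).
MASTER_SERVERS = {"192.0.2.10", "192.0.2.11", "198.51.100.5"}

# Activation moment reported in the article: 3 p.m. EDT Friday = 19:00 UTC.
ACTIVATION = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)

# Constructed log lines, one connection per line: "<ISO time> <src> -> <dst>"
SAMPLE_LOG = """\
2003-08-22T18:55:00Z 10.0.0.7 -> 192.0.2.10
2003-08-22T19:00:05Z 10.0.0.7 -> 192.0.2.10
2003-08-22T19:00:06Z 10.0.0.9 -> 198.51.100.5
2003-08-22T19:01:00Z 10.0.0.7 -> 203.0.113.1
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, destination ip)."""
    ts, src, _, dst = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst


def infected_hosts(log, servers=MASTER_SERVERS):
    """Any contact to a master server, at any time, marks the source as infected."""
    hosts = set()
    for line in log.splitlines():
        if line.strip():
            _, src, dst = parse_line(line)
            if dst in servers:
                hosts.add(src)
    return sorted(hosts)


def activation_attempts(log, servers=MASTER_SERVERS, activation=ACTIVATION):
    """Contacts at or after the activation time: these are the attempted downloads
    that the takedown of the servers (or a local block) is meant to stop."""
    hits = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst = parse_line(line)
            if dst in servers and ts >= activation:
                hits.append((src, dst))
    return hits


if __name__ == "__main__":
    print("infected:", infected_hosts(SAMPLE_LOG))
    print("post-activation:", activation_attempts(SAMPLE_LOG))
```

Blocking the listed addresses at the perimeter gives the same protection the ISP takedown provided, and the pre-activation contact from 10.0.0.7 shows why the source list, not just the activation window, is what identifies machines that need cleaning.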

E-mails carrying the virus, however, are still circulating on the Internet, which means Sobig is still capable of spreading itself further. But the number of E-mails has dwindled since the virus began appearing Tuesday, reaching its peak the next day.

Sobig.F, the fifth variant of the original virus, which appeared in January, was exceptional in that it spread at a record rate, infecting hundreds of thousands or possibly more than a million machines globally. Anti-virus company F-Secure estimates the virus has sent more than 100 million E-mails across the Internet since its discovery on Monday.

Security company Symantec Corp. on Friday upgraded Sobig.F to a Level 4 threat, one notch below the company's highest rating. The upgrade followed the discovery of the Trojan. Symantec was receiving 1,800 Sobig.F-infected E-mails a day from customers.

Sobig.F has clogged home E-mail boxes and slowed company networks with millions of messages carrying the malevolent payload, which arrives under such headings as "Thank You," "Re: Details," and "Re: That Movie." MessageLabs Inc., which filters corporate E-mails, had intercepted more than 3 million messages carrying the virus as of Thursday.

The virus struck a week after a separate virus, dubbed Blaster, wreaked havoc among computer users globally.

When an unsuspecting computer user executes the Sobig E-mail attachment, the virus opens a "back door" on the Windows PC, allowing a hacker to take control of the machine or have the virus steal passwords and send them to the virus writer. Self-spreading viruses such as Sobig are called worms.

Experts have speculated that Sobig.F, which affects only machines running Microsoft Windows, is setting up computers to become spam generators. Spammers often use the machines of others to relay spam throughout the Internet. Such activity can occur undetected by the computer's owner.

Previous variants of Sobig have directed computers to install "Wingate" proxies capable of forwarding junk E-mail at the direction of the spammer. Computer owners often remain unaware that their machine has become a spam generator, because the proxies frequently stay in place even after anti-virus software removes the original virus.