This is one fast worm
SoBig's sprint across the Net is raising concerns
By Hiawatha Bray, Globe Staff, 8/22/2003
Why is SoBig lasting so long? The SoBig computer worm continued its rampage across the Internet yesterday, sparking fears that the program is being used to set up a network of infected computers as a launch pad for further attacks.
Yet it's SoBig's rapid, and ongoing, replication that has stunned computer virus watchers. Computer users must deliberately activate a file attached to incoming e-mail to infect their machines. Some antivirus specialists assumed that most computer users would not open such attachments, thus limiting the spread of the worm. It didn't turn out that way.
Chris Belthoff, senior security analyst at antivirus company Sophos Inc. in Lynnfield, says that's partly because the creator of SoBig seems to have mass-mailed it to many thousands of Internet addresses on the day the worm first appeared. This made it spread much more rapidly than if it had been sent to just a few recipients and allowed to spread slowly across the network. "It wasn't a slow, steady increase of growth. It was immediate and it was widespread," said Belthoff.
In addition, SoBig uses "social engineering" -- a tactic that tricks people into lowering their defenses. Earlier versions of SoBig forged the same sender address on every copy they sent out, such as bill@microsoft.com. The use of such an implausible address warned many recipients not to trust the message. But the latest variant, called SoBig.F, randomly chooses, as the forged sender, an e-mail address it has found on the already infected machine. The messages thus appear to come from a variety of plausible sources -- in some cases, from addresses known to the recipients -- even though the address shown is not the machine that actually sent the mail. This deceived some people into activating the attachments and infecting their machines, said Ian Hameroff, security strategist for Computer Associates International Inc., in Islandia, N.Y. "People are still falling prey to social engineering," said Hameroff. "They're double-clicking on these attachments and allowing this to spread."
SoBig collects all the e-mail addresses it can find on an infected computer's hard drive. The worm contains its own mail-sending program, so it does not depend on the victim's e-mail software, and spews out copies of itself at high speed to all these addresses. The program is multithreaded, meaning that each copy of SoBig can send out several e-mail messages at once. And when it finishes e-mailing every address, it simply starts over. The process continues until the worm is removed or the computer is switched off -- or until Sept. 10, the date built into the worm, when it will automatically stop functioning.
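The behaviour described in the last two paragraphs (a worm-resident mail engine sending at high speed, with a forged sender address that changes from message to message) is something a mail administrator can hunt for in gateway logs. The following Python is an added example, not code from the article or from any vendor quoted in it: it flags a client IP that sends many messages from many distinct envelope sender addresses inside a short window, while letting a legitimate high-volume sender that uses one address pass. The log format, thresholds and sample lines are constructed for illustration.

```python
"""
Heuristic detector for mass-mailing-worm behaviour in SMTP gateway logs.

Added example, not code from the article or from any vendor it quotes. It
turns two Sobig.F traits the article describes, a worm-resident mail engine
sending at high speed and a forged sender address that changes from message
to message, into per-client-IP signals over a sliding time window:
  * message count at or above MIN_MESSAGES, and
  * distinct envelope sender addresses at or above MIN_DISTINCT_SENDERS.
A host that legitimately sends a lot of mail from one address (a newsletter)
trips the first signal but not the second. The log format, thresholds and
sample lines below are assumptions constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60         # assumed sliding window per client IP
MIN_MESSAGES = 10           # assumed volume threshold within the window
MIN_DISTINCT_SENDERS = 5    # assumed threshold for varying (forged) senders

# Constructed sample log, one line per accepted message:
#   "<ISO timestamp> <client IP> <envelope sender> <recipient>"
# 10.0.0.5 behaves like an infected host (many forged senders in 12 seconds),
# 10.0.0.7 like a newsletter server (one sender), 10.0.0.9 like a normal user.
# Lines must be time-ordered per client IP, as they are here.
SAMPLE_LOG = """\
2003-08-21T09:00:00 10.0.0.5 alice@example.org u01@example.net
2003-08-21T09:00:01 10.0.0.5 bob@example.net u02@example.net
2003-08-21T09:00:02 10.0.0.5 carol@example.com u03@example.net
2003-08-21T09:00:03 10.0.0.5 dave@example.org u04@example.net
2003-08-21T09:00:04 10.0.0.5 erin@example.net u05@example.net
2003-08-21T09:00:05 10.0.0.5 frank@example.com u06@example.net
2003-08-21T09:00:06 10.0.0.5 grace@example.org u07@example.net
2003-08-21T09:00:07 10.0.0.5 heidi@example.net u08@example.net
2003-08-21T09:00:08 10.0.0.5 alice@example.org u09@example.net
2003-08-21T09:00:09 10.0.0.5 bob@example.net u10@example.net
2003-08-21T09:00:10 10.0.0.5 carol@example.com u11@example.net
2003-08-21T09:00:11 10.0.0.5 dave@example.org u12@example.net
2003-08-21T09:00:00 10.0.0.7 news@example.com s01@example.net
2003-08-21T09:00:01 10.0.0.7 news@example.com s02@example.net
2003-08-21T09:00:02 10.0.0.7 news@example.com s03@example.net
2003-08-21T09:00:03 10.0.0.7 news@example.com s04@example.net
2003-08-21T09:00:04 10.0.0.7 news@example.com s05@example.net
2003-08-21T09:00:05 10.0.0.7 news@example.com s06@example.net
2003-08-21T09:00:06 10.0.0.7 news@example.com s07@example.net
2003-08-21T09:00:07 10.0.0.7 news@example.com s08@example.net
2003-08-21T09:00:08 10.0.0.7 news@example.com s09@example.net
2003-08-21T09:00:09 10.0.0.7 news@example.com s10@example.net
2003-08-21T09:00:00 10.0.0.9 ivan@example.com judy@example.org
2003-08-21T09:05:00 10.0.0.9 ivan@example.com mallory@example.org
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, sender, recipient)."""
    ts, client_ip, sender, recipient = line.split()
    return datetime.fromisoformat(ts), client_ip, sender.lower(), recipient.lower()


def detect_mass_mailers(lines, window=WINDOW_SECONDS,
                        min_messages=MIN_MESSAGES, min_senders=MIN_DISTINCT_SENDERS):
    """Return {client_ip: (messages, distinct_senders)} for every client that, at
    some point, had at least min_messages messages with at least min_senders
    distinct envelope senders inside a sliding window of `window` seconds.
    The recorded pair is the largest observed for that client."""
    recent = defaultdict(deque)   # client_ip -> deque of (timestamp, sender) in window
    flagged = {}
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, ip, sender, _ = parse_line(raw)
        q = recent[ip]
        q.append((ts, sender))
        # Evict observations that have fallen out of the window for this client.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = len({s for _, s in q})
        if len(q) >= min_messages and distinct >= min_senders:
            flagged[ip] = max(flagged.get(ip, (0, 0)), (len(q), distinct))
    return flagged


def main():
    for ip, (count, senders) in detect_mass_mailers(SAMPLE_LOG.splitlines()).items():
        print(f"probable mass-mailer {ip}: {count} messages from "
              f"{senders} distinct sender addresses within {WINDOW_SECONDS}s")


if __name__ == "__main__":
    main()
```

Two points follow from the article's description. The alert is keyed on the client IP, the host that actually delivered the mail, because the sender address on a SoBig.F message belongs to some innocent contact harvested from the victim's disk; blocking or notifying that address punishes the wrong party. And the thresholds are tuning knobs: a site with a large legitimate relay that forwards for many users will need a higher distinct-sender threshold, or an allow-list for that relay, to avoid false alarms.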
In the meantime, SoBig produces a flood of e-mail that is slowing down computer networks and making life miserable even for those whose machines aren't infected. Verizon Communications said yesterday many of its DSL high-speed Internet customers were suffering from slow network performance, because of all the data traffic generated by SoBig, as well as another widespread computer worm called Welchia which attacks computers running several versions of Microsoft Corp.'s Windows operating system. Verizon said late yesterday the network was returning to normal as worm traffic had begun to ebb.
And beginning today, computers infected with SoBig will attempt to download additional "Trojan horse" software over the Internet. Earlier versions of SoBig have downloaded software that could be used to send out unwanted commercial e-mail, or "spam," from infected machines. But security specialists warned the worm could download a variety of harmful programs. "A potential risk is that the massive army created by (SoBig) Worm/Sobig.F could be used to launch an all-out attack on large Internet infrastructures," said Steven Sundermeier, a vice president at antivirus software maker Central Command Inc.
Nobody knows what programs SoBig will attempt to install on its victims' computers. But the owners of thousands of infected PCs may soon find out.
Hiawatha Bray can be reached at bray@globe.com.
© Copyright 2003 Globe Newspaper Company.