Computer worm proves to be not SoBig after all
SoBig wasn't so bad after all.
The computer worm was poised to unleash phase two of a global Internet attack yesterday afternoon, but security experts said they had taken steps to thwart the software.

"We expect that nothing really will happen," said Chris Belthoff, senior security analyst at Sophos Inc. in Lynnfield. His confidence was based on the virus hunters' success in figuring out SoBig's next move and taking steps to stop it.

The last work day of a week plagued with computer problems also saw The New York Times shut down and check every computer in its newsroom because of unexplained "system difficulties." Last night, Times officials would not say whether the shutdown was related to SoBig or two other computer worms, Blaster and Welchia.

The SoBig worm appeared early last week, even as computer users were grappling with outbreaks of Blaster and Welchia. Those worms infected thousands of computers over several days, but SoBig hit much harder, becoming one of the worst Internet infections ever recorded. The worm scoured infected machines for stored e-mail addresses, then sent copies of itself to every address it found.

SoBig was also designed to update itself. Infected machines were supposed to download new software between 3 and 6 p.m. yesterday, and again at the same time tomorrow. Security experts feared the downloads could cause infected computers to launch even more harmful attacks.

Researchers in the United States and Europe dissected the worm and discovered 20 Internet addresses SoBig was designed to contact. They quickly contacted the Internet providers that held the addresses, urging them to shut them down before 3 p.m. The tactic seems to have worked.

"All of them have been taken offline at this time," said Belthoff.

Chris Wysopal, researcher with Cambridge computer security firm At Stake, said the shutdown effort wasn't quite so successful. "All machines got shut down except for one, and that one got totally swamped," said Wysopal. He warned that a few SoBig infected machines would still get their updates. But the Finnish antivirus firm F-Secure Inc. said its efforts to contact the one remaining live address were unsuccessful, suggesting that few infected machines would be able to get through.

Bloomberg News reported that the FBI in New Haven has been put in charge of investigating the outbreak. The agency has issued a subpoena to Easynews.com, an Internet provider in Phoenix, seeking information about a client who might be involved in the worm outbreak. The FBI contacted Easynews on Thursday and told the company that a user had used its servers to upload the virus to the Usenet network, according to a news release posted on the Easynews.com website.

Usenet is a network of online bulletin boards. The worm was first posted to a Usenet board that publishes pornographic images, according to Reuters.

Even though the most recent SoBig threat has faded, Wysopal warned there are perils ahead. Last week's worm was actually called SoBig.F, because it's the sixth version released this year. Each version has been reworked to make it more dangerous and harder to defeat.

Hiawatha Bray can be reached at bray@globe.com.

© Copyright 2003 Globe Newspaper Company.