Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Sobig.G is coming after your money!

  • 12 September, 2003 14:03

<p>Clearswift warns of new threat in Sobig worm project</p>
<p>Sydney, 12 September 2003: Sobig G is about to hit PCs around the world, but it can be stopped, according to Clearswift, the leading provider of software for managing and securing electronic communications.</p>
<p>According to Chy Chuawiwat, managing director of Clearswift Asia Pacific, the authors of Sobig are capturing banking and credit card information by using stealth and human engineering.</p>
<p>“Through a series of controlled experiments from Sobig.A to Sobig.F, the authors are learning how to improve their programming and the appeal of their emails. If they follow their typical mode of operation, Sobig.G can be expected in a week or so. But they can be stopped,” said Chuawiwat.</p>
<p>Before Sobig.A in January 2003, virus writers could be categorised into two simple camps: those seeking infamy by spreading their work as far as possible, and those motivated by the intellectual challenge, who would make a copy available to anti-virus companies to prove their technical prowess.</p>
<p>The series of Sobig worms falls into neither of these categories. It represents a controlled project, motivated by a new set of objectives.</p>
<p>“We are seeing a new evolutionary stage with the coming together of the skills of the virus writer, the hacker, the spammer and the fraudster. The financial stakes are potentially huge,” said Chuawiwat.</p>
<p>With the exception of the first version, all Sobig worms have operated in a very similar fashion, revealing a cunning plan. Each version had a pre-programmed lifetime varying between eight and 22 days and after the self-termination date it would no longer replicate. Typically, the new version would follow days after expiry of the previous version, but the interval could extend to over a month and in one instance (the E variant) predated the self-termination date by a week.</p>
<p>Three-stage infiltration
Spreading of each Sobig worm represents the first part of a three-stage exercise. When a user clicks on the email attachment, Sobig infects the PC and then waits for instructions to become available on one or more remote sites. This stage evaded detection by most of the anti-virus community until the workings of the F variant were deciphered.</p>
<p>When instructions become available, Sobig downloads a backdoor trojan program called Lala from yet another web site. Lala deletes the Sobig worm to cover its tracks and monitors the PC for signs of online financial transactions such as banking, credit card details, eBay and PayPal sessions. Lala captures user details and passwords and transmits them in encrypted form to the virus authors.</p>
<p>The Lala backdoor then takes infiltration to a third and final stage. It downloads and installs, from another web site, a copy of a program called Wingate, a proxy server. Proxy servers allow access to Internet services such as the web and email virtually anonymously.</p>
<p>Massive amounts of spam have originated from PCs infiltrated first with Lala and then with Wingate following Sobig infection, and successive versions of the Sobig worm have been spread by spamming from previously infected PCs.</p>
<p>Chuawiwat believes Sobig.G will probably be more effective than any previous variant, as the author continues to learn from previous efforts.</p>
<p>“However, the widespread publicity attracted by the F variant should make people more careful about opening attachments, as this worm cannot spread without the interaction of end users.</p>
<p>“Forewarning and awareness of the risks may help users think twice before clicking on Sobig.G, which we can expect some time soon after termination of F, on the 10th Sept 2003,” he said.</p>
<p>What to do
Update anti-virus signatures and don’t open emails from unknown people. Don’t click on attachments. The most common subject lines and attachments for Sobig email are Movie, Application, Approved and Screensaver.</p>
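<p>As an added illustration of the advice above (not code from the original release or from Clearswift), the following is a small mail-gateway filter that flags inbound messages whose subject uses one of the lure words named here and whose attachments carry an executable extension. The blocked extension list and the sample messages are constructed assumptions for the example, not values taken from the release.</p>

```python
import email
from email import policy

# Subject lines the release names as the most common Sobig lures
SOBIG_SUBJECTS = {"movie", "application", "approved", "screensaver"}
# Executable attachment types a mail gateway would typically block (assumption for this example)
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".zip"}


def classify_message(raw: bytes) -> dict:
    """Return a verdict for one raw RFC 822 message: allow, flag or quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    # Treat "Re: Movie" and "Movie" alike by splitting on whitespace and colons
    tokens = subject.replace(":", " ").split()
    lure_subject = any(tok in SOBIG_SUBJECTS for tok in tokens)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky = [n for n in names if any(n.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)]
    if lure_subject and risky:
        verdict = "quarantine"      # lure subject plus executable attachment
    elif lure_subject or risky:
        verdict = "flag"            # one indicator only: hold for review
    else:
        verdict = "allow"
    return {"subject": subject, "lure_subject": lure_subject,
            "risky_attachments": risky, "verdict": verdict}


# Constructed sample messages (not real captures)
SAMPLE_LURE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Re: Approved
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details.
--b1
Content-Type: application/octet-stream; name="application.pif"
Content-Disposition: attachment; filename="application.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--b1--
"""
SAMPLE_BENIGN = b"""From: colleague@example.invalid
To: user@example.invalid
Subject: Weekly status report
Content-Type: text/plain

Nothing attached this week.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(classify_message(sample))
```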
<p>For up-to-date analysis of Sobig visit Clearswift’s ThreatLab:</p>
<p>For explanation of the motives and modus operandi of the Sobig Project see:
The Sobig Project</p>
<p>- ends -
About Clearswift:
Clearswift is the world's leading provider of software for managing and securing electronic communications. Clearswift delivers the capabilities for organisations to protect themselves against email and web-based threats, meet legal and regulatory requirements, implement productivity-saving policies and manage intellectual property passing through their network.</p>
<p>The company's expertise lies in establishing and enforcing e-policies. Content security threats include the circulation of inappropriate images and text, spam and oversize files, loss and corruption of data, breaches of confidentiality, as well as viruses and malicious code. More information about Clearswift, its products and services is available at</p>
<p>For further information, please contact:</p>
<p>Monica Vardabasso, Primary Communication, Tel: 61 2 9212 3888, 0414 472 012
Chy Chuawiwat, Clearswift Asia Pacific, Tel: 61 2 9424 1220, 0405 181 600</p>
