Security experts are warning of a possible attack or mass action by machines infected with the Sobig.F worm scheduled to begin at 7 p.m. GMT on Friday.
Code buried deep in the Sobig.F worm will cause afflicted Microsoft Corp. Windows machines worldwide to simultaneously connect to an as-yet unknown Web page and download a software program, according to security company F-Secure Corp. of Helsinki. The machines are using a number of atomic clocks worldwide to synchronize activities and coordinate the mass action, F-Secure said.
Researchers at F-Secure have analyzed the Sobig.F worm code and discovered the instructions, which are similar to those found in previous editions of the Sobig.F virus, said Mikko Hyppönen, head of antivirus research at F-Secure.
For Sobig.F, F-Secure researchers cracked an encrypted list of 20 IP (Internet Protocol) addresses that the infected machines will attempt to connect to, trying each in order until a successful connection is made.
Those IP addresses belong to Sobig-infected machines outfitted by the Sobig.F authors with instructions to receive requests from other Sobig.F machines and to respond with the location of a file that those machines should download and run, Hyppönen said.
“These are probably easy-to-crack machines from around the world — Windows boxes where the user has no idea that the machine is infected and is being used in the attack,” he said.
Currently, the 20 Sobig.F “server” machines contain instructions to download a nonexistent file on the www.sex.com domain, but the person or people behind Sobig.F will probably wait until the last moment before uploading the real instructions to the 20 machines.
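The mechanism described above gives defenders something concrete to look for: an infected host will, inside the activation window, contact addresses from the recovered server list, trying them in order until one answers. The following detection sketch is an added example, not code from the article or from F-Secure. It assumes a simple constructed firewall log format (`<timestamp> <src> -> <dst>:<port>`), uses RFC 5737 documentation addresses as stand-ins for the 20 real server IPs (which the article does not list), and assumes the activation date of Friday, 22 August 2003, 19:00 GMT; the three-hour watch window is likewise an assumption.

```python
"""
Defensive detection sketch (added example, not from the article or F-Secure):
flag hosts whose outbound connections match the behaviour attributed to Sobig.F,
i.e. contacting addresses from the known "server" list, in list order, inside
the activation window.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder list: the real 20 addresses recovered by F-Secure are not in the
# article. These are RFC 5737 documentation addresses, used only as sample data.
SOBIG_SERVERS = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.77"]

# Assumption: the "Friday 7 p.m. GMT" in the article is 2003-08-22 19:00 UTC.
ACTIVATION_START = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=3)  # assumption: how long after activation to watch


def parse_line(line):
    """Parse one constructed log line: '<iso-ts>Z <src> -> <dst>:<port>'."""
    ts, src, _, dst = line.split()
    dst_ip, _, port = dst.rpartition(":")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, dst_ip, int(port)


def find_suspect_hosts(lines, servers=SOBIG_SERVERS,
                       start=ACTIVATION_START, window=WINDOW):
    """Return {src: [listed servers contacted, in log order]} for every source
    host that touched a listed server inside the activation window."""
    listed = set(servers)
    hits = defaultdict(list)
    for line in lines:
        when, src, dst, _port = parse_line(line)
        if dst in listed and start <= when < start + window:
            hits[src].append(dst)
    return dict(hits)


def sequential_probing(dsts, servers=SOBIG_SERVERS):
    """True when a host walked the server list in its published order, which
    matches the described behaviour (try each address until one answers)."""
    order = {ip: i for i, ip in enumerate(servers)}
    idx = [order[d] for d in dsts if d in order]
    return len(idx) >= 2 and idx == sorted(idx)


def report(lines):
    """Return sorted (host, contacted_count, walked_list_in_order) tuples."""
    hits = find_suspect_hosts(lines)
    return sorted((host, len(dsts), sequential_probing(dsts))
                  for host, dsts in hits.items())


# Constructed sample log: one host walks the list in order, one touches a single
# listed server, one is pre-window noise, one is ordinary web traffic.
SAMPLE_LOG = [
    "2003-08-22T18:58:10Z 10.0.0.5 -> 192.0.2.10:1025",    # before window
    "2003-08-22T19:00:02Z 10.0.0.5 -> 192.0.2.10:1025",
    "2003-08-22T19:00:03Z 10.0.0.5 -> 192.0.2.11:1025",
    "2003-08-22T19:00:05Z 10.0.0.5 -> 198.51.100.5:1025",
    "2003-08-22T19:00:07Z 10.0.0.9 -> 203.0.113.77:1025",
    "2003-08-22T19:01:00Z 10.0.0.12 -> 192.0.2.200:80",    # not a listed server
]

if __name__ == "__main__":
    for host, count, in_order in report(SAMPLE_LOG):
        print(f"{host}: contacted {count} listed server(s); "
              f"walked list in order: {in_order}")
```

A host that walked several listed addresses in order within minutes of the activation time is a strong candidate for isolation and cleanup; a single contact is weaker evidence and worth correlating with other indicators before acting. The same list, once confirmed, is what an ISP or perimeter team would block outright, which is the effect the takedown effort described below aims for.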
“Obviously the logic of the virus writers is to change the URL (pointing to the file) just before the attack starts. They’re thinking about how we work and trying to make it harder,” he said.
Without seeing the actual instructions that infected Sobig.F machines download by the thousands, it’s impossible to know what the Sobig.F machines will be directed to do, Hyppönen said.
For example, if the virus author sent instructions for the Sobig.F machines to download a file on Microsoft’s Web page or that of another high-profile target, it could create a massive denial of service (DOS) attack, he said.
Previous editions of Sobig.F downloaded software programs that turn infected machines into so-called “open proxies,” Hyppönen said. Open proxies act as e-mail distribution hubs allowing anonymous sending of massive waves of spam. Sobig.F’s author may be planning to do the same, creating a large network of open proxies that can be used for future spam campaigns.
Security experts have long noted the connections between the Sobig.F worm and the work of spammers, who use open proxies to cover their tracks while barraging e-mail accounts with solicitations for pornography, “get rich quick” scams and cheap prescription drugs.
In an attempt to control the flood of spam e-mail, ISPs (Internet service providers) have been cracking down on loosely managed open proxies, prompting spammers to look for ways to create new proxies, Hyppönen said. Security companies have noted a correlation between the appearance of worms like Sobig.F and an increase in spam traffic from open proxies.
After deciphering the attack, F-Secure contacted both the European Computer Emergency Response Team (CERT) and the U.S. Federal Bureau of Investigation regarding the threat. Those organizations in turn contacted the ISPs that the Sobig.F servers are using and asked them to suspend the machines’ Internet connections, Hyppönen said.
As of Friday morning, 12 of 20 Sobig.F servers had been taken offline and authorities were working to contact other affected ISPs.
The job of shutting down the servers has been complicated, in part because the Sobig.F authors took precautions when selecting the machines to use as servers, making sure that each was controlled by a different ISP worldwide.
The FBI has analyzed the Sobig.F code and is aware of the planned attack, said Bill Murray, a spokesman for the FBI’s cyber division. The agency is working with the Information Analysis and Infrastructure Protection Directorate of the Department of Homeland Security and other federal agencies to develop a strategy to help mitigate further spread of the Sobig.F code, he said.
The FBI also launched an investigation into Sobig.F and is trying to determine who released the code into the wild, Murray said. Individuals with information about the Sobig.F worm that might help investigators should contact their local FBI field office, he said.