Sober Overtakes Zafi as Viral King

Antivirus experts report the new Sober-N worm is the most widespread virus in the wild. Sophos detected the Sober-N worm, which poses as tickets for the 2006 World Cup in Germany, in May.

SophosLabs’ May 2005 report indicates that the bilingual Sober-N worm has rapidly spread across 40 countries — accounting for 4.5 percent of all e-mail. That puts it ahead of the infamous Zafi-D, which had dominated the top of the virus chart for the past five months.

“In May, we saw a lot of activity surrounding Sober-N as it cunningly climbed the chart by using social engineering tricks, such as offering free World Cup tickets, to lure recipients into opening the infected attachment,” said Gregg Mastoras, senior security analyst at Sophos.

Bringing Balance to the Numbers

While he doesn’t doubt Sober is gaining ground, Ken Dunham, the director of malicious code research at iDefense, a Reston, Va.-based threat intelligence firm, told TechNewsWorld that rankings are difficult to read in times of lull.

“Every firm has its own set of metrics, customers and missions. Rankings like these just give us just the tip the iceburg of what’s going on out there in terms of prevalence,” Dunham said. “Sober may be more prevalent for companies with more clients in Europe than those in other parts of the world.”

Dunham is certain, however, that Sober ranks in the top five, and noted that the top three to five codes worldwide represent 90 percent or more of all malicious code that’s spread in the wild. The difference is that worms like Sober don’t blow up in your face like MyDoom, he said.

Making Computer Zombies

What worms like Sober do, instead, is make computer zombies. Mastoras said the Sober-Q Trojan searched for computers infected with the Sober-N worm and attempted to secretly turn them into spamming machines, better known as zombies. A new entry, Mytob-AZ, is also gaining momentum, according to the Sophos report.

“Mytob-AZ was another mass-mailing worm, which was accompanied by a backdoor Trojan that allowed others to access the infected user’s computer,” Mastoras said. “Although it accounted for only 1.6 percent of viruses in May, it could potentially cause severe damage to businesses that were not appropriately protected.”

Beware A More Sophisticated Sober

Mytob-AZ may be making headlines, but Sober is still the one to watch, according to analysts, because it is getting more sophisticated in its attacks.

“The authors are playing cat and mouse games technically to make it more difficult to remove the worm and to control computers that are infected with Sober,” Dunham said. “The most recent Sober worm spread and then went into a sleep period for several days. When it woke up it downloaded the code from a remote web site that initiated the spamming. Sober is increasingly successful.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

Which most influences your decision to accept a LinkedIn invite from a stranger?
Loading ... Loading ...

LinuxInsider Channels