[ISN] German hate-spam spread by Sober virus

InfoSec News isn at c4i.org
Mon May 16 04:14:25 EDT 2005


[We (C4I.org) got slammed pretty hard by Sober.Q by a Cogeco IP, and
since it was a weekend, no one in Cogeco security was working, or
oddly enough carries a duty pager alerting them to major virus &
security issues. This information was gleaned from someone in tech
support that works with the security department. In Cogeco's defense,
they say they give users a $100 F-Secure firewall, but if there is no
financial benefit (say in the form of reduced internet service) for
users to run the firewall software, it's never going to be installed &
used.   - WK]

By Munir Kotadia
ZDNet Australia 
16 May 2005 

Another variant of the Sober virus, which spreads right-wing messages
in German and English, appeared over the weekend. Security firms are
warning that they have received hundreds of thousands of e-mails
generated by Sober.Q in its first 24 hours.

Sober is usually a mass-mailing worm that sends a copy of itself to
e-mail addresses stored on an infected computer's hard drive. However,
in the same week that Germany and Europe celebrate the 60th
anniversary of the end of World War II in Europe, the latest variant's
sole purpose seems to be to distribute hate mail.

Scott Chasin, chief technology officer at e-mail security specialists
MX Logic, said the latest variant of Sober was being uploaded to
computers infected by previous variants of Sober, which meant the
virus authors may have remote control over thousands of PCs.

"Sober.Q appears to be downloaded by machines infected by Sober.P - If
this is the case, the Sober.P author or authors could have remote
command-and-control capabilities over a large network of infected
machines. This network would provide not only a megaphone to
distribute messages of hate, but a platform for future spam, worm and
denial of service attacks," said Chasin.

Although spam usually tries to advertise products, Chasin said it is
now also being used for spreading propaganda.

"Spam has been traditionally regarded as annoying messages that
promote Viagra, porn and low cost mortgages... But for the past year
we have seen a trend in which worm authors are using spam not to hawk
goods, but as a tool for political propaganda," said Chasin.

Last week, antivirus firms warned that the previous Sober variant,
which was disguised as winning tickets to the Soccer World Cup in
2006, had suddenly modified its behaviour and stopped propagating. The
temporary lull in activity seemed to have been planned by the virus
writers in preparation for this latest attack.

MX Logic's Threat Centre has reported seeing more than 125,000
instances of the Sober.Q worm and categorised it as a high severity
threat. Internet security firm SurfControl reported seeing 1,000 spam
e-mails within hours of the initial outbreak, which the company said
is around 40 times the usual number.
