High profile worms push e-mail security to code red status
16 May 2005
Irish security consultant IE Internet, which manages e-mail for 10,000 business e-mail users, revealed that Mytob.Al had been detected in eight per cent of e-mail messages delivered. The Mytob worm is particularly dangerous because it makes infected computers part of a botnet, a network of compromised machines which send out spam and launch denial of service attacks.
IE Internet’s managing director, Phelim O’Connell, warned that “every week thousands of PCs are recruited into botnets without the owner’s knowledge. Mass-mailing worms are designed to allow criminals to take control of a computer and use it to send out vast quantities of Spam”.
A spokesperson for the company added that Mytob also showed that virus writers were collaborating with Spammers. ‘The majority of e-mail viruses and Spam emails originate from a botnet,’ she added.
Meanwhile, Sober N or P, the latest variant of a worm which has been in existence since 2003, appeared on May 2nd. According to UK anti-virus specialist Sophos, the W32/Sober-N worm had been reported attempting to break into computer systems in over 40 different countries by May 4th.
Three days after its release, Sober N accounted for 79.29 per cent of all viruses seen by Sophos monitoring stations around the world. Sophos experts calculated the worm was accounting for an ‘astonishing’ 4.5 per cent of all e-mail sent across the Internet. ‘1 in every 22 e-mails sent across the Internet is currently infected by the Sober-N worm – making this one of the biggest virus outbreaks of the year,’ said Graham Cluley, senior technology consultant for Sophos. ‘All Internet users must secure their systems with up-to-date anti-virus software and ensure they never open unsolicited e-mail attachments. No one should be fooled into thinking that e-mail viruses are a thing of the past.’ Russian anti-virus software developer Kaspersky Lab, which has labelled the worm as Sober.p, agreed it was causing ‘an epidemic in Western Europe’.
It described the worm as ‘the commonest malicious program found in mail traffic. Sober.p has broken records in terms of the number of infected messages sent out and speed of propagation throughout Western European segments of the Internet.’
The Sober worm uses a subject header in an e-mail to entice users to open an attachment and then replicates itself via an infected user’s address book. The most recent variant has been using the lure of free World Cup tickets to target users in Germany.
Figures released by IE Internet suggested virus infection remained stable in April at 7.55 per cent, but they were compiled before the emergence of Sober P. IE Internet also found that a considerable proportion of the viruses in circulation in April, including Netsky P which was the second most prevalent, had been around for a year or more. ‘Netsky P has been around since April 2004,’ said the spokesperson, ‘which suggests users are not updating their anti-virus software. They need to be more proactive in ensuring they protect themselves against viruses.’
The Netsky P virus also took second place in the list of top ten global viruses published by Sophos. Carole Theriault, security consultant at Sophos, agreed old viruses were still taking advantage of poorly protected computers. She described Mytob, the only new worm to break into the top ten, as ‘a nasty piece of work – not only does it spread ferociously, but it plants a backdoor Trojan horse which can be used by remote hackers to gain access and control over a victim’s computer. The computer can then be spied upon or used to send spam or launch denial of service attacks.’
In a busy week, Sophos also issued a warning the day after the UK election over a Trojan worm hidden in a message claiming Tony Blair’s e-mail had been hacked. Clicking on a link in the message would take users to a website which invisibly installed a Trojan horse that would attempt to install other malicious code, a password stealer.