Virus-Writers Using Spammer Techniques To Speed Spread


June 5, 2003
By Gregg Keizer, TechWeb News

Virus-writers may be using spamming technology to flood the Internet with malicious code.

At least that's the finding of two security firms that tracked the spread of Sobig.c, which debuted this weekend and was first noted for the bogus e-mail address of its sender, bill@microsoft.com.

Sobig.c may look like a run-of-the-mill mass-mailed virus, but it's actually evidence of a new trend in how virus makers distribute code, according to anti-virus researchers at Kaspersky Labs and Central Command.

Using spamming technology is a departure from the normal way virus makers launch their creations, according to Steven Sundermeier, product manager at Central Command.

Typically, he said, copies of the virus are first seeded with a limited number of users -- 100 is usual -- who then unintentionally spread the virus by e-mail and over networks as the worm propagates itself. The result: a slow start, with infection rates picking up as more computers are contaminated.

Sobig.c, however, seems to have been seeded using spam-style mass mailing techniques, the same used by junk mail marketers to drop spam touting everything from herbal remedies to sexual enhancers into users' inboxes.

"Rather than hundreds of seeded copies," said Sundermeier, "a spamming approach would put thousands, if not millions of copies of the worm into the wild simultaneously."

That would give security firms, corporations, and their users less lead time to notice a new virus and react to it before infection spreads.

Such tactics "could provoke global flood-attacks on the Internet, such as happened with Slammer, that could lead to the lowering of the network's productivity and even result in its decomposition into disconnected segments," Kaspersky Labs spokesman Denis Zenkin said.

Evidence that Sobig.c was spread via spam-style techniques is indirect, according to both Kaspersky and Central Command.

Although the worm contains code that specifies bill@microsoft.com as the sender's address -- similar to other worms, including last month's Sobig.b, which spoofed support@microsoft.com as the sending address -- security firms have noted that the overwhelming majority of messages carrying Sobig.c are not tagged with Gates' address.

"We're getting literally tons of e-mails that aren't originating from that address," said Sundermeier.

Other proof that Sobig.c is using a spam-like distribution method, said Kaspersky Labs' Zenkin, includes the large number of infections in a short amount of time -- according to MessageLabs, Sobig.c is now the most prominent virus on the Internet -- and the originating IP addresses of the mailed worm.

"Detailed analysis of the IP addresses at the source of Sobig.c mailings confirms the high probability of the use of spamming technology," said Zenkin.

Central Command is still analyzing the worm, including the source IP addresses, said Sundermeier, and is not yet able to confirm Kaspersky's conclusion. "We're doing the tracking now to see where they're originating," he said. "If there's a huge flood originating from a particular IP, then the possibility exists that it's being spammed."
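The two indirect indicators described above, that most Sobig.c messages did not carry the hard-coded bill@microsoft.com sender and that a large share of the mailings came from a small number of source IP addresses, can both be checked against a receiving mail server's logs. The script below is an added illustration written for this article, not code from Kaspersky, Central Command or any product; the log lines and their three-field layout (timestamp, connecting IP, envelope sender) are constructed for the example and do not follow any real MTA's format, and the thresholds are arbitrary assumptions to be tuned per site.

```python
"""Source-IP concentration check for a suspected mass-mailed worm.

Added example, not part of the article. Log lines and field layout are
constructed; real MTA logs need their own parser.
"""
from collections import defaultdict

# Constructed sample of receiving-MTA log lines: timestamp, source IP, sender.
# Most messages come from one address, each with a different sender, and only
# one carries the sender hard-coded in the worm.
SAMPLE_LOG = """\
2003-06-02T08:00:01 198.51.100.7 bill@microsoft.com
2003-06-02T08:00:02 198.51.100.7 alice@example.org
2003-06-02T08:00:02 198.51.100.7 bob@example.net
2003-06-02T08:00:03 198.51.100.7 carol@example.com
2003-06-02T08:00:03 198.51.100.7 dave@example.org
2003-06-02T08:00:04 198.51.100.7 erin@example.net
2003-06-02T08:00:05 203.0.113.20 frank@example.org
2003-06-02T08:00:06 192.0.2.44 grace@example.com
2003-06-02T08:00:07 192.0.2.45 heidi@example.net
"""

HARDCODED_SENDER = "bill@microsoft.com"  # address the article says the worm specifies


def parse_log(text):
    """Return (timestamp, source_ip, sender) tuples; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_ip, sender = line.split()[:3]
        records.append((ts, src_ip, sender.lower()))
    return records


def hardcoded_sender_share(records, hardcoded=HARDCODED_SENDER):
    """Fraction of messages whose envelope sender is the worm's built-in address.

    A low share, despite the worm hard-coding that sender, is the first
    indirect indicator the article describes.
    """
    if not records:
        return 0.0
    hits = sum(1 for _, _, sender in records if sender == hardcoded)
    return hits / len(records)


def per_source_profile(records):
    """Per source IP: message count and number of distinct sender addresses."""
    senders_by_ip = defaultdict(list)
    for _, src_ip, sender in records:
        senders_by_ip[src_ip].append(sender)
    return {
        ip: {"messages": len(senders), "distinct_senders": len(set(senders))}
        for ip, senders in senders_by_ip.items()
    }


def flag_flood_sources(records, min_messages=5, min_sender_diversity=0.5):
    """Source IPs that both send a flood and rotate sender addresses.

    A single compromised desktop tends to send a few copies under one or two
    addresses; a bulk-mailing engine sends many copies from one host with a
    different forged sender on each. Thresholds are assumptions for the demo.
    """
    flagged = []
    for ip, profile in per_source_profile(records).items():
        diversity = profile["distinct_senders"] / profile["messages"]
        if profile["messages"] >= min_messages and diversity >= min_sender_diversity:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"share carrying {HARDCODED_SENDER}: {hardcoded_sender_share(recs):.2f}")
    for ip, prof in sorted(per_source_profile(recs).items()):
        print(f"{ip:>14}  messages={prof['messages']}  distinct_senders={prof['distinct_senders']}")
    print("flood-like sources:", flag_flood_sources(recs))
```

A flagged address is a lead for the kind of tracking Sundermeier describes, not a verdict: an outbound relay for a large site concentrates legitimate traffic from many senders behind one IP in exactly the same way, so the next step is to check whether the flagged host is a known relay before treating the concentration as evidence of bulk seeding.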

Other security firms, such as Symantec, are also looking closely at Sobig.c. Sharon Ruckman, the senior director of Symantec's security response team, said her group was examining Sobig.c, but so far hadn't reached any conclusions about the worm's distribution method. Sobig.c spread faster than its immediate predecessor, Sobig.b, she said.

http://story.news.yahoo.com/news?tmpl=story&ncid=&e=5&u=/cmp/20030605/tc_cmp/10300197