Sober Still Accounts For 4 of 5 Worms, Viruses
"It's had quite the impact," said Graham Cluley, a senior technology consultant with Sophos. "Although it's not on the level of a really major worm, like Sobig of last year, Sober is the biggest we've seen so far this year."
The worm broke Monday and quickly gained steam in Western Europe before hitting American PCs. Within hours it dominated the malware charts by making up 70 percent or more of the malicious code traffic spotted by anti-virus monitoring stations.
Contrary to some analysts' expectations, Sober hasn't yet slowed. It's been spotted in 40 countries so far, said Cluley, and currently accounts for 79.6 percent of all worms and viruses making the rounds.
"Sober is very much hanging in there," said Cluley. "Right now, it's accounting for 5.3 percent of all e-mail, legitimate or otherwise. Over 1 in 20 e-mails, in other words, is Sober. That's ferocious."
While the worm doesn't carry a malicious payload as such -- no backdoor Trojan, no keylogger, no ability to turn the infected PC into a spam-spewing proxy -- it's slowed down e-mail traffic and clogged users' inboxes around the world.
"At this point," said Cluley, "it's actually less of a virus problem and more of a spam problem. Copies of Sober are making up a significant portion of all e-mail, and an even greater percentage of spam."
He recommended that users update their anti-virus software and refrain from opening unsolicited attachments. "No one should be fooled into thinking that e-mail viruses are a thing of the past," said Cluley.
That reference was to the recent trend among security analysts who have predicted the impending demise of mass-mailed worms. The e-mail delivery system, so the theory goes, will diminish in importance as attackers concentrate on more profitable tactics, such as network worms, instant messaging malware, and operating system vulnerabilities.
"We're scratching our heads, wondering why on earth they're saying this," said Cluley. "The death of e-mail worms, as Mark Twain said, has been greatly exaggerated.
"Everyone has an e-mail address," he pointed out. "That's why virus writers, for a long time to come, will continue to write e-mail worms. If nothing else, Sober proves that [mailed worms] still work."
Wednesday's five-year anniversary of the debut of the Loveletter worm -- a landmark event in worm history for its social engineering tactics -- also is of interest now, said Cluley because of Sober's success.
Loveletter, which appeared May 4, 2000, used an attachment titled "LOVE-LETTER-FOR-YOU.TXT.VBS" to tempt users into opening the file. It played on users' curiosity, a flaw that virus writers still exploit, said Steven Sundermeier, an analyst with Central Command, another anti-virus firm. "Virus authors today are still heavily relying on social engineering, that is, naming their files creatively in an attempt to pique user curiosity and trick them into running their creations," he said in an e-mail.
In fact, Sundermeier continued, the five most prevalent pieces of malicious code during April "are nothing more than average e-mail worms not much different in terms of complexity and spreading procedures than that of Loveletter."
Sober definitely fits that description, said Sophos' Cluley. "The reason Sober is so successful is that it's giving people a real incentive to open the attachment. That's why lots of people fall for it."