The Sobig worm war continues

Eleventh-hour efforts by security experts, Internet service providers and law enforcement apparently blocked the execution of a scheduled updating of the Sobig worm this weekend, but the venerable code continues to pose a threat.

The most recent variant of the worm, Sobig.F, was scheduled to contact servers this past Friday and Sunday to get an address, from which it would download additional instructions. At least 19 of 20 compromised computers identified as Sobig servers were taken offline or blocked, foiling the attempt. The remaining computer apparently was swamped by the traffic and was unable to upload its instructions.

But "Sobig isn't over yet," said Ken Dunham, malicious code intelligence manager at iDefense Inc. of Reston, Va. "The worm is still spreading rapidly."

The worm's instructions call for it to continue trying to connect with compromised servers each Friday and Sunday between 3 p.m. and 6 p.m. EST until Sept. 10. That means four more attempts are likely, although Dunham said he is confident those attempts also will be defeated.

"Sobig is not your average worm," Dunham said. Since its first appearance in January, each succeeding variant has had more features and tricks than the predecessor versions. Based on this persistence, "I would expect to see new variants appear at or about the Sept. 10 kill date," he said.

The present version is extremely noisy, generating large volumes of e-mail in its efforts to spread itself. A handful of infected computers have generated 500,000 e-mail messages over a period of a few hours, Dunham said.

To foil the worm, security experts recommend that computer users keep antivirus software updated, use firewalls, patch vulnerabilities and keep abreast of new releases. The worm uses outbound User Datagram Protocol (UDP) port 8998 to try to connect with the servers and listens on UDP ports 995 through 999 for updates from its controller. Blocking these ports can help cut off the worm's update channel.
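As an added illustration (not part of the original article or any vendor tool), the following script turns the update behaviour described above into a simple detection check over constructed flow-log lines: it flags UDP flows to port 8998 or to ports 995 through 999 and notes whether each fell inside the worm's Friday/Sunday 3 p.m. to 6 p.m. Eastern window before the Sept. 10 cut-off. The log format, the IP addresses and the fixed UTC-5 offset for "EST" are assumptions for this example.

```python
"""Flag flow records matching Sobig.F's update channel (added example)."""
from datetime import datetime, timedelta, timezone

EST = timezone(timedelta(hours=-5))  # assumption: article's "EST" taken as fixed UTC-5
CONTROL_PORT = 8998                  # outbound UDP to the hard-coded Sobig servers
UPDATE_PORTS = range(995, 1000)      # inbound UDP 995-999, worm listens for instructions
WINDOW_DAYS = {4, 6}                 # Friday=4, Sunday=6 (Monday=0)
CUTOFF = datetime(2003, 9, 10, tzinfo=EST)  # Sept. 10 kill date from the article

# Constructed sample flow log: "<UTC timestamp> <proto> <src>:<sport> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-22T20:30:00Z udp 10.0.0.15:1044 198.51.100.7:8998
2003-08-22T20:31:05Z udp 198.51.100.7:8998 10.0.0.15:997
2003-08-22T12:00:00Z udp 10.0.0.15:1044 198.51.100.7:8998
2003-08-25T20:30:00Z tcp 10.0.0.22:3321 203.0.113.9:25
2003-09-12T20:30:00Z udp 10.0.0.15:1050 198.51.100.7:8998
"""


def parse_flow(line):
    """Split one constructed log line into (aware UTC datetime, proto, src, dst, dport)."""
    ts, proto, src, dst = line.split()
    dport = int(dst.rsplit(":", 1)[1])
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, proto, src, dst, dport


def in_update_window(ts):
    """True if ts falls on a Friday or Sunday, 15:00-18:00 EST, before the cut-off."""
    local = ts.astimezone(EST)
    return local < CUTOFF and local.weekday() in WINDOW_DAYS and 15 <= local.hour < 18


def detect_sobig_flows(log):
    """Return (line, reason, in_window) for every UDP flow that uses the worm's ports."""
    hits = []
    for line in log.splitlines():
        ts, proto, src, dst, dport = parse_flow(line)
        if proto != "udp":
            continue
        if dport == CONTROL_PORT:
            reason = "outbound UDP 8998 to Sobig server"
        elif dport in UPDATE_PORTS:
            reason = "inbound UDP %d update listener" % dport
        else:
            continue
        # A hit outside the window is still worth a look; a hit inside it matches the schedule.
        hits.append((line, reason, in_update_window(ts)))
    return hits


if __name__ == "__main__":
    for hit in detect_sobig_flows(SAMPLE_LOG):
        print(hit)
```

Flows that match the ports but fall outside the window (or after the cut-off) are still reported, since the port alone is a strong signal on a network that has no legitimate use for it.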

Dunham speculated that whoever has released and rereleased Sobig is doing so with a purpose, not just seeking bragging rights.

"The motive behind the Sobig worm is apparently different from others," he said. "It appears the motives are for illegal purposes. We expect further variants will be seen in the wild."

William Jackson writes for Government Computer News

About the Author

William Jackson is a Maryland-based freelance writer.
