The Sobig worm war continues

Last-minute efforts apparently blocked the execution of a scheduled update of the Sobig worm, but the code continues to pose a threat.

Eleventh-hour efforts by security experts, Internet service providers and law enforcement apparently blocked the execution of a scheduled updating of the Sobig worm this weekend, but the venerable code continues to pose a threat.

The most recent variant of the worm, Sobig.F, was scheduled to contact servers this past Friday and Sunday to get an address, from which it would download additional instructions. At least 19 of 20 compromised computers identified as Sobig servers were taken offline or blocked, foiling the attempt. The remaining computer apparently was swamped by the traffic and was unable to upload its instructions.

But "Sobig isn't over yet," said Ken Dunham, malicious code intelligence manager at iDefense Inc. of Reston, Va. "The worm is still spreading rapidly."

The worm's instructions call for it to continue trying to connect with compromised servers each Friday and Sunday between 3 p.m. and 6 p.m. EST until Sept. 10. That means four more attempts are likely, although Dunham said he is confident those attempts also will be defeated.

"Sobig is not your average worm," Dunham said. Since its first appearance in January, each succeeding variant has had more features and tricks than the predecessor versions. Based on this persistence, "I would expect to see new variants appear at or about the Sept. 10 kill date," he said.

The present version is extremely noisy, generating large volumes of e-mail in its efforts to spread itself. A handful of infected computers have generated 500,000 e-mail messages over a period of a few hours, Dunham said.

To foil the worm, security experts recommend that computer users keep antivirus software updated, use firewalls, patch vulnerabilities and keep abreast of new releases. The worm uses outbound User Datagram Protocol (UDP) port 8998 to try to connect with its servers and listens on UDP ports 995 through 999 for updates from its controller. Blocking these ports can help cut off the worm.
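The port and schedule details above are enough to build a simple defender-side check. The following is an added example, not code from the article or from iDefense: it scans constructed firewall log lines for the two halves of the worm's update channel (outbound UDP to port 8998, inbound UDP to ports 995 through 999), notes whether each hit falls in the Friday/Sunday 3 p.m. to 6 p.m. Eastern window the article describes, and emits the corresponding blocking rules. The log format, the sample lines and the assumption that timestamps are already in Eastern time are all constructed for this example.

```python
"""Detection and mitigation helpers for the Sobig.F update channel described
in the article: the worm sends outbound UDP to port 8998 to reach its
servers and listens on UDP ports 995-999 for instructions, trying on
Fridays and Sundays between 3 p.m. and 6 p.m. Eastern.

Everything here is an added example. The log format and sample lines are
constructed; timestamps are assumed to already be in Eastern time.
"""
from datetime import datetime

SOBIG_OUTBOUND_PORT = 8998             # worm -> server polls
SOBIG_LISTEN_PORTS = range(995, 1000)  # server -> worm updates (995..999)
SCHEDULED_DAYS = {4, 6}                # datetime.weekday(): Friday=4, Sunday=6
SCHEDULED_HOURS = range(15, 18)        # 15:00 up to, not including, 18:00

# Constructed format: "<date> <time> <in|out> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-22 15:05 out udp 10.0.0.15:1057 -> 198.51.100.7:8998
2003-08-22 15:06 in  udp 198.51.100.7:8998 -> 10.0.0.15:996
2003-08-22 15:09 out udp 10.0.0.15:1058 -> 203.0.113.9:53
2003-08-23 10:12 out tcp 10.0.0.22:2231 -> 198.51.100.7:8998
2003-08-25 09:30 out udp 10.0.0.22:1060 -> 198.51.100.7:8998
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    date, time, direction, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
        "direction": direction,
        "proto": proto.lower(),
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "dport": int(dport),
    }


def in_scheduled_window(when):
    """True if the timestamp falls in the worm's Friday/Sunday 3-6 p.m. slot."""
    return when.weekday() in SCHEDULED_DAYS and when.hour in SCHEDULED_HOURS


def classify(event):
    """Return a reason string if the event matches the Sobig pattern, else None."""
    if event["proto"] != "udp":
        return None  # the update channel is UDP only; TCP to 8998 is something else
    if event["direction"] == "out" and event["dport"] == SOBIG_OUTBOUND_PORT:
        return "outbound poll to Sobig update server"
    if event["direction"] == "in" and event["dport"] in SOBIG_LISTEN_PORTS:
        return "inbound traffic to Sobig listener port"
    return None


def find_sobig_events(log_text):
    """Scan a log and return matching events with the schedule-window flag.

    The infected host is the source of an outbound poll and the destination
    of an inbound update. Off-schedule hits are still reported, since a
    host talking on these ports at any time deserves a look.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reason = classify(event)
        if reason is None:
            continue
        host = event["src_ip"] if event["direction"] == "out" else event["dst_ip"]
        findings.append({
            "when": event["when"],
            "host": host,
            "reason": reason,
            "in_window": in_scheduled_window(event["when"]),
        })
    return findings


def blocking_rules():
    """iptables rules that cut off both directions of the update channel.

    Scoped to UDP so TCP/995 (POP3 over TLS) is left untouched.
    """
    first, last = SOBIG_LISTEN_PORTS[0], SOBIG_LISTEN_PORTS[-1]
    return [
        f"iptables -A OUTPUT -p udp --dport {SOBIG_OUTBOUND_PORT} -j DROP",
        f"iptables -A INPUT -p udp --dport {first}:{last} -j DROP",
    ]


if __name__ == "__main__":
    for f in find_sobig_events(SAMPLE_LOG):
        flag = "in scheduled window" if f["in_window"] else "outside scheduled window"
        print(f"{f['when']:%Y-%m-%d %H:%M} {f['host']}: {f['reason']} ({flag})")
    print("\n".join(blocking_rules()))
```

On the sample log this flags three events: the Friday-afternoon poll and the reply to port 996 on 10.0.0.15 (both inside the scheduled window) and a Monday-morning poll from 10.0.0.22 (outside it). The TCP line to port 8998 and the DNS query are ignored. The blocking rules are restricted to UDP because port 995 over TCP carries POP3S for legitimate mail clients.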

Dunham speculated that whoever has released and rereleased Sobig is doing so with a purpose, not just seeking bragging rights.

"The motive behind the Sobig worm is apparently different from others," he said. "It appears the motives are for illegal purposes. We expect further variants will be seen in the wild."

William Jackson writes for Government Computer News