The Sobig worm war continues

Eleventh-hour efforts by security experts, Internet service providers and law enforcement apparently blocked the execution of a scheduled updating of the Sobig worm this weekend, but the venerable code continues to pose a threat.

The most recent variant of the worm, Sobig.F, was scheduled to contact servers this past Friday and Sunday to get an address, from which it would download additional instructions. At least 19 of 20 compromised computers identified as Sobig servers were taken offline or blocked, foiling the attempt. The remaining computer apparently was swamped by the traffic and was unable to upload its instructions.

But "Sobig isn't over yet," said Ken Dunham, malicious code intelligence manager at iDefense Inc. of Reston, Va. "The worm is still spreading rapidly."

The worm's instructions call for it to continue trying to connect with compromised servers each Friday and Sunday between 3 p.m. and 6 p.m. EST until Sept. 10. That means four more attempts are likely, although Dunham said he is confident those attempts also will be defeated.

"Sobig is not your average worm," Dunham said. Since its first appearance in January, each succeeding variant has had more features and tricks than the predecessor versions. Based on this persistence, "I would expect to see new variants appear at or about the Sept. 10 kill date," he said.

The present version is extremely noisy, generating large volumes of e-mail in its efforts to spread itself. A handful of infected computers have generated 500,000 e-mail messages over a period of a few hours, Dunham said.

To foil the worm, security experts recommend computer users keep antivirus software updated, use firewalls, patch vulnerabilities and keep abreast of new releases. The worm uses outbound User Datagram Protocol Port 8998 to try to connect with servers and listens to UDP ports 995 through 999 for updates from its controller. Blocking these ports can help to cut off the worm.

Dunham speculated that whoever has released and rereleased Sobig is doing so with a purpose, not just seeking bragging rights.

"The motive behind the Sobig worm is apparently different from others," he said. "It appears the motives are for illegal purposes. We expect further variants will be seen in the wild."

William Jackson writes for Government Computer News

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here


  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Our databases track awards back to 2013. Read More

  • Navigating the trends and issues of 2016 Nick Wakeman

    In our latest WT Insider Report, we pull together our best advice, insights and reporting on the trends and issues that will shape the market in 2016 and beyond. Read More

contracts DB

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.