Sobig having measurable effect on Internet

While most Internet service providers (ISPs) have been successful in blocking e-mail messages containing the Sobig.F virus, traffic generated by infected machines continues to bombard e-mail servers worldwide and is having a measurable effect on key elements of the Internet infrastructure, experts said.

Sobig.F appeared on Tuesday and spread rapidly across the world through infected e-mail message attachments and unprotected shared folders on computer networks, according to warnings posted by leading antivirus companies.

The worm arrives in e-mail messages with nondescript subjects such as "Re: Thank you!" "Your details" and "Re: wicked screensaver." The worm code is stored in attached executable files with names such as "your_document.pif," "details.pif" and "movie0045.pif," according to F-Secure.

Thanks to a super-efficient SMTP (Simple Mail Transfer Protocol) engine built into the worm, Sobig can send out its own e-mail messages, skimming addresses from files on the computers it infects and targeting them with virus-tinged messages.

That has resulted in a massive increase in e-mail traffic to leading ISPs like America Online Inc. (AOL).

The Dulles, Virginia, company scanned about 38 million e-mail messages Thursday, four times the normal volume for August, according to spokesman Nicholas Graham.

Of those 38 million e-mail messages, almost 22 million were infected with the Sobig.F virus, Graham said.

"This is the fastest spreading e-mail virus we've ever seen impacting the Internet," he said.

But AOL has been able to limit the effect of that surge on its users, Graham said.

The company updated its virus definitions Tuesday morning to block Sobig-infected attachments and is blocking about 75 percent of the collateral e-mail traffic generated by Sobig, as e-mail gateways return automated messages to e-mail addresses that appeared in the "From" line of Sobig.F messages.

AOL has not seen a slowdown in the performance of its e-mail servers or on its network service, Graham said.

While Sobig and other recent worms like Blaster haven't caused massive disruptions, they have produced a measurable degradation in the Internet's performance, according to Andy Ogielski, president and chief scientist at Renesys Corp. of Hanover, New Hampshire, which monitors the Internet's routing infrastructure.

Since the emergence of Blaster on August 11, Renesys has seen a raised level of routing failures, particularly on smaller "edge networks," far away from the high-capacity Internet backbones, Ogielski said.

While the network failures are not comparable to the disruptions caused by recent events like the Northeast blackout on August 14 or the SQL Slammer worm in January, they are noticeable, he said.

"It's like a slow boiling over," Ogielski said.

At VeriSign Inc., which maintains two of the Internet's critical DNS root servers, Sobig's impact has been easier to measure.

The virus is programmed to send mail exchange (or "MX") record requests for domains targeted by Sobig e-mail directly to the "A" root server that VeriSign maintains, rather than to a local DNS server close to the infected machine, VeriSign said.

VeriSign has saw a 20-fold increase in MX record requests sent to the A server on August 19, shortly after Sobig.F surfaced, according to John Ferguson, director of marketing for the security services division at VeriSign.

That traffic surge has remained more or less constant since Tuesday and was still at 75 percent of the peak traffic level measured on Friday, Ferguson said.

That translates into "tens of thousands" of MX record requests per second, he said.

"We think (Sobig.F) is having a global impact just judging from the excess volumes of messages that are being sent and the unique way that they interact with the root server we manage," Ferguson said.

The increase in traffic is within the bounds of what the A server is capable of handling and hasn't produced any noticeable affect on the performance of the DNS system, he said.

Nor has the attack spilled over to affect other DNS root servers, such as the "J" root server, which is also maintained by the Mountain View, California company.

Still, by analyzing the Sobig.F traffic it has received, VeriSign estimates that "thousands" of networks are infected with the virus.

"A lot of users and networks out there are struggling to contain it," Ferguson said.

Despite the steady level of Sobig traffic over the past week, VeriSign expects the virus to begin trailing off in advance of its scheduled expiration date on September 10, as corporations get infected systems patched and back under control.

"How drastically declines and how long it takes to get there -- we'll have to wait and see," Ferguson said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?