While most Internet service providers (ISPs) have been successful in blocking e-mail messages containing the Sobig.F virus, traffic generated by infected machines continues to bombard e-mail servers worldwide and is having a measurable effect on key elements of the Internet infrastructure, experts said.
Sobig.F appeared on Tuesday and spread rapidly across the world through infected e-mail message attachments and unprotected shared folders on computer networks, according to warnings posted by leading antivirus companies.
The worm arrives in e-mail messages with nondescript subjects such as "Re: Thank you!", "Your details" and "Re: wicked screensaver." The worm code is stored in attached executable files with names such as "your_document.pif," "details.pif" and "movie0045.pif," according to F-Secure.
Thanks to a super-efficient SMTP (Simple Mail Transfer Protocol) engine built into the worm, Sobig can send out its own e-mail messages, skimming addresses from files on the computers it infects and targeting them with virus-tinged messages.
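The attachment names above are the indicator a mail gateway acts on. The following is an added example, not code from the article or from any vendor it quotes, of the kind of attachment check a gateway applies: it parses a raw message, walks its MIME parts and flags any attachment whose extension is on a block list. The extension list, the sample message and the addresses in it are constructed for the example; the attachment bytes are dummy data, not worm code.

```python
import email
from email import policy
from email.message import EmailMessage

# Executable extensions to block outright: the .pif names the article cites plus
# the usual Windows executables. This list is an assumption for the example,
# not any provider's actual rule set.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".com", ".cmd", ".vbs"}


def executable_attachments(raw_message: bytes) -> list:
    """Return the filenames of attachments whose extension is in BLOCKED_EXTENSIONS.

    get_filename() reads both Content-Disposition filename= and Content-Type name=,
    so a part that carries the name in either header is caught. The extension is
    taken after the last dot and lower-cased, so "details.txt.PIF " still matches.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        name = part.get_filename()
        if not name:
            continue
        name = name.strip()
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def should_block(raw_message: bytes) -> bool:
    """Gateway decision: reject the message if it carries any blocked attachment."""
    return bool(executable_attachments(raw_message))


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message shaped like the ones the article describes."""
    m = EmailMessage()
    m["From"] = "someone@example.com"   # harvested/spoofed sender, as in the worm's mail
    m["To"] = "victim@example.org"
    m["Subject"] = subject
    m.set_content("See the attached file.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples: one Sobig-shaped message, one benign message with the same subject.
SOBIG_LIKE = build_sample("Re: Thank you!", "your_document.pif", b"MZ dummy bytes")
BENIGN = build_sample("Re: Thank you!", "notes.txt", b"plain text")

if __name__ == "__main__":
    for label, raw in (("sobig-like", SOBIG_LIKE), ("benign", BENIGN)):
        print(label, "block" if should_block(raw) else "pass", executable_attachments(raw))
```

The check keys on the attachment extension rather than the subject line because subjects are trivially varied; a real gateway would pair it with content-type sniffing of the attachment bytes, since the extension is under the sender's control.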
That has resulted in a massive increase in e-mail traffic to leading ISPs like America Online Inc. (AOL).
The Dulles, Virginia, company scanned about 38 million e-mail messages Thursday, four times the normal volume for August, according to spokesman Nicholas Graham.
Of those 38 million e-mail messages, almost 22 million were infected with the Sobig.F virus, Graham said.
"This is the fastest spreading e-mail virus we've ever seen impacting the Internet," he said.
But AOL has been able to limit the effect of that surge on its users, Graham said.
The company updated its virus definitions Tuesday morning to block Sobig-infected attachments and is blocking about 75 percent of the collateral e-mail traffic generated by Sobig: the automated bounce messages that e-mail gateways return to whatever addresses Sobig.F placed in the "From" line of its messages.
AOL has not seen a slowdown in the performance of its e-mail servers or on its network service, Graham said.
While Sobig and other recent worms like Blaster haven't caused massive disruptions, they have produced a measurable degradation in the Internet's performance, according to Andy Ogielski, president and chief scientist at Renesys Corp. of Hanover, New Hampshire, which monitors the Internet's routing infrastructure.
Since the emergence of Blaster on August 11, Renesys has seen a raised level of routing failures, particularly on smaller "edge networks," far away from the high-capacity Internet backbones, Ogielski said.
While the network failures are not comparable to the disruptions caused by recent events like the Northeast blackout on August 14 or the SQL Slammer worm in January, they are noticeable, he said.
"It's like a slow boiling over," Ogielski said.
At VeriSign Inc., which maintains two of the Internet's critical DNS root servers, Sobig's impact has been easier to measure.
The virus is programmed to send mail exchange (or "MX") record requests for domains targeted by Sobig e-mail directly to the "A" root server that VeriSign maintains, rather than to a local DNS server close to the infected machine, VeriSign said.
VeriSign saw a 20-fold increase in MX record requests sent to the A server on August 19, shortly after Sobig.F surfaced, according to John Ferguson, director of marketing for the security services division at VeriSign.
That traffic surge has remained more or less constant since Tuesday and was still at 75 percent of the peak traffic level measured on Friday, Ferguson said.
That translates into "tens of thousands" of MX record requests per second, he said.
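The behaviour VeriSign describes, an infected host sending MX lookups straight to a root server instead of to its local resolver, is visible from inside a network as well as at the root. The following is an added example, not code from the article or from VeriSign, of a detection that reads a simple per-query DNS log and reports hosts that bypass the local resolver to query a root server directly. The log format, the internal addresses and the resolver address are constructed assumptions; 198.41.0.4 is the real address of a.root-servers.net, and a deployment would load the full root set from the root hints file rather than hard-coding one entry.

```python
from collections import defaultdict

# a.root-servers.net. In production, load every root address from the hints file
# (named.root); one entry is enough to show the logic.
ROOT_SERVER_IPS = {"198.41.0.4"}

# The site's own recursive resolver(s). Assumed address for the example; internal
# hosts should send DNS to nothing else, so any other destination is a bypass.
LOCAL_RESOLVERS = {"10.0.0.53"}

# Constructed sample log, one query per line: "<epoch> <src> <dst> <qtype> <qname>".
# 10.0.1.42 behaves like a Sobig.F host, 10.0.1.99 sends a single stray NS query,
# 10.0.0.53 is the resolver doing its legitimate job.
SAMPLE_LOG = """\
1061308800 10.0.1.17 10.0.0.53 MX example.com
1061308801 10.0.1.42 198.41.0.4 MX aol.com
1061308801 10.0.1.42 198.41.0.4 MX hotmail.com
1061308802 10.0.1.42 198.41.0.4 MX yahoo.com
1061308802 10.0.1.42 198.41.0.4 MX msn.com
1061308803 10.0.1.17 10.0.0.53 A www.example.org
1061308804 10.0.1.99 198.41.0.4 NS .
1061308805 10.0.0.53 198.41.0.4 NS .
"""


def parse_line(line):
    """Split one log line into (epoch, src, dst, qtype, qname)."""
    ts, src, dst, qtype, qname = line.split(maxsplit=4)
    return int(ts), src, dst, qtype.upper(), qname


def root_queries_by_host(log_text, root_ips=ROOT_SERVER_IPS, resolvers=LOCAL_RESOLVERS):
    """Per source host, count DNS queries sent straight to a root server, by query type.

    The local resolvers are excluded: talking to the roots is their job.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, qtype, _ = parse_line(line)
        if src in resolvers or dst not in root_ips:
            continue
        counts[src][qtype] += 1
    return {src: dict(per_type) for src, per_type in counts.items()}


def suspect_hosts(log_text, min_mx=3, **kw):
    """Hosts sending at least min_mx MX lookups directly to a root server.

    MX lookups are what a mail-sending engine needs to find its targets' mail
    servers, which is why the article's root-server signal is MX traffic. A lone
    NS or priming query is more likely a misconfigured client than a worm, so it
    is reported by root_queries_by_host but does not cross the threshold here.
    """
    per_host = root_queries_by_host(log_text, **kw)
    return sorted(h for h, q in per_host.items() if q.get("MX", 0) >= min_mx)


if __name__ == "__main__":
    print(root_queries_by_host(SAMPLE_LOG))
    print("suspect hosts:", suspect_hosts(SAMPLE_LOG))
```

Any internal host appearing in the per-host table is worth a look regardless of type, since nothing but the resolver should reach a root server; the MX threshold simply ranks the hosts that match the worm's pattern first.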
"We think (Sobig.F) is having a global impact just judging from the excess volumes of messages that are being sent and the unique way that they interact with the root server we manage," Ferguson said.
The increase in traffic is within the bounds of what the A server is capable of handling and hasn't produced any noticeable effect on the performance of the DNS system, he said.
Nor has the attack spilled over to affect other DNS root servers, such as the "J" root server, which is also maintained by the Mountain View, California, company.
Still, by analyzing the Sobig.F traffic it has received, VeriSign estimates that "thousands" of networks are infected with the virus.
"A lot of users and networks out there are struggling to contain it," Ferguson said.
Despite the steady level of Sobig traffic over the past week, VeriSign expects the virus to begin trailing off in advance of its scheduled expiration date on September 10, as corporations get infected systems patched and back under control.
"How drastically it declines and how long it takes to get there -- we'll have to wait and see," Ferguson said.