
Netcore Newsletter
   
December 2005
  News
+ 'Spam' e-mail filters getting better: FTC

+ Chinese hackers attack U.S. Military

+ Security worries threaten Christmas web spending

+ Scientists, be on guard ... ET might be a malicious hacker

+ Browser developers team up on security
 
  Featured Article
This month's article carries a story on Rajesh Jain featured in the Dec 18, 2005 issue of Business Today.

Rajesh Jain's Ecosystem
The entrepreneur is tech's weathervane

One way to find out which way technology is headed is to keep an eye on Rajesh Jain. The man has been there (ahead of time, actually), done that. He built a cluster of sites, such as samachar.com, khel.com and khoj.com in the very early days of the internet (1994) and sold them to Sify for $115 million (Rs.499 crore at the then exchange rate) in 1999. Jain hasn't been sitting back and taking it easy since (although he has managed to keep a low profile). He has been ideating, investing and launching new ventures.

Today, there are seven such, each of which is a bet on tech's next big thing. Jain likes to call this the Emergic ecosystem. Emergic is the man's term for disruptive innovations in computing that can bridge the digital divide.


  Emergic CleanMail Security Update

Spam Statistics
86.38% of mails for corporate India were spam for the month of November, which is an all-time high. Overall, 72.44% of mails were blocked by RBL.

Latest Virus
W32.Beagle.CQ@mm

W32.Beagle.CQ@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of another threat, Trojan.Lodear.D. The worm also opens a back door on the compromised computer using TCP port 80 and lowers security settings. The worm is rarely found in the wild and has medium distribution and damage capabilities.

Top 5 viruses in India

a) W32/Mytob.NA@mm - 16.06 %

b) W32/Netsky.P@mm - 14.63 %

c) W32/Sober.Z@mm - 14.33 %

d) W32/Mytob.BH@mm - 4.25 %

e) W32/Zafi.D@mm - 3.33 %


'FBI-Paris Hilton' worm, year's worst outbreak

Sober.Z is spreading fast on the Internet in the form of what appears to be an official e-mail from the CIA or FBI, and it can leave your computer wide open to intruders. Netcore's Security Response team has the solution.

Got the FBI/CIA mail? Or a greeting from an unexpected friend? If yes, then you are probably one of the millions of victims of the latest virus outbreak, and this certainly proves that your corporate network is not safe. On Monday, 21st Nov 2005, a major new variant of Sober hit the Internet and doubled email traffic worldwide.

Sober.Z is not the only variant in the Sober series, and this was not the first massive outbreak. Still, taming this worm was very important for us, as it had already managed to infect many other machines on the Internet and the rate of traffic we were receiving was tremendous. As with other recent variants of the Sober worm, Sober.Z used a number of different subject lines and message bodies. Spoofed email addresses suggest that the attachment was sent by a government authority such as the FBI or CIA, and the message requests that the attachment be opened to verify charges brought against the email's recipient. Examples of Sober.Z subject lines include:

-- "Your IP was Logged"
-- "hi, ive a new mail address"
-- "You visit illegal web sites"
-- "Paris Hilton & Nicole Richie"
-- "Registration confirmation"

The e-mail informs the recipient that the user's "IP-address" has accessed more than 30 illegal Web sites and that the attachment contains a list of questions that need to be answered. The e-mail also includes an authentic phone number for the FBI or CIA.

How Emergic CleanMail tamed it
Emergic CleanMail, software that filters e-mails, stopped half a million copies of Sober-infected e-mails in the first 24 hours after the virus began circulating. One in every five mails carried a Sober payload. Although our anti-virus engines had started detecting the worm, our top priority was still ensuring the smooth and effective flow of genuine mails. At the first hit itself, our emergency response team realised that the best way out was to start blocking the virus at the connection level for smoother email flow. With the help of our custom-developed Repeat pattern analysis engine, we identified the repeated patterns of the virus mails and subsequently started throttling mails having those patterns. This not only helped us reduce the influx but also slowed down the zombie machines pumping in the worms.

Within 30 minutes of the first hit on our servers, we managed to make the virus outbreak absolutely ineffective, safeguarding our customers. Genuine mails were not hampered by the influx. Our users were not only protected from the new virus outbreak but also saved bandwidth compared to those whose mail traffic hit their corporate servers directly. This ensured the safety and continuity of their mail and of the other applications that depend on the Internet.

After this massive outbreak we are not only protecting 50,000 mailboxes but are also confident about taking on similar outbreaks in the future.
IT managers were advised to actively monitor their outbound email traffic for evidence that they have been infected by Sober-Z, and not just rely on a firewall. "It's certainly a challenge for organisations to control email traffic just by using a firewall. IT managers can manage this particular outbreak by protecting HTTP and SMTP traffic," - ECM Team
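The repeat-pattern throttling described above can be sketched as follows. This is an added example, not Netcore's engine or code: the fingerprint fields, the window, the threshold and the sample messages are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed sliding window
REPEAT_THRESHOLD = 3   # assumed: repeats within the window before throttling

def fingerprint(subject, attachment_name, attachment_size):
    """Coarse pattern: normalised subject, attachment extension, 1 KiB size bucket."""
    name = attachment_name.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return (" ".join(subject.lower().split()), ext, attachment_size // 1024)

class RepeatPatternThrottle:
    def __init__(self, window=WINDOW_SECONDS, threshold=REPEAT_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(deque)   # fingerprint -> (timestamp, source_ip) hits
        self.throttled_ips = set()

    def observe(self, ts, source_ip, subject, attachment_name, attachment_size):
        """Return 'accept' or 'throttle' for one incoming message."""
        if source_ip in self.throttled_ips:
            return "throttle"            # decided at connection level, before scanning
        if not attachment_name:
            return "accept"              # this sketch only tracks mails with attachments
        hits = self.seen[fingerprint(subject, attachment_name, attachment_size)]
        hits.append((ts, source_ip))
        while ts - hits[0][0] > self.window:
            hits.popleft()               # forget hits older than the window
        sources = {ip for _, ip in hits}
        # The same pattern from several unrelated hosts in a short time looks like a
        # worm run, not one sender's mailing, so every host that sent it is throttled.
        if len(hits) >= self.threshold and len(sources) >= 2:
            self.throttled_ips |= sources
            return "throttle"
        return "accept"

# Constructed sample traffic (documentation IP ranges; attachment names are invented).
SAMPLE = [
    (0, "192.0.2.10", "Your IP was Logged", "list.zip", 56320),
    (5, "198.51.100.7", "Quarterly report", "q3.pdf", 120000),
    (20, "203.0.113.5", "your ip was  logged", "LIST.ZIP", 56400),
    (40, "198.51.100.23", "Your IP was Logged", "list.zip", 56330),
    (60, "192.0.2.10", "Registration confirmation", "reg.zip", 56320),
    (90, "198.51.100.7", "Minutes of meeting", "mom.doc", 30000),
]

def run_sample():
    throttle = RepeatPatternThrottle()
    return [throttle.observe(*msg) for msg in SAMPLE]

if __name__ == "__main__":
    print(run_sample())
```

Once a pattern trips the threshold, later connections from the same hosts are throttled regardless of subject line, which is what slows an infected machine that rotates through several subjects.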

The statistics in this report are estimated on the basis of the mail traffic arriving on Netcore's Emergic CleanMail servers, with an average of 1 million mails hitting the servers daily. The statistics represent the mail traffic for corporate Indian clients and do not account for traffic to free email addresses.

  Testimonial

The Netcore Mailing Solution is simple, clean and efficient. We have been using this service for quite some time now and we are very happy with the application and the support provided.

T.P. Anantheswaran
Director - IT
Lee & Muirhead Pvt. Ltd.

  Cast your vote

Most dreadful thing that happened to your PC?

Infected by spyware popping up unsolicited ads.
Infected by a virus which broadcast all my personal data to the internet.
Infected by a virus and my machine was used to relay spam.

 
  Misc
1. Send to a Friend
Did you like our newsletter, or do you think a friend would be interested in it? Forward it to your friend/colleague.

2. How to Subscribe?
To subscribe to our monthly newsletter simply mail to
newsletter@netcore.co.in with the subject as 'Subscribe'.

3. How to Unsubscribe?
If you wish to unsubscribe from our mailing list just reply to this mail with the subject as 'Unsubscribe'.


© Netcore Solutions  www.netcore.co.in  info@netcore.co.in

