FBI fingered for new Sober virus
By Matt Whipp
Posted on 22 Nov 2005 at 17:43
A new variant of the Sober virus has ired the FBI, with claims it was sent by one of its agents.
The latest twist in this worm's long tail seems particularly audacious in that the authorities already appear to be closing in on the author.
Earlier this month the Bavarian police claimed to have intercepted information which led them to believe new versions of the Sober worm would be released the following day. And they were right.
This latest Sober worm will no doubt put the FBI on the author's case as well. It claims to have been sent by an FBI agent with the message:
'We have logged your IP-address on more than 30 illegal Websites.
Important: Please answer our questions! The list of questions are attached.
Yours faithfully,
Steven Allison
Federal Bureau of Investigation-FBI-
935 Pennsylvania Avenue, NW , Room 3220 Washington , DC 20535
Phone: (202) 324-30000'
That 'list' of questions is attached as a .zip file and in fact contains the virus. Should the recipient open the attachment, the worm copies itself to the hard drive and then scours the system for email addresses to which it can send itself.
The FBI responded on its website: 'These e-mails did not come from the FBI. Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner ... The FBI takes this matter seriously and is investigating. While the address and phone number for the FBI is correct in the email, users receiving e-mails of this nature are encouraged to report it to the Internet Crime Complaint Center via http://www.ic3.gov.'
Graham Cluley, senior technology consultant with UK security company Sophos, claimed the author's actions are tantamount to 'poking a grizzly bear with a sharp stick'.
The virus is being spread in phenomenal numbers. Cluley said that his current figures have the new variant accounting for 65 per cent of email virus traffic and one in 75 of all emails.
This throws up a baffling problem. Sophos is already detecting this virus with a generic signature issued. McAfee detects it with definitions issued a week ago for the last set of Sober variants. So does F-Secure. So how is it possible that the Internet seems awash with instances of this virus, if most people are already protected against it? Cluley told us it may be that other antivirus companies' signatures did not already detect it. It could also be that the traffic being detected is simply the result of infected emails being spammed out in order to seed an epidemic, rather than evidence of infected systems.
