Sober variant causes new security hangover
By Matt Whipp
Posted on 24 Nov 2005 at 16:27
The latest virus epidemic continues apace, with F-Secure raising its threat-level to one, and Sophos reporting that more than 5 per cent of email traffic is infected by the latest variant of the Sober worm.
Sophos' numbers have actually risen on the count it gave for the worm in the first few hours when it was seeded - already a figure of more than one per cent.
The worm arrives in a variety of guises, purporting to have attached pictures of Paris Hilton and Nicole Richie, or claiming to have been sent by the FBI, CIA or German authorities, with evidence of its monitoring the recipient's Internet activities in the attachment.
What's confounding about this worm is that many predicted the age of mass epidemics was past and that virus writers were now concentrating on the financial rewards associated with extortion through DoS attacks, fraud through phishing campaigns and the like.
But the new versions of Sober don't appear to have any payload other than to spread themselves. Even more flummoxing is that by all accounts the author has already attracted enough attention from the authorities, with the German police having accurately predicted the launch of another Sober variant last week. So impersonating the German police, the FBI and the CIA in the most high-profile and widespread virus epidemic seems at the very least foolhardy.
Yet despite the media coverage the figures keep rising. Finnish security company F-Secure yesterday raised the threat category for Sober to Radar level one - its highest.
This too is odd. Customers of both F-Secure and Sophos were already protected. Virus signatures they had already issued to their customers would detect the worm and block it out. The same goes for McAfee. As it does for ZoneAlarm.
F-Secure's Mikko Hyppönen thinks that the problem might be viruses actually deleting antivirus products from computers they infect. 'There still are computers that are rarely updated - or which have been protected by an antivirus, but which at some stage got hit with a virus that removes the antivirus from the system for good. Most of the really widespread viruses have this as a standard feature nowadays ... viruses like Mytob, Bagle and Mydoom.'
So security on the desktop may no longer be just about checking you're up to date with your antivirus software; it's also about checking your antivirus software is still there.
