The war on worms inches forward
- By William Jackson, Wilson P. Dizard III
- Aug 29, 2003
'I am confident that we will find the culprits.'
'FBI Director Robert S. Mueller III
As agencies sopped up the mess from recent rolling worm attacks, the FBI asked for help from the public in tracking down the creators of the virus-bearing bugs.
'We employ the latest technology and code analysis to direct us to potential sources, and I am confident that we will find the culprits,' FBI director Robert S. Mueller III said last week.
The FBI's Cyber Task Force is working with the Homeland Security Department and with state and local law enforcement to track down the perpetrators of the SoBig and MSBlaster worms.
'Protecting the nation's cyberinfrastructure is a top priority for the FBI,' Mueller said.
Eleventh-hour efforts by security experts, Internet service providers and law enforcement apparently blocked the execution of a scheduled updating of the SoBig worm, but the code continues to pose a threat.
The most recent variant of the worm, SoBig.F, was scheduled to contact servers Friday, Aug. 22, and Sunday, Aug. 24, to get an address from which it would download additional instructions. At least 19 of 20 computers identified as compromised servers were taken offline or blocked, foiling the attempt. The remaining computer apparently was swamped by the traffic and was unable to upload its instructions.
But 'SoBig isn't over yet,' said Ken Dunham, malicious code intelligence manager at iDefense Inc. of Reston, Va. 'The worm is still spreading rapidly.'
The worm's instructions call for it to continue trying to connect with compromised servers each Friday and Sunday between 3 p.m. and 6 p.m. EDT until Sept. 10. That means more attempts are likely, although Dunham said he is confident those attempts also will be defeated.
'SoBig is not your average worm,' Dunham said. Since its first appearance in January, each succeeding variant has had more features and tricks than the predecessor versions.
The current version is extremely noisy, generating large volumes of e-mail in its efforts to spread itself. A handful of infected computers have generated 500,000 e-mail messages over a period of a few hours, Dunham said.
To foil the worm, security experts recommend computer users keep antivirus software updated, use firewalls, patch vulnerabilities and keep abreast of new releases. The worm uses outbound User Datagram Protocol Port 8998 to try to connect with servers and listens to UDP ports 995 through 999 for updates from its controller. Blocking these ports can help to cut off the worm.
Dunham speculated that whoever has released and rereleased SoBig is doing so with a purpose, not just seeking bragging rights.
'The motive behind the SoBig worm is apparently different from others,' he said. 'It appears the motives are for illegal purposes. We expect further variants will be seen in the wild.'
William Jackson is freelance writer and the author of the CyberEye blog.