A SoBig surprise this afternoon?

The SoBig.F worm that infected hundreds of thousands of computers around the world this week apparently carries an encrypted payload set to activate this afternoon. What the results will be, however, experts cannot say.

'Unfortunately, we don't know what this thing will be that is set to be downloaded,' said Dee Liebenstein, group product manager for Symantec Security Response, a part of Symantec Corp. of Cupertino, Calif. 'That is a mystery to us.'

The worms are set to synchronize themselves from a central time source and execute the payload code at 3 p.m. Eastern time, noon Pacific time. Each worm will contact one of 20 computers in the United States, Canada and South Korea and receive a Web address from which infected computers will download and run a program.

'These 20 machines seem to be typical home PCs, connected to the Internet with always-on digital subscriber line connections,' said Mikko Hypponen, director of antivirus research at F-Secure Corp. of Finland. 'Most likely, the party behind SoBig.F has broken into these computers, and they are now being misused.'

Hypponen said that although the worm's payload has been decrypted, researchers have not been able to find the target Web address and examine the program to be downloaded.
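The activation mechanism described above (clock synchronization from a central time source, then a request to one of 20 hard-coded master servers for a download address) gives network defenders a concrete indicator: an internal host that reaches out to any listed master server, especially close to the trigger time, is a likely infection. The following Python script is an added illustration, not code from the original article or from Symantec or F-Secure; the master-server addresses, the firewall log format and the activation date are constructed placeholders, since the article does not list the real addresses.

```python
"""Flag internal hosts that contact a hard-coded "master server" list
near a known activation time. Added example; all data below is constructed."""
from datetime import datetime, timedelta, timezone

# PLACEHOLDER master-server list (RFC 5737 documentation addresses).
# The real 20 addresses are not given in the article.
MASTER_SERVERS = {"192.0.2.10", "192.0.2.11", "198.51.100.5"}

# 3 p.m. Eastern (EDT) is 19:00 UTC; the date is an assumption for the sample.
ACTIVATION_UTC = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)
DEFAULT_WINDOW = timedelta(minutes=30)

# Constructed firewall log: "<ISO timestamp> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2003-08-22T18:31:05Z 10.1.4.23 -> 192.0.2.10:8998 ALLOW
2003-08-22T18:59:58Z 10.1.4.23 -> 198.51.100.5:8998 ALLOW
2003-08-22T19:00:03Z 10.1.7.81 -> 192.0.2.11:8998 DENY
2003-08-22T19:02:40Z 10.1.9.14 -> 203.0.113.77:80 ALLOW
2003-08-22T17:10:00Z 10.1.2.2 -> 192.0.2.10:8998 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            src, dst, int(port), action)


def suspected_infections(log_text, master_servers=MASTER_SERVERS,
                         activation=ACTIVATION_UTC, window=DEFAULT_WINDOW):
    """Return {src_host: [timestamps]} for hosts that contacted a listed
    master server. With a window, only contacts within +/- window of the
    activation time count; window=None keeps every contact, because the
    list is hard-coded and any contact at all is worth a look.
    Denied connections count too: the attempt itself is the indicator."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, _action = parse_line(line)
        if dst not in master_servers:
            continue
        if window is not None and abs(ts - activation) > window:
            continue
        hits.setdefault(src, []).append(ts)
    return hits


def triage_order(hits):
    """Hosts sorted by number of contacts, most active first, for follow-up."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))


if __name__ == "__main__":
    near = suspected_infections(SAMPLE_LOG)
    for host in triage_order(near):
        print(host, [t.strftime("%H:%M:%SZ") for t in near[host]])
    print("all-time contacts:", sorted(suspected_infections(SAMPLE_LOG, window=None)))
```

The time window is only a prioritization aid: the third function call in the script shows that dropping it also surfaces a host that contacted a listed server hours earlier, which in practice is the more important list, since the worm's server addresses do not change with the clock.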

'There are efforts underway to shut down these master servers,' Liebenstein said.

Because the infected computers are widely distributed geographically and it is not known what functions they are performing, shutting them down is not simple.

Representatives of the Homeland Security Department and the CERT Coordination Center at Carnegie Mellon University were not available for comment.

Although SoBig.F is generating huge volumes of unwanted e-mail and clogging networks in its effort to spread, infection has not been unusually rapid or widespread, Liebenstein said.

At the peak of the Klez.H worm outbreak, Symantec received 4,516 infection reports on one day. BugBear.B generated 4,812 submissions on one day. 'SoBig has peaked at 1,800 submissions per day,' Liebenstein said. 'It's creating a lot of e-mail, but we're not seeing as many submissions.'

Symantec offers a free scanning tool to determine whether a computer is infected by SoBig, and a free tool to clean infected machines.

About the Author

William Jackson is a Maryland-based freelance writer.
