Sobig.F Strikes Deep--Into Our Pockets!


The FBI, working with the Department of Homeland Security, says it's hot on the trail of the individual or individuals who released the W32.Sobig.F worm on August 19, 2003. According to their investigation, Sobig.F was introduced onto a pornographic newsgroup in Arizona over the previous weekend. The identity of the perpetrator was hidden by a bogus email account that was purchased with a stolen credit card.

What's It Really All About?

Meanwhile, speculation about the purpose of Sobig.F now leans away from terrorist activities and toward a money-making scheme. Investigators who have examined the code have concluded that Sobig.F was designed specifically to identify and infect vulnerable computers so that these same machines could later be used as proxies to proliferate spam. The authors of Sobig.F could then broadcast junk email messages at will, allowing them to sell their service to the underground network of spamming advertisers. The FBI, in examining the code, has concluded that this was not a "low-budget" worm, but a concerted, well-funded effort to bring the latest technology to the construction of an Internet-aware virus. The design of this distribution network was quite ingenious.

How It Was Supposed to Work

According to a Finland-based virus research team at F-Secure, 20 IP addresses linked to home computers in the United States, Canada, and South Korea were destined to become the innocent and unwitting servers of the next set of instructions to all infected Sobig.F client machines. Though the Sobig.F client machines were set to continue proliferating the Trojan Horse email attachments until September 11, these particular servers were programmed to begin their transmission of new instructions on August 22, 2003 at 3:00 p.m. Authorities in these countries were quickly notified, and they raced to locate and disable these servers' proxies before they could be activated.
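The mechanism described above, a fixed list of server addresses that infected clients contact at a scheduled time, is something a network defender can look for in perimeter logs: an infected host sweeps the whole list within seconds of the activation time, which ordinary user traffic does not do. The following is an added example written for this page, not code from the column or from F-Secure. The log line format, the server addresses (taken from the RFC 5737 documentation ranges, not the real 20 hosts), the port number and the width of the detection window are all constructed assumptions; the activation time is the one the column gives, treated as the log's local time because no time zone is stated.

```python
"""
Defender-side detection sketch for the Sobig.F "update pull" behaviour:
infected clients were to contact a small, fixed set of server IPs at a
scheduled time to fetch further instructions.

Added example, not code from the column or from F-Secure. The log format,
the server IPs (RFC 5737 documentation addresses) and the window size are
constructed for illustration; the real list of 20 hosts is not reproduced.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed stand-ins for the update servers (documentation range, not real hosts).
UPDATE_SERVERS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Activation time from the column: 22 Aug 2003, 3:00 p.m. (time zone not given;
# treated here as the log's local time). Alert on traffic from shortly before
# until a few hours after, since clock skew on infected PCs is common.
ACTIVATION = datetime(2003, 8, 22, 15, 0)
WINDOW_START = ACTIVATION - timedelta(minutes=30)
WINDOW_END = ACTIVATION + timedelta(hours=3)

# Constructed firewall log format:
#   "<ISO timestamp> <proto> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Return (timestamp, proto, src, dst, port) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        ipaddress.ip_address(m["src"])
        ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return ts, m["proto"], m["src"], m["dst"], int(m["port"])


def find_update_beacons(lines, servers=UPDATE_SERVERS,
                        start=WINDOW_START, end=WINDOW_END):
    """Map each internal source IP to the set of update servers it
    contacted inside the activation window."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        ts, _proto, src, dst, _port = rec
        if dst in servers and start <= ts <= end:
            hits.setdefault(src, set()).add(dst)
    return hits


def rank_hosts(hits, min_servers=2):
    """Hosts that touched several of the fixed servers are the strongest
    candidates: a worm iterates its whole list, a user visiting one site
    does not. Returns the sorted list of source IPs meeting the threshold."""
    return sorted(h for h, s in hits.items() if len(s) >= min_servers)


# Constructed sample log: two infected hosts sweep the server list at
# activation, one host touches a server hours before the window, one host
# talks to an unrelated address, and one line is garbage.
SAMPLE_LOG = [
    "2003-08-22T15:00:03 udp 10.0.0.5 -> 192.0.2.10:8998",
    "2003-08-22T15:00:04 udp 10.0.0.5 -> 192.0.2.11:8998",
    "2003-08-22T15:00:05 udp 10.0.0.5 -> 198.51.100.7:8998",
    "2003-08-22T15:01:10 udp 10.0.0.9 -> 192.0.2.10:8998",
    "2003-08-22T15:01:11 udp 10.0.0.9 -> 192.0.2.11:8998",
    "2003-08-22T09:12:00 tcp 10.0.0.20 -> 192.0.2.10:80",
    "2003-08-22T15:02:00 tcp 10.0.0.30 -> 203.0.113.4:443",
    "not a log line",
]

if __name__ == "__main__":
    found = find_update_beacons(SAMPLE_LOG)
    for host in rank_hosts(found):
        print(f"{host}: contacted {len(found[host])} of "
              f"{len(UPDATE_SERVERS)} update servers in the window")
```

The threshold in `rank_hosts` is the part worth tuning: a single connection to one listed address could be a coincidence or a false positive in the address list, whereas a host that walks through two or three of the listed servers within the window is behaving like the worm. In practice the same logic would be fed from the firewall's export rather than an in-memory list, and the resulting hosts would be isolated for cleaning rather than merely printed.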

Meanwhile, at this writing, email security experts are witnessing a decline in the transmission of the bug. At the height of its infectious cycle, AOL estimated that it alone had found 23 million file attachments containing Sobig.F, while worldwide an estimated 1 in every 17 emails contained the Trojan Horse attachments. Today, the ratio is down to 1 in 50.

But security experts and email administrators are bracing for yet another round of Sobig-related spamming attacks. Their logic is simple: Sobig.A was introduced at the beginning of this year, soon followed by Sobig.B, C, D, and E. According to these experts, we can expect another round of attacks soon.

Microsoft in the Trenches

In response to a flood of more than 40,000 support calls about its Windows operating system, Microsoft reported that it pulled out all the stops and even enlisted executives to man the phones. Bill Gates was reported to be personally very concerned about the recent outbreaks, questioning support personnel about their strategies.

Executives within Microsoft must feel particularly chagrined: Microsoft has a $30 million contract with the Department of Homeland Security. Now, this same federal agency is helping the FBI and local officials ferret out the perpetrators of these malicious pathogens.

The previous week, the Blaster.D virus made a mockery of Microsoft's touted Trustworthy Computing Initiative by invading Windows 2003 servers and shutting down businesses, including Air Canada. Subsequently, a second worm called W32.Welchia.Worm--written by a different author--invaded the same machines in an attempt to patch the damage accomplished by Blaster.D.

No sooner had these latest onslaughts subsided than Sobig.F sent Microsoft scrambling once again. All of these worms and viruses had specifically targeted the Windows operating system platforms. Linux, UNIX, and OS/400 servers were not affected. These events conspired to prove the continued vulnerability of Microsoft's Trustworthy Initiative, a real-world test that was catastrophic to administrators and users alike.

More Than a Perception of Vulnerability

Asked if the perception and the reality of Microsoft's security failures is threatening the Microsoft business, Jim Allchin, a vice president of Microsoft's platforms group, said "Yes. . . . I think it threatens business for everyone. It's not a Microsoft statement. I think that customers are afraid that their business is going to be jeopardized by the IT infrastructure, because they're so dependent on computers. That's a huge problem for the entire industry, and it's a huge problem for us. And I take it very, very seriously."

Yet, though Microsoft has already taken substantial steps in improving both the code within Windows and the delivery of patches to existing platforms, according to Allchin, Microsoft is having difficulty communicating these changes and notifying customers of problems. For instance, "...the Internet Connection Firewall is in Windows XP. It's been in there all along.... Why is it that people haven't turned it on? Well, we didn't communicate it well enough, I guess, because it does protect."

Why Isn't Microsoft Responding More Forcefully?

Asked if he believed that anti-virus protection should be included in Windows operating system packages, Allchin was evasive about Microsoft's future strategy: "Some people might say, 'Antivirus, it's obvious you should include it.' Others would say, 'No, that's a business.' Others would say, 'Antivirus is the wrong solution, period. You've got to do an intrusion-detection/prevention system. That's really the answer.' 'Oh, should that be built in?' 'Oh, no.' 'Well, maybe you could charge extra for the enterprise version.' So, different people could have different views."

Asked specifically if Microsoft would release something soon to help remedy the problems of security, Allchin responded, "I don't know."

The Business of Security

Regardless of Microsoft's plans, one statement rings true: The computer security industry is business! Big business! According to Gartner Group, the market for computer-related security is now at $3.8 billion a year and is growing quickly. The fastest-growing sector of that business is in providing security against network-related pathogens like Blaster.D and Sobig.F, viruses that are specific to Microsoft products. Perhaps this is why cash-rich Microsoft continues to purchase new security technologies, possibly aiming them for release in the next version of Windows scheduled for 2005-2006.

Irony of the Virus Analog

Now, consider an irony of circumstance: Computer-related anti-virus efforts--and the costs of repairing the damages inflicted upon users--this year alone will dwarf some nations' entire budgets for research on the human-related HIV virus.

In this country, the National Institute of Health (NIH) has requested a budget of about $27 million, but it's doubtful that Congress will appropriate the full amount. Other countries are spending considerably less. What's wrong with this picture?

Though the thought that a computer virus is "more important" than a human virus may seem quite a stretch to many of my readers, clearly our machines are getting a better deal than their human counterparts.

August's attacks on computers are estimated to have impacted about 40 million individual machines. Two decades of HIV now infect an estimated 52 million individuals. (The Australian Federation of Aids Organisation says that on June 4, 2003, the total reported number of cases of HIV was 52,330,246).

The computing industry has made a mint by co-opting the "virus" analog to describe rogue programming agents. The spam industry is making a mint by propagating these agents into our expensive machinery. Computer anti-virus research teams around the world labor intensely day and night to protect our systems. And, as customers in the virtual world of the Internet, we are obliged to pay them all for their excellent and dedicated efforts. After all, our livelihoods and our businesses rely upon these systems.

But, personally, I would gladly point my anti-virus dollars--or at least some portion of those dollars--in a substantially different direction. And that's why, for me, Microsoft's efforts and claims that they are "doing so much" continue to ring hollow.

Author's Note: We received a tremendous response to last week's article "Time to Recall MS Windows?" Thank you! If you have comments or opinions on this week's column, please post them to the discussion forum at the end of this article.

Thomas M. Stockwell is Editor in Chief of MC Press.

Thomas Stockwell

Thomas M. Stockwell is an independent IT analyst and writer. He is the former Editor in Chief of MC Press Online and Midrange Computing magazine and has over 20 years of experience as a programmer, systems engineer, IT director, industry analyst, author, speaker, consultant, and editor.

Tom works from his home in the Napa Valley in California.