With the holiday season and its flurry of shopping, greetings and other online activities also comes a bump in malware production. Proof of that came early this year with the proliferation of several versions of the Sober worm.
“Unfortunately for us, the holidays have historically brought with them an increase in malware activity,” Ed Moyle, manager of CTG Security Services, told TechNewsWorld. “There’s a good reason for that. It’s easier for malware authors to hide their activities during the holiday season.”
Moyle explained, “Folks are used to receiving e-mails from friends and relatives containing executable content, flash, slide shows, etc. If they receive an e-mail from a friend with the subject ‘Great Holiday Snowball Game’ that has an executable attachment, they are fairly likely to run it. Malware authors capitalize on this fact and camouflage their messages with seasonal messages.”
Letting Their Guard Down
The dangers of such tactics are compounded by a lack of vigilance among cheerful computer users, since normal precautions such as deleting unknown executables would avoid the problem completely.
“It’s understandable that some folks drop their guard around the holidays. If everyone else in the office is playing the ‘super fun reindeer snowball game,’ not opening it because it could be unsafe can be less than fun,” Moyle said.
So far, there have been reports of four variants of the mass-mailer: Sober.S, Sober.T, Sober.V and Sober.W. They operate in much the same manner as previous incarnations: an e-mail attachment in English or German that, if opened, searches for e-mail addresses stored on the computer and mails itself to those addresses.
Known attachments to look out for are Exceltab-packed_list.exe; Liste.zip; Reg-List-Dat_Packer2.exe; reg_text.zip; Word-Text.zip; Word-Text_packedList.exe; Word-Text_packedList.zip.
Minimal Damage
The worm spreads quickly, Moyle said, but the damage to an infected machine is minimal, although mass mailings can slow down servers and networks. The latest versions use a more clever propagation method.
“Compared with the Sober variants we saw earlier this year (e.g. Sober.N), the new versions have an updated payload — what it does once it’s on a machine — and a propagation vector — the technique it uses to spread,” he said. “Previous versions opened a document in Notepad when the executable was run. This version displays an error message dialog — all in all, probably a more effective technique.”
Police in Bavaria, Germany, issued a press release Monday, warning of the expected outbreak. Sober’s writer is believed to be German, and Bavarian police have been trying to track down its author for a year.