A new variant of the Sober virus reared its ugly head over the weekend and continued to propagate right-wing messages in German and English this morning.
Sober is a mass mailing worm spread through a .zip file attached to the e-mail. Once the attachment is opened, the worm uses its own e-mail engine to send itself to addresses harvested from the infected computer.
“The propagation ebbs and flows, with spikes occurring primarily when European e-mail users are online,” said Scott Chasin, CTO, MX Logic. “For example, as e-mail users in Europe came online today, the MX Logic Threat Center saw the number of infected messages double.”
New Variants, Same Motive
As with other recent variants of the Sober worm, Sober.Q uses a number of different subject lines, message bodies and attachments, sent in both English and German.
If Sober determines it is being sent to an e-mail address with a domain generally reserved for a German language country (e.g., .de, .ch, .at, .li) then the worm sends messages in German.
Unlike most spam, Sober's primary motive is pure propaganda. For example, the German language e-mail messages indicate that the recipient has won tickets to the 2006 World Cup, thereby enticing the recipient to open the attachment.
The English language messages, however, carry more mundane subject lines including “Mailing Error,” “Registration Confirmation,” “Your e-mail was blocked,” and “Your Password.” The body of the e-mails spread hate messages.
Chasin said Sober is yet another example of the increasingly sophisticated social engineering tactics that worm authors use to lure e-mail users into spreading the worm: “In this case, the authors not only leveraged both English and German language e-mails to spread, but it also capitalized on the current interest in Europe in 2006 World Cup Soccer tickets.”
Protecting the Network
Ken Dunham, the director of malicious code research at iDefense, a Reston, Va.-based threat intelligence firm, told TechNewsWorld that the Sober family first appeared in March 2003. iDefense currently reports 19 variants and lists the worm among its top 10.
“This is not your regular spam. This is truly propaganda,” Dunham said. From an administrative perspective, you’ll see a whole lot of Sober e-mails coming in through your gateway.
“It’s important to make sure anti-virus solutions are in place, although the Sober worms seem to be pretty successful for the first 24-48 hours. The bottom line is that this is an increasingly sophisticated attack that’s starting to gain success. We can expect to see more Sober variants in 2005.”