PSA: Largest Virus Outbreak in Internet History (w/weekend update)
by annatopia, Fri Dec 02, 2005 at 08:10:51 AM EST
In this diary is a brief history and description of the virus, a list of service providers in the US that are currently affected, as well as tips on how to protect yourself from the SOBER virus or remove it from an affected computer.
On November 22, 2005, several new variants of the SOBER virus were created and unleashed on the internet. The ones which are wreaking havoc right now were the subject of a few diaries over at Dkos, the so-called "fake FBI emails". You can read about that particular variant here. In a nutshell, the message purports to come from the FBI, CIA, or a German police agency (one characteristic of the SOBER variants is that they are generally written in both German & English). The subject line in the email began as "You visit illegal websites" or "Your IP was logged". As the BBC reported:
The body text of the message makes it appear as if the recipient has been caught by the FBI, CIA or BKA browsing 30 illegal sites and asks them to fill in an attached form about this activity.
Anyone clicking on the attached form gets a fake error message while, in the background, the virus starts plundering an infected PC for e-mail addresses to send itself to.
If you receive an email purporting to come from the FBI for at least the next several weeks, DO NOT OPEN IT. DELETE IT IMMEDIATELY.
Because this virus has been spreading so successfully, copycats are taking advantage of it and have added many additional subject lines and email bodies. Here are a few examples of what you should keep an eye out for. First, any attachments named Exceltab-packed_List.exe, Liste.zip, Reg-List-Dat_Packer2.exe, reg_text.zip, Word-Text.zip, Word-Text_packedList.exe and Word-Text_packedList.zip. DO NOT CLICK ON THESE ATTACHMENTS OR YOU WILL BECOME INFECTED. If you happen to open an attachment - which many of us are prone to do this time of year as email traffic increases around the holidays - you will get a message on your computer screen which reads "WinZip Self-Extractor. WinZip_Data_Module is missing ~Error". Some other subject lines used to propagate this virus are: "Paris Hilton, pure!" and "Paris Hilton SexVideos". Another email variant looks like this:
Subject line:
I've_got your EMail on my_account!
Message text:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don't come in my mail-box again.
bye
Attached file:
your_text.zip
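As an added illustration (not from the original diary), here is a small mail-filter check that parses a raw message and flags the subject lines and attachment names listed above. The sample message is constructed for the example and is not a real captured sample; the base64 payload is a dummy string.

```python
import email
from email import policy

# Attachment names and subject lines quoted in the diary above (lowercased for matching).
SOBER_ATTACHMENTS = {
    "exceltab-packed_list.exe", "liste.zip", "reg-list-dat_packer2.exe",
    "reg_text.zip", "word-text.zip", "word-text_packedlist.exe",
    "word-text_packedlist.zip", "your_text.zip",
}
SOBER_SUBJECTS = (
    "you visit illegal websites", "your ip was logged",
    "paris hilton, pure!", "paris hilton sexvideos",
    "i've_got your email on my_account!",
)

def attachment_names(msg):
    """Return the lowercased filenames of every MIME part that carries a filename."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def sober_indicators(raw):
    """Parse a raw RFC 822 message and return the list of indicators it matches.

    Subject matches are reported as 'subject:<phrase>', known worm attachment
    names as 'attachment:<name>', and any other .exe attachment (the file type
    the worm ships as) as 'executable-attachment:<name>'.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    hits = [f"subject:{s}" for s in SOBER_SUBJECTS if s in subject]
    for name in attachment_names(msg):
        if name in SOBER_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(".exe"):
            hits.append(f"executable-attachment:{name}")
    return hits

# Constructed sample message (not a real capture); "ZHVtbXk=" is just base64 for "dummy".
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: You visit illegal websites
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached form.
--b1
Content-Type: application/zip; name="Liste.zip"
Content-Disposition: attachment; filename="Liste.zip"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

if __name__ == "__main__":
    print(sober_indicators(SAMPLE))
```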
Original reports assumed that this virus would not be much of a threat. It's your typical "plunder your email address book and propagate" virus. However, it's now been upgraded to a "medium" threat, and I expect that it'll be upgraded to "high" any moment now due to the way it's affecting many ISPs.
In November, the new SOBER variant accounted for a whopping 43% of all malicious code spread on the internet and tracked by security firms. One email security provider snared 218 million SOBER-infected emails in the last 7 days alone, which is over four times as many messages as they normally catch in a one month period. Other security firms are reporting similar numbers. The anti-virus provider that we use here at Verizon has seen a similar increase in the number of virus-infected emails.
Now, like I said, this isn't a very nasty virus but the email traffic it has generated has essentially killed virus-scanning services at several providers. The providers that are known to have down-graded service at the moment are AOL, Yahoo, Verizon, and MSN/Hotmail. I'm sure there are others (especially smaller ISPs who don't have the server capacity that we do) but I've only dealt directly with the ones I've mentioned.
Here is what is happening. All of those providers have anti-virus server farms which scan incoming mail for viral attachments before it is delivered to the user mailboxes. If a virus is detected, it is removed and then the mail is delivered. The flood of SOBER worms crashed the anti-virus farm maintained by MSN/Hotmail. Because that farm was overloaded, mail could not be delivered to the user mailboxes. All that mail got bounced back to the original senders and is now queueing up at other ISPs. For example, right now we at Verizon have a few million messages queued up destined for MSN/Hotmail users that we cannot deliver due to their A/V farm crashing. MSN is working to bring the entire A/V farm back online, but right now they are working with a LOT LESS capacity than they normally have. AOL has been very proactive in working with us to try and mitigate the damage. So far their A/V farm is holding up (barely), but like us they are queueing messages like crazy. We've just begun to get reports that mail is queueing for Yahoo as well. I suspect that their A/V farm is straining under the load.
As a user, this might just sound like a bunch of garbage, but here is what you will notice. If you send an email, it might not get delivered immediately. It might even bounce back to you in a few hours or a few days (depending on how your ISP has their servers configured) saying it was "undeliverable". Say you send an email to your friend who has a Hotmail address. You call them a few hours later and they have not gotten the message, yet there is no bounceback in your email box. What's happened is the email is sitting on your ISPs mail server waiting to be delivered to MSN. That email may or may not get through, depending on how quickly we can all resolve this issue.
If you are using Hotmail or MSN, you are most likely not receiving all your email right now. If you are using AOL, you should be getting most of your email into your inbox, although outbound mail delivery is delayed to some providers. If you're using Yahoo, you should be receiving all inbound mail, but outbound delivery is being delayed. At Verizon, both our inbound and outbound mail service is functioning just fine, but some outbound mail destined for MSN/Hotmail or Yahoo is being delayed because we can't deliver it to their overloaded servers. I'm putting this out there because you folks need to know what's going on, and you need to know why it's happening so that you don't think we're all broke-ass right now. And please, don't yell at your tech support people if you're experiencing these issues. We all know what's going on right now and we're working on it.
The best way to protect yourself from becoming infected is to go ahead and buy some good anti-virus software. There is no excuse NOT to have virus protection if you are going to be on the internet. I say that as someone who's dealt with end-users and as someone who fights the spam battle every day. Get an anti-virus program before it's too late. If you already have A/V software, please make sure you have the latest update. I'd recommend either McAfee, Symantec, or Trend Micro. All three are good solid security providers who do a great job of staying on top of these outbreaks. Trend Micro also offers a free online scan of your PC. It is a good habit to scan your PC at least weekly, and especially during times of high virus outbreaks. Please, if you have not done so recently, go scan your computer.
Now, if you are infected with the SOBER worm, you can remove it by using Trend Micro's sysclean package, which is free. If you already have A/V software from Symantec, Trend Micro, or McAfee, use your "Live Update" feature to download the latest versions and cleanup tools for free.
Make sure that you turn off System Restore before running any scans. This is very important, because Windows can and will restore trojans and viruses if you don't turn this off before cleaning up your PC.
Anyway, I hope this was helpful information. Please be aware of what's happening right now, be super careful when you're checking your email, and please be patient with your ISPs as we all work together to clean up this mess.
update: I've just been informed by one of our Security employees that Comcast is affected as well. When this started a few days ago, Comcast actually shut off all transmission to MSN/Hotmail because the load was threatening to take down Comcast's mail server network. They did it as a protective measure, to ensure their users would still be able to send and receive email to everyone else. They've since reconfigured their servers to queue mail for MSN/Hotmail after adding some capacity. But they're in the same predicament as Verizon at this time. So, Comcast cable modem users, you might be having some email issues, too. You should be receiving your mail just fine, but anything destined for MSN/Hotmail will be delayed.
update: Great news! I've just been informed that MSN is finally getting a handle on what's happening on their network. I can't go into details about what they did, as it's surely proprietary info. But we have been notified by MSN/Hotmail that their A/V farm is back up and running with increased capacity, and that normal delivery has resumed. They estimate that it will take at least until Sunday for everything to "get caught up" and back to normal, but the good news is that with co-operation from the larger ISPs, MSN has been able to recover their server farms. Still, do expect some email weirdness over the next few days as things catch back up. Whew! What a day...
weekend update: There have been several diaries posted around the lefty blogs today that relate to these type of technical issues, so I thought I'd post a weekend update.
First of all, regarding the outage at Dkos, I don't think that anyone should speculate on why it's down right now. They've been offline since last night, and I'm sure that they're working as hard as they can to bring it back up.
What I will say is this. If you run a few tests, you can see that the IP address of www.dailykos.com responds to pings, but the port that runs the webserver is not responding. Without knowing what type of configuration they run over there, we can safely assume that the server is up but the application which serves up dailykos.com isn't running. As a tech person, I would sincerely suggest that you *not try to load www.dailykos.com* for several hours. In a situation like this, where you have a high volume customer facing server offline, the last thing you need is people trying to hit the box while you're trying to bring it back up. So, as a tech, I advise you to just check back with them this evening. And besides, as soon as it's up you know someone will post a diary all over the place.
Ok, moving on to the SOBER virus. I've read a few comments from Earthlink users who say that Earthlink is actively removing the virus and sending notices to their customers. So you can add another affected ISP to the list.
It also looks like whatever MSN/Hotmail did last night worked. I can say that mail delivery from our network is catching up nicely. I think it's safe to assume that the same thing is happening at the other ISPs who could not deliver mail to MSN/Hotmail this past week. Don't be surprised if you see an increase in email into your Hotmail boxes.
Alright, now let's move on to the continued SOBER threat. First off, Mac users, you are not safe. Apple has released a "highly critical" update which patches 13 flaws, including some in their Safari browser. You can download the update by scrolling to the bottom of the security advisory.
CNET posted a good overview of the situation, which has been compounded by the release of two new Windows viruses. If you google search for "SOBER virus", you can find more information and articles, although there isn't too much new information available at this time. Basically, the virus continues to spread and everyone's still fighting it.
I'd also like to mention that this outbreak can affect the amount of time it takes for you to load web pages. I'll try to break it down to non-tech speak.
Think of web traffic as cars on a freeway. Email packets are little Honda Civics, web pages are Toyota Corollas, and mp3s and videos are SUVs. They are all on the freeway together. Normally, your Honda Civics don't take up a lot of space. But then let's say we have a new generation of drivers reach legal age simultaneously and they all go buy a Civic and join the traffic on the freeway. You're going to get some extra congestion and traffic won't flow as smoothly as it usually does.
That's what's happening right now due to this viral outbreak. The internet freeway has gotten much more crowded over the past few weeks. Things are going to slow down. And just like your regular freeway driving, there will be accidents here and there. Those accidents are analogous to things like a viral outbreak on a particular network, or a server farm going down at MSN. Traffic has to re-route, which leads to the other freeways being even more crowded.
This might be one of those days where it's better to go outside and work in the yard rather than sitting on the internet. =) Anyway, I'm glad you all found this information valuable. Have a great weekend. I'll update again later if necessary.
one more update: Dkos is down because their webhost did a physical move of their servers. Something got messed up, as is likely to happen at times, and they're working as hard as they can to bring it back online. So, back off his server for now and try again in a few hours.