June 04, 2003, 4:44 PM — The quick spread of the recent Sobig.C virus may owe more to the advances in spamming techniques than to the skill of an anonymous virus writer, according to a leading antivirus company.
An analysis of e-mail messages containing the new worm variant by Russian antivirus company Kaspersky Labs Ltd. revealed what appears to be a distribution pattern more akin to spam e-mail than a fast-spreading virus, according to Denis Zenkin, head of corporate communications at Kaspersky in Moscow.
Like the original Sobig virus, Sobig.C is a mass-mailing worm that spreads copies of itself through e-mail messages with attached files that contain the virus code.
The new variant was first detected late on Friday and spread quickly across multiple countries in the hours after it first appeared, according to a statement by Helsinki security company F-Secure Corp.
"It looks like the virus writer enhanced the virus' replication with spam technology to achieve greater spreading speed and global distribution," Zenkin said.
E-mail that is generated by a worm can typically be traced back to another infected machine, Zenkin said.
With the recent Sobig.C virus, however, Kaspersky researchers found that the machines responsible for distributing the virus were not infected with Sobig, leading Kaspersky researchers to theorize that they were "open proxy" machines used by spammers to conduct massive e-mail distributions, Zenkin said.
Open proxies are loosely managed machines connected to the Internet and open to trespass by outsiders. They are often home computers connected to the Internet using "always-on" DSL (Digital Subscriber Line) or cable modem connections, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs Ltd. in New York.
Without the initial spamming of Sobig.C e-mail, it is doubtful that the virus would have spread as quickly, Zenkin said.
While the virus has features that can grab e-mail addresses from files stored on infected machines, for example, lists of destination addresses for use by spammers are easily available online and could be used to "seed" the new virus to millions of machines at once, he said.
There is a "high likelihood" that Sobig.C used a spam engine to spread, Sunner said. The initial appearance of Sobig was unusual for viruses, spiking over the weekend and then quickly dying off, he said.
"It's certainly plausible that the virus writers may have kick-started replication with spamming techniques," said Chris Belthoff, senior security analyst at Sophos PLC.
However, spam is not the only way the virus spreads, he said.
"We're absolutely certain that the virus does replicate. We have reported cases of the virus replicating," Belthoff said.