MALWARE HISTORY

2003 – Sobig and the Botnet

Although the Win32.Sobig worm had been spotted in isolated locations since January, it did not start causing trouble until August, with the advent of its Sobig.f variant. Spreading via e-mail, the Win32.Sobig worm is thought to be the first organized attempt to create large-scale botnets (networks of compromised systems that can be remotely controlled by a bot herder).

The main reason for writing Win32.Sobig is alleged to be an attempt to create a huge network of zombified computers in order to conduct DDoS attacks on corporate servers.

Win32.Sobig caused a huge epidemic: one in 20 e-mail messages was infected with the worm. It is alleged that Win32.Sobig is the mail worm that holds the record for the most infected machines worldwide.

Another e-mail worm attacked right after Win32.Sobig. Tantalos.b was the first of its family to exploit the Iframe vulnerability in MS Outlook in order to execute itself automatically. Although it could not match the damage caused by Win32.Sobig, Tantalos ranked second among the most aggressive e-mail worms of 2003.

The Sobig incident prepared the ground for another Trojan. Sober built on the panic created by its predecessor in order to spread and multiply at will. Although it is just a Sobig clone, Sober came with some innovative features: the accompanying e-mail message was written in a plethora of languages, and the Trojan would detect the user’s language by looking up the destination IP address. In order to convince the user to execute the attachment, it posed as a removal tool for Sobig.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.