Confounding experts who expected SoBig.F to stop propagating itself, the
virus continues to be one of the Internet's biggest threats.
SoBig.F's continued proliferation is, ironically, due in part to a measure
taken to combat its spread. Also prolonging its viability are the many
home PCs that have incorrect clock times, experts say.
Internet security firm MessageLabs reported that SoBig.F was the third most
prevalent virus in November, with over a quarter of a million copies
detected by the company's servers. MessageLabs detected the most copies of
SoBig.F in the United States, followed by Great Britain and South Korea.
These figures are only a fraction of those reported in August, when SoBig.F
was clogging corporate networks across the globe. But security experts had
hoped that SoBig.F would disappear, because it contains code that tells the
virus to stop propagating itself after September 10th. That cut-off, however,
is judged against the infected PC's own clock.
SoBig.F will be a problem "at least several more months," MessageLabs
information security analyst Paul Wood told NewsFactor. It is clear that
many PC clocks are "very much out of date, because the cut off date was
September 10th, and some of the e-mails that we're stopping are dated several
months prior to that."
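The clock problem Wood describes shows up on a mail gateway as a large gap between the Date: header a sender stamped on a message and the time the gateway actually received it. The following is an added example, not code from the article or from MessageLabs: it parses a constructed gateway log (the three-field format is invented for this demo), measures that gap, and notes whether the sender's clock would still read as before the September 10th cut-off, which is the condition under which a copy keeps spreading.

```python
"""Flag senders whose Date: header lags the gateway's receive time by months.

Added example. The log format below is constructed for this demo:
"<received ISO-8601 UTC> <sender> <raw Date: header value>".
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# The deactivation date the article says SoBig.F checked against the local clock.
SOBIG_F_KILL_DATE = datetime(2003, 9, 10, tzinfo=timezone.utc)

# Constructed sample log: two hosts have clocks months behind, two are accurate.
SAMPLE_LOG = """\
2003-11-20T14:02:11Z admin@example.com Thu, 20 Nov 2003 09:01:58 -0500
2003-11-20T14:05:40Z support@example.com Fri, 15 Aug 2003 12:44:03 +0000
2003-11-20T14:06:02Z yourmail@example.com Mon, 02 Jun 2003 03:17:45 -0700
2003-11-20T14:09:13Z news@example.com Thu, 20 Nov 2003 14:08:50 +0000
"""


def parse_line(line):
    """Split one constructed log line into (received, sender, dated), both aware datetimes."""
    received_raw, sender, date_raw = line.split(" ", 2)
    received = datetime.fromisoformat(received_raw.replace("Z", "+00:00"))
    dated = parsedate_to_datetime(date_raw)  # honours the header's own UTC offset
    return received, sender, dated


def clock_skew(received, dated):
    """How far the sender's Date: lags the gateway's receive time (positive = sender behind)."""
    return received - dated.astimezone(timezone.utc)


def would_still_propagate(host_clock):
    """The gate the article describes: the worm keeps spreading while the infected
    host's own clock reads before the kill date. A clock months behind never
    reaches it, which is why copies persisted past September 10th."""
    return host_clock < SOBIG_F_KILL_DATE


def flag_stale_senders(log_text, threshold=timedelta(days=30)):
    """Return one finding per sender whose clock is more than `threshold` behind."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        received, sender, dated = parse_line(line)
        skew = clock_skew(received, dated)
        if skew > threshold:
            findings.append({
                "sender": sender,
                "skew_days": skew.days,
                "host_thinks_before_kill_date":
                    would_still_propagate(dated.astimezone(timezone.utc)),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_stale_senders(SAMPLE_LOG):
        print(finding)
```

A threshold of 30 days is deliberately coarse: ordinary time-zone mistakes and a few minutes of drift stay well under it, while a host whose clock is stuck months in the past (the case Wood describes) is unmistakable.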
Initial Success
The SoBig.F virus, the sixth SoBig variant, posed more of a threat than any
of its predecessors. It sent more virus-bearing e-mails than any other
mass-mailed virus. SoBig.F is "particularly virulent," Wood said, noting
that it can generate up to seven spurious e-mails simultaneously.
Its peak infection date was August 19th. At that time, infected PCs were set to
download additional software from 20 servers on Fridays and Sundays from
noon to 3:00 p.m. PDT until September 10th. Had that scenario unfolded,
experts feared the virus would have launched a new spam attack or allowed
remote access to infected PCs.
Security experts worked intensely -- and successfully -- to avert the attack
by locating the machines and warning their operators. The 20 servers were
taken offline.
"The security industry reacted really aggressively to find ways to mitigate
the damage," Yankee Group analyst Eric Ogren told NewsFactor. "They got an
early warning, they looked at source code, they worked across organizations
to make sure it didn't do all the stuff it was designed to do -- five stars
for them."
Fix Is a Problem
Taking offline the servers that SoBig.F was programmed to look for
inadvertently gave the virus a longer life, Wood said. "By making those
IP addresses unavailable to that stage of the virus, [the virus] will
continue not only to spread by e-mail, but it will continue to monitor those
IP addresses.
"In a sense, those infected machines are still checking to see if the
mothership is there," he explained. (continued...)