The Sober.X computer worm that began flooding inboxes last month masquerading as a threatening e-mail from federal investigators made a resurgence this week, with security experts now calling it the most prolific e-mail worm ever unleashed.
The junk traffic generated by Sober has bogged down e-mail systems at some of the nation's largest Internet service providers. For several days last week, subscribers of Microsoft Corp.'s Hotmail and MSN e-mail services experienced long delays in receiving new messages as the company struggled to filter out Sober-generated traffic.
San Carlos, Calif.-based e-mail security company Postini Inc. said it has quarantined more than 441 million Sober-infected messages since Nov. 22, twice as many messages as the largest previous attack on record, which was the Mydoom worm in January 2004. At the time, Postini intercepted roughly 8 million Mydoom-infected e-mails per day.
The Sober worm's spread peaked around Thanksgiving, then tapered off over the weekend, according to Andrew Lochart, Postini's senior director of marketing. Early this week, however, it staged a comeback. The company blocked more than 35 million Sober-generated messages on Tuesday alone.
"That's an exceptional number for a virus in a 24-hour period," Lochart said. "Things quieted down a little bit after a tremendous outbreak last week, but now this thing has gone back to pegging the needle."
The worm most often comes attached to an e-mail supposedly sent by the FBI or CIA, claiming that the government has discovered you visiting "illegal" Web sites and asking you to open an attachment to answer some official questions. Microsoft Windows users who click on the attached file infect their computers with the worm, which then e-mails copies of itself to every address found on the victim's machine.
Sober lowers security settings on infected machines, but unlike most e-mail-borne viruses and worms, it does not carry an overtly malicious payload. Rather, research unveiled Wednesday suggests the worm may be laying the groundwork for a new attack early next year.
Researchers at iDefense Inc., a Reston, Va.-based division of Mountain View, Calif.-based VeriSign Inc., unscrambled portions of the worm's code and found that infected PCs are programmed to download updates from a series of Web sites on Jan. 5. Whether those updates will include a new version of the worm or instructions for carrying out some other type of online activity is not yet clear to researchers.
Earlier this year, a Sober variant forced infected computers to spew out spam e-mails calling for the re-establishment of the Nazi Party in Germany. Jan. 5 coincides with the 87th anniversary of the founding of the Nazis in Munich.
Allysa Myers, a member of the virus response team with software maker McAfee Inc., said the worm will most likely fizzle out before that date arrives, as authorities have identified the update sites.
"There is some indication that the worm is going to try and upload new code to start a new phase in January, but at that point it is likely those sites will have been shut down," Myers said.