Sobig could be considered a rather harmless worm, if it weren't for the fact that it is creating quite a mess on the Internet. It's not so much a matter of widespread infection as it is of improperly configured mail filters.
Many companies DO have some method of filtering incoming and outgoing mail, but their policies are only so-so. Take, for example, an email sent by Sobig.F. It takes two random addresses from the local address book, puts one in the From field (sender) and the other in the To field (recipient). Then it uses some really generic subject and message body phrases. And off it goes...
The mail filter at Company A sees that this email is infected with Sobig. Okay, so it drops the file. But then what does it do? It passes the rest of the content through? So now Company A has to contend with these almost empty emails coming from a fake address. Company A panics and calls the sender address at Company B, and managers at Company B panic, thinking they're sending everyone viruses, while I.T. is trying to calm everyone down.
OR another email goes to Company C, but their mail filter determines "hey, this email was infected, we'll just deny it!" and a Mailer Daemon rejects the email, bouncing it back to the sender address. NOW Company A gets back a bounced message saying they were infected. So Company A's managers panic, I.T. panics, then realizes they aren't infected, and now Company A calls Company C and tells them they're seeing these emails about Sobig, so then Company C is panicking...
All the while, Company D is just sitting back and relaxing because they aren't receiving any infected emails or bounce-backs. But what Company D doesn't realize, and neither do the other companies, is that it's Company D's computers that are infected and using all of the clients in their address book. They're not getting the messages because they don't put their own contact in their address book.
If this scenario still doesn't make sense to you, that's okay; here's a recap:
1. If you receive an email that is infected with Sobig, it did not come from the address it says it did.
2. If you receive an email that isn't infected with Sobig but looks like a Sobig email, the outgoing mail server of the network it originated from deleted the attachment but relayed the email anyway.
3. If you receive an email that isn't infected with Sobig but looks like a mailer-daemon failure notice, and it has your address on it as the return address, you did not send the message.
4. If you are infected with Sobig, then you probably don't know it, and neither does anyone else.
The solution:
1. Keep your antivirus up to date.
2. Set up an incoming mail filter. If the email is infected, stop it and delete the entire email. Also filter message content generated by Sobig, to keep users from getting confused.
3. Set up an outgoing mail filter. If the email is infected, stop it, delete it, and do not send a mailer-daemon message back to the sender.
4. It is also useful to turn on MX lookups for your mail filters, which verifies that an email is coming from the correct domain.
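As an added example that is not part of the original post, the following simulation compares the three filter policies described above (strip the attachment and relay, bounce to the sender, or drop silently) on a single Sobig.F-style message whose From and To were both harvested from an infected host's address book. The company names, addresses and subject-line list are constructed for the example.

```python
"""Simulate what leaves a mail filter under each policy for a spoofed worm mail."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Set


class Policy(Enum):
    STRIP_AND_RELAY = 1   # delete the attachment, forward the now-empty mail
    BOUNCE = 2            # reject and send a DSN to the (spoofed) sender
    DROP_SILENTLY = 3     # recommended: discard, no DSN, no relay


# Constructed, illustrative list of generic subject lines for the content
# filter in solution step 2 (not a real signature list).
SOBIG_STYLE_SUBJECTS = {"re: details", "re: approved", "thank you!", "your details"}


@dataclass(frozen=True)
class Mail:
    envelope_from: str   # spoofed: taken from the infected host's address book
    recipient: str       # also taken from that address book
    subject: str
    infected: bool       # attachment matched the worm signature


@dataclass(frozen=True)
class Delivery:
    to: str
    kind: str            # "original", "clean-relay" or "bounce"


def looks_like_sobig(mail: Mail) -> bool:
    """Content check that still fires when an upstream filter stripped the attachment."""
    return mail.subject.strip().lower() in SOBIG_STYLE_SUBJECTS


def apply_filter(mail: Mail, policy: Policy) -> List[Delivery]:
    """Return everything that leaves the filter: deliveries to the recipient and/or a DSN."""
    if not mail.infected and not looks_like_sobig(mail):
        return [Delivery(mail.recipient, "original")]
    if policy is Policy.STRIP_AND_RELAY:
        # Recipient still gets a confusing empty mail from a fake sender (recap item 2)
        return [Delivery(mail.recipient, "clean-relay")]
    if policy is Policy.BOUNCE:
        # DSN goes to the spoofed From address: an uninfected party is told it sent a virus (recap item 3)
        return [Delivery(mail.envelope_from, "bounce")]
    return []  # DROP_SILENTLY: nothing leaves the filter


def who_gets_noise(policy: Policy) -> Set[str]:
    """Uninfected parties that receive worm-generated mail under a given policy."""
    worm_mail = Mail("alice@company-b.example", "carol@company-c.example",
                     "Re: Details", infected=True)
    return {d.to for d in apply_filter(worm_mail, policy)}
```

Only DROP_SILENTLY produces an empty set; the other two policies each hand the worm's traffic to someone who is not infected.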
You can read more on Sobig.F here:
http://www.sophos.com/virusinfo/analyses/w32sobigf.html
A cleaning tool is available at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html
A recent news article on Sobig:
http://money.cnn.com/2003/08/21/technology/sobig/index.htm?cnn=yes