SoBig.F Packs Few Design Surprises

The self-updating capability that had anti-virus experts scrambling was in fact present in some of the earlier versions of the virus; nonetheless, SoBig.F still concerns them.

It turns out that SoBig.F is even less original than previously thought.

The self-updating capability that had anti-virus experts, users and even the FBI scrambling this weekend was in fact present in some of the earlier versions of the virus, albeit in a somewhat less advanced form.

"That capability was in previous versions. I think what set off the red flag this time is the prevalence of this version and the potential for what could happen," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc., in Islandia, N.Y.

A couple of anti-virus vendors on Friday announced that they had discovered a new feature of SoBig.F that instructed infected machines to connect to one of 20 IP addresses that were hidden in the virus's code. The PCs were then supposed to download and execute an unknown file. Security experts feared that the file could be a Trojan or some tool for launching a broader attack.

However, authorities were able to locate and shut down the vast majority of the 20 machines, and the expected onslaught of activity never materialized. The self-updating capability was first seen in SoBig.C, but until this latest version, none of the viruses had the list of IP addresses for infected machines to contact.


Although they were able to deflect the mystery attack, anti-virus experts are still worried about the long-term implications of SoBig.F. The virus spread more quickly than any other piece of malware in history and has infected countless machines. It is the sixth version of the SoBig virus to appear, and each iteration of the virus also contains an expiration date, after which the virus is programmed to stop trying to spread.

These facts have led some experts to speculate that the SoBig viruses are being written, released and subsequently improved upon by professionals who have some larger goal in mind than simply flooding inboxes with useless e-mail.

The fact that some portion of the self-updating feature was in previous versions of the virus would appear to bolster the argument for this trial-and-error scenario. But some in the anti-virus community don't buy it.

"We haven't seen any evidence of this being used as a mechanism for sending commercial spam," said Chris Wraight, technology consultant at Sophos Inc., an enterprise anti-virus company based in Lynnfield, Mass. "It's definitely weird that a new one is released so often. It's almost like beta testing."
