Sober worm hangover finally draws to a close

The long-running IT security hangover caused by the Sober worm has finally come to an end, newly published threat monitoring data claimed today. According to the latest monthly malware report from Fortinet, the worm's activity "spectacularly dropped" on Jan. 6, as it made the transition from its spreading phase to an update phase.

"It's worth mentioning that after a careful analysis of the code, it is not going to go back to a spreading phase, ever," says Guillaume Lovet, threat response team leader at Fortinet.

However, he went on to warn: "The worm's authors - who have extensively proved that they were able to produce tremendously large outbreaks in the past - could very well seed new variants of the infamous 'propaganda' worm."

The study also found that, during last month, the biggest threat came from the rise of the Grew worm (also known as Kama Sutra, Nyxem, MyWife and Kasper), which appeared on Jan. 16. Within two days, this virulent worm had reached its peak activity.

According to Fortinet's Lovet, the newly discovered Kama Sutra worm is an old-fashioned threat that looks like a legacy from the early days, when virus authors would write malware for "fun or glory," and not for making money.

"Within several days, Grew indeed infected hundreds of thousands of computer systems all over the world. Its payload is not set to spy on the infected users. It does not embed a bot, a proxy or a backdoor, nor does it display ads. Instead, it is set to damage files with the specific extensions on the infected computer, on the 3rd of every month," Lovet said.

Lovet went on to speculate why the only two large outbreaks in recent months have been caused by worms (Sober and Grew) that are not designed to generate profit: "This is consistent with our thought that cybercriminals willing to make money adopt a 'low-profile' attitude, and try to make as little fuss as possible."

"The fact that various bot herders and phishers were arrested lately clearly indicates that high financial damage and/or large media coverage almost always lead you straight to courts," he added.

Fortinet's report also noted that January saw many variants of the Feebs worm emerging, on average almost one per day. Among other features (rootkit, P2P propagation, reporting via ICQ, on-the-fly injection into emails sent by the infected user), this worm uses JavaScript as its propagation vector. The worm body lies in an encoded string inside JavaScript embedded in an .hta document. Whenever the document runs, the JavaScript decodes the worm body and executes it. The .hta document is then regenerated and mass-mailed by the worm engine.

According to Fortinet, this worm, though currently not posing a major threat, has the potential to become a "serious challenge" to antivirus companies relying on pattern-based signatures and binary emulators, but only if malicious hackers begin to seed it aggressively and implement advanced polymorphism in its JavaScript generation.
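A defender-side illustration of the two paragraphs above, added here and not part of the Fortinet report or the original article: a small Python scanner that flags an .hta whose script block carries a long encoded string literal, a decoding routine and an execution primitive, the three-stage structure that survives regeneration even when the bytes of each variant differ. Both sample documents, the indicator lists and the 64-character threshold are constructed assumptions, not Feebs artifacts.

```python
import re
from collections import Counter
from math import log2

# Constructed sample .hta (not a real Feebs sample). It mirrors the structure
# described in the article: one script block holding a long encoded string
# literal that is decoded at run time and handed to eval(). The hex is a
# made-up placeholder and does not decode to anything meaningful.
SUSPICIOUS_HTA = """<html><head>
<HTA:APPLICATION ID="app" WINDOWSTATE="minimize" SHOWINTASKBAR="no">
<script language="JavaScript">
var d = "a17c3e9f4b2d60e85c91f37a2be4d0c6f8a51b39e7d24c0a6f3b81e59d7c2a40";
var s = "";
for (var i = 0; i < d.length; i += 2) s += String.fromCharCode(parseInt(d.substr(i, 2), 16));
eval(s);
</script></head><body></body></html>"""

# Constructed benign .hta for comparison: plain script, no decode-and-execute chain.
BENIGN_HTA = """<html><head><script language="JavaScript">
function hello() { document.body.innerText = "Hello from a plain HTA"; }
</script></head><body onload="hello()"></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
LITERAL_RE = re.compile(r"""["']([^"'\n]{64,})["']""")  # string literals of 64+ chars
HIDDEN_RE = re.compile(r'WINDOWSTATE\s*=\s*"?minimize|SHOWINTASKBAR\s*=\s*"?no', re.I)
DECODERS = ("String.fromCharCode", "parseInt", "unescape", "decodeURIComponent")
EXECUTORS = ("eval(", "execScript(", "new Function(", "ActiveXObject(")

def shannon_entropy(s):
    """Bits per character of a string; hex text cannot exceed 4.0."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_hta(text):
    """Report structural indicators of an encoded, self-executing script in an .hta."""
    bodies = SCRIPT_RE.findall(text)
    literals = [m for body in bodies for m in LITERAL_RE.findall(body)]
    report = {
        "long_literals": literals,
        "max_literal_entropy": max((shannon_entropy(s) for s in literals), default=0.0),
        "decoders": [d for d in DECODERS if any(d in b for b in bodies)],
        "executors": [e for e in EXECUTORS if any(e in b for b in bodies)],
        "hidden_window": bool(HIDDEN_RE.search(text)),
    }
    # All three stages together (payload literal, decoder, executor) are the signal;
    # any one of them alone is common in legitimate scripts.
    report["suspicious"] = bool(literals) and bool(report["decoders"]) and bool(report["executors"])
    return report
```

Running `scan_hta(SUSPICIOUS_HTA)` reports the literal, the decoders, `eval(` and the hidden window, while the benign sample produces no long literal and is not flagged; a high `max_literal_entropy` on a flagged file is a further hint that the literal is packed or encrypted data rather than text.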
