SoBig: Worst is Yet to Come
bl8n8r writes "Experts say when vacationers get back to work Monday, inboxes will unleash the worm's worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
Normally we don't block emails with specific attachments at our post office because it takes too long to scan them. Our company of 100 people averages 14,000 legit email per day in and out, but with this outbreak as bad as it is (and not peaked yet!) the blocking is being instated tonight.
While musing with a programmer here who just moved her daughter into college, we brought up an interesting thought: Hundreds of thousands of college kids are moving back into dorms with huge fat pipes and Outlook style email clients on computers that haven't been patched since April or May. Yikes!
-Shadow
I'm not sure if this should be +5 funny. It is a real option for some users.
I have known many people that actually know they have a virus on their computer and don't make it the first priority in using their systems... if it is usable by them, they don't care.
Of course, this sort of person doesn't have the slightest understanding (or care) that their system is causing a variety of problems on other systems.
They only seem to care if it is causing THEM some problem.
I've long since given up trying to explain what is going on to these folks or the urgency of solving their own virus problem in a timely manner. I make sure that their system is as up-to-date as possible and make sure their virus protection software automatically updates as frequently as possible.
And, recently, these are the folks that I have broken my long standing rule on, and configured "Windows to update automatically" and not wait for the user to OK it.
"Look! There! Evil, pure and simple from the Eighth Dimension!" --Buckaroo Banzai
The idea is courtesy of the macosx forum
My ping times to www.mit.edu (my personal benchmark, as it's on the next POP over and always up) are normally 25 ms from home; they grew slowly from about 30 ms Monday morning to as high as 2600 ms yesterday with 2/3 packet drop. But today, and especially in the last few hours, it's fallen back to about 29 ms with 1/3 packet drop.
;)
There are still occasional storms, I guess as a new host gets infected nearby. But things are good compared to the last two days when I couldn't even listen to internet radio and plain old web browsing and e-mail were slow...
BTW I haven't seen any of the e-mails myself due to our spam filter, but I have gotten some returned e-mail the virus sent, and a non-tech friend got this one and another friend (who's very non-tech) got last week's virus. I usually don't personally know the people who get these things; it has been a good week for discussing an OS upgrade to Linux with non-techies.
>I've long since given up trying to explain what is going on to these folks or the urgency of solving their own virus problem in a timely manner.
Try this one:
"Some of these viruses have been known to attempt to destroy the computers of various military installations. The penalty in many countries for this is death. The penalty in YOUR country is a federal jail term. You may want to consider purchasing a $60 upgrade to your computer to help you avoid this problem in the future."
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Sorry to reply to my own post. The quarantine partition (I save out dropped messages for a while, just in case of a false positive or something) on the mailserver just hit 90%, and it's 100GB. It was somewhere around 5-10% this morning. Not a good day.
>With eight IT dudes running around fixing all of the Wintel systems
No "IT dudes" worth anything will be "running around fixing" things. If they had done their job properly in the first place, they wouldn't have to fix anything at all.
It depends on how clueless your email admins are.
Rather than blocking .scr/.pif/.exe and deleting any email with such an attachment, they are letting the group virus scanner on our Exchange servers deal with the entire load.
At the basic internet security zone Outlook can't even open .scr and .exe attachments, so why they don't delete this crap before it hits the servers I don't know.
So the virus scanner is scanning and moving to the infected folder literally thousands of these an hour. After it moves the infected message, it generates a nice email letting you know an email that was sent to you is currently in quarantine. Therefore this is generating even more work for the mail servers. Turning off this feature for a couple of days is apparently too much trouble.
The servers Exchange is running on are therefore hanging every few minutes with all the disk and processor activity. Everyone gets a message every few minutes about "please wait, connecting to server" until you get fed up and close Outlook down for the day.
This is the first virus I've ever seen to disrupt my work like this. But this is 100% the fault of our email admins who can't be bothered to write a couple of simple mail rules.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
This week alone our entire department has been thrown around, manually patching EVERY box on the network. That's around 50,000 computers. Today alone I ran across probably 10 Windows NT boxes that were still running THE FIRST SERVICE PACK!
My point is, I do NOT feel sorry in the least when companies like 3M lose millions of dollars because they don't hire a competent IT department. Hell, out of the 20 guys I work with, only myself and two others graduated from a 4 year college. Whatever. For the last four days when full-timers have been bitching at me while I upgrade their PC because their order-tracking software won't work, I just smile and tell them "you get what you pay for. Tell your bosses to hire a competent IT department and you'll never have this problem again." Then I walk away and sigh because I know it'll never happen. Guess paying a contracting firm $40/hr so they can turn around and pay me $13/hr while they get to save themselves from paying benefits is worth the millions of dollars in downtime.
"Hell hath no fury like a woman scorned for SEGA. ..."
Why the hell would I use wine to open e-mail under linux? Linux is not spreading this shit, the MS UI is. Get your facts straight. The fault is entirely MS; they are counting on this chaos so that they can step forward with the ultra secure win 2003 server and then the Longhorny security solutions. You are spreading fluff and FUD! Yes, everyone is going to rush and secure their computers with Longhorny. But as Ben Franklin said, "Those who sacrifice freedom for security will gain neither."
OH THE SHAME I fell off the wagon and use sigs again!
"Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
My experience with this virus may be abnormal, but I have to completely disagree with that statement. As a dispatch tech for a large state university, I've been up to my eyes in emails related to the virus, but have only found However, the amount of email traffic on campus has been mind-boggling -- it even took down our mail servers a few times. And less than 10% of the emails were from the virus. Most of them were f*cking auto-notification emails from other servers that someone had sent the damn virus, which thanks to the spoofing feature, was almost never true. Why don't server admins turn off such notifications when dealing with a mass-mailer/spoofer virus? All these assorted servers managed to do was clog up our mail server with these meaningless "you have sent us a virus" emails that do nothing but contribute to any damage the does!!
IMHO, the REAL cost of dealing with this virus was bearing the burden of 100,000 stupid auto-generated emails that other servers were sending us, in response to emails that didn't even come from us.
Alternatively, if you're going to do the virus check after the mail's been accepted, it sure would be nice if the virus-checker programs kept track of which viruses usually forge the sender and which don't, so it can skip the bouncegrams on the forged ones.
Dave Farber's been mentioned in the press - his mailing list is very large and gets quoted a lot, so his address is in lots of people's mailboxes and gets forged a lot.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
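Two complaints in this thread point at the same gateway policy: drop executable attachments before the message is accepted (so the scanner never has to quarantine and notify), and stop sending "you sent us a virus" notifications for worms that forge the sender. The sketch below is an added example, not code from any poster or product; the blocked-extension list, the sender-forging table and both sample messages are constructed for illustration.

```python
"""Mail-gateway policy sketch: refuse dangerous attachments at SMTP time and
suppress sender notifications for detections known to forge the sender."""
from email import message_from_string
from email.message import Message

# Constructed list of extensions the thread's admins wanted blocked at the gateway.
BLOCKED_EXTENSIONS = (".scr", ".pif", ".exe")

# Constructed table: does this scanner detection name forge the From: address?
# In a real deployment this metadata would come from the AV vendor's signatures.
FORGES_SENDER = {
    "W32/Sobig.F": True,        # mass-mailer that spoofs the sender
    "EICAR-Test-File": False,   # test signature, sender is genuine
}

# Constructed sample: a multipart message carrying a .pif attachment.
SAMPLE_WORM = """From: someone@example.com
To: victim@example.net
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See the attached file for details.
--XX
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

QUJD
--XX--
"""

# Constructed sample: a plain text message with no attachment.
SAMPLE_CLEAN = "From: a@example.com\nTo: b@example.net\nSubject: lunch\n\nNoon?\n"

def attachment_names(msg: Message):
    """Yield the filename of every part that declares one (walks nested MIME)."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name

def gateway_verdict(raw: str) -> str:
    """Decide before acceptance. REJECT means a 5xx reply at SMTP time, so the
    gateway itself never generates a bounce; ACCEPT hands the mail to the scanner."""
    msg = message_from_string(raw)
    blocked = any(n.lower().endswith(BLOCKED_EXTENSIONS) for n in attachment_names(msg))
    return "REJECT" if blocked else "ACCEPT"

def should_notify_sender(detection: str) -> bool:
    """After acceptance, notify the From: address only when the detection is a
    known non-forger; unknown detections are treated as forgers (no backscatter)."""
    return not FORGES_SENDER.get(detection, True)
```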