I DON’T KNOW HOW ACCURATE IT IS, but here’s a warning that SoBig’s latest version will be worse. It’s a bit alarmist, and I don’t know much about the site where it appears, but it’s largely consistent with this:

The “F” in the latest Sobig worm’s name indicates that it is the sixth version of the virus since Sobig.A appeared in January, and its creator is refining it with each new version. Sobig.F is set to expire Sept. 10, and security experts say they expect a Sobig.G to show up soon thereafter.

“The author seems to be experimenting,” Sunner said. “He’s introducing the worm on different days of the week, seeding the virus in different locations. He’s looking for the ideal conditions for release.” . . .

“A superworm is definitely possible,” said Joe Stewart, senior security researcher at Lurhq Corp., a computer-security company. “Unfortunately, it’s not even necessary right now. With the current level of user education out there, it’s just as easy to write something pretty dumb that still works great.”

Just freaking great.

UPDATE: A reader says that this is “utter nonsense,” but offers no details. Hope he’s right.

ANOTHER UPDATE: Reader Patrick McKenzie emails:

A couple of points:

a) The likelihood that there is one SoBig author approaches zero. Internet viruses are usually copycat affairs that link unique payloads (which are easy to write) to infection vectors (which are harder — that is why everyone bandwagons on to the hot exploit of the minute).

b) The threat of a new and improved SoBig is less than that of a new exploit tied to a nasty payload. SoBig had two really nice features from the security point of view — it hit almost everyone and did almost no permanent damage. This means that the majority of machines have been patched to avoid the buffer overrun that enabled the bug. My university immunized over 8,000 computers, for example.

c) The “wormnet” idea is beyond fantastic. For starters, any worm with a sufficiently robust protocol for communicating with itself would, umm, have a protocol for communicating with itself. Every corporate firewall and ISP would key in on the sequence in a matter of hours and shut it down. “Random viral mutations” are a sci-fi idea that has NEVER been used to effectively keep a worm from having a fixed character sequence to search against — it’s impossible to write code to reliably disguise the signature of the polymorphing code itself. This behavior is also nigh-upon unknown in legitimate software, which means that writing a polymorphic worm is a big “hit me! I’m over here!” sign to virus scanners.

So, in short, your less verbose reader earlier was completely right.

Thanks.