NYTimes.com Article: Experts Attempt to Isolate Malicious Computer Program

khare at alumni.caltech.edu khare at alumni.caltech.edu
Fri Aug 22 21:55:08 PDT 2003

This article from NYTimes.com 
has been sent to you by khare at alumni.caltech.edu.

SMTP must die. Long live TP!

khare at alumni.caltech.edu


Experts Attempt to Isolate Malicious Computer Program

August 22, 2003


Computer experts scrambled today to track down and isolate
20 computers around the world that had been infected with a
malicious computer program having the potential, the
experts feared, to cripple an untold number of computers
connected to the Internet worldwide. 

The program had been remotely installed in the 20 computers
by one or more hackers who also launched the latest
iteration of a familiar and fast-spreading computer virus,
Sobig.F, that appeared earlier this week and wrought havoc
with many corporate PC's and business systems on the

Sobig.F has swamped the Internet with hundreds of millions
of e-mail messages carrying an attachment that if opened
instructs an infected computer to communicate with the 20
master computers planted with the mystery program. 

The first rendezvous was scheduled for 3 p.m. Eastern time
today, with follow-up communications on Sunday between 3
p.m. and 6 p.m., and on succeeding Fridays and Sundays
until Sept. 10, when the program is scheduled to vanish. 
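The schedule above is exactly the kind of thing a network defender can turn into a detection rule once the master addresses are known: any outbound contact with one of those hosts is worth flagging, and contacts inside the published windows are the beacons themselves. The script below is an added example for this thread, not code from the article or from Network Associates or Symantec. It reads firewall-style outbound connection records and labels each contact with a master host as either inside or outside the Friday/Sunday 3 to 6 p.m. Eastern windows that run through Sept. 10. The log format, the master addresses (RFC 5737 documentation range, not the real Sobig.F hosts) and the log lines are all constructed, and Eastern time is assumed to be EDT (UTC-4) for those dates.

```python
"""Rendezvous-window detector for Sobig.F-style beacons.  Added example for this
thread; not code from the article, Network Associates or Symantec.  The log
format, master addresses and log lines are constructed placeholders."""
import re
from datetime import date, datetime, time, timedelta, timezone

# Assumption: Eastern time in late August / early September 2003 is EDT, UTC-4.
EDT = timezone(timedelta(hours=-4), name="EDT")
LAST_RENDEZVOUS = date(2003, 9, 10)      # the article's "scheduled to vanish" date
WINDOW_START, WINDOW_END = time(15, 0), time(18, 0)
RENDEZVOUS_WEEKDAYS = {4, 6}             # datetime.weekday(): 4 = Friday, 6 = Sunday

# Constructed stand-ins for the 20 decoded master addresses (RFC 5737 documentation
# range).  These are NOT the real Sobig.F master hosts.
MASTERS = frozenset({"192.0.2.10", "192.0.2.11", "192.0.2.12"})

# Constructed log format: "<ISO-8601 UTC timestamp> src=<ip> dst=<ip> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
)

# Constructed sample records: Fri Aug 22 in-window, Fri Aug 22 before the window,
# a non-master destination, Sun Aug 24 just before 6 p.m., Fri Sep 12 after expiry,
# and one malformed line.
SAMPLE_LOG = """\
2003-08-22T19:01:05Z src=10.1.1.7 dst=192.0.2.10 proto=udp
2003-08-22T18:30:00Z src=10.1.1.9 dst=192.0.2.11 proto=udp
2003-08-22T19:10:00Z src=10.1.1.7 dst=198.51.100.5 proto=tcp
2003-08-24T21:59:59Z src=10.1.1.20 dst=192.0.2.12 proto=udp
2003-09-12T19:30:00Z src=10.1.1.7 dst=192.0.2.10 proto=udp
this line is not a connection record and is skipped
""".splitlines()


def parse_line(line):
    """Return (utc_datetime, src, dst) for a well-formed record, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"]


def in_rendezvous_window(ts_utc):
    """True if the UTC timestamp falls in a scheduled rendezvous window
    (Friday or Sunday, 15:00 <= local time < 18:00 Eastern, on or before Sept. 10)."""
    local = ts_utc.astimezone(EDT)
    return (
        local.date() <= LAST_RENDEZVOUS
        and local.weekday() in RENDEZVOUS_WEEKDAYS
        and WINDOW_START <= local.time() < WINDOW_END
    )


def classify(ts_utc, dst):
    """Label a contact with a master host; None for any other destination."""
    if dst not in MASTERS:
        return None
    if in_rendezvous_window(ts_utc):
        return "beacon-in-window"
    # Still worth a look: a probe, a clock-skewed host, or contact after expiry.
    return "master-contact-outside-window"


def scan(lines):
    """Return (iso_timestamp, src, dst, label) for every contact with a master host."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        label = classify(ts, dst)
        if label:
            findings.append((ts.isoformat(), src, dst, label))
    return findings


def suspected_hosts(findings):
    """Internal addresses that talked to a master host at all, for cleanup."""
    return sorted({src for _, src, _, _ in findings})


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
    print("hosts to clean:", suspected_hosts(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

The window test is done in local Eastern time rather than UTC so the Friday/Sunday check lands on the right calendar day; a log kept in UTC would otherwise mis-bucket the 6 p.m. edge. Contacts outside the window are kept as a separate label rather than dropped, because a machine that reaches a master host at any time is still one that needs cleaning.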

But computer security experts, in collaboration with
Internet service providers and law enforcement agencies
around the world, were able to find the 20 computers and
take at least 17 of them offline by 3 p.m. today. 

One expert, Jimmy Kuo, a research fellow of Network
Associates Inc., an Internet security company, said all 20
computers had been taken offline. But Symantec Security
Response, another Internet security firm, said three had
remained online and simply redirected investigators'
computers to a pornographic Web site. It is not known
whether the other 17 would have performed similarly. 

Throughout the day, experts had feared a range of
possibilities offered by the short-circuited instructions,
from something relatively benign, like directing traffic to
an advertiser's Web site, to something potentially
catastrophic, like instructing Sobig.F-infected machines to
begin erasing their hard drives or launching new Internet

``The people who are in charge have side-stepped another
attack or the potential for bad things to happen,'' Mr. Kuo
said of the efforts of computer security experts in
combating Sobig. 

The 20 master computers are located in the United States,
Canada and Korea, Mr. Kuo said. The computers are most
likely home PC's whose owners had no idea that their
systems had been commandeered, experts said. 

``I highly doubt the author of the virus owns these
machines,'' said Johannes Ullrich, chief technology officer
of SANS Internet Storm Center, a division of the SANS
Institute, a company based in Bethesda, Md., that monitors
malicious Internet traffic. 

According to Mr. Kuo, the master computers were identified
by security experts who were able to decode the virus and
identify the Internet addresses that the infected computers
were supposed to communicate with at 3 p.m. today. 

Several computer security sources said most or all of those
addresses were then probably removed from the network by
the Internet companies that provide service to those
addresses. In addition, said Mr. Kuo, the large
telecommunications companies that provide the systemic
backbone for the Internet could have interceded and blocked
all communication to those specific Internet addresses. 

It seems that system administrators had little time to
spare. According to Mr. Kuo, as of about 11:30 a.m. Eastern
time, only three and a half hours from Sobig's programmed
attack time, at least five of the master computers were
still connected to the Internet. 

Vincent Weafer, senior director of Symantec Security
Response, a team within Symantec Corp., an Internet
security company based in Cupertino, Calif., said that when
computer security technicians pretended to be an infected
machine and sent messages to the master computers, they
found that one of the few master computers that was still
on line was redirecting them to a pornography Web site. 

The experts' greatest fear was that the master computers
would instruct the infected computers to install a Trojan
horse backdoor program in themselves. A Trojan horse
backdoor allows a hacker to slip into an infected computer
undetected and commandeer the machine. ``It's the
equivalent of standing in front of the computer,'' Mr.
Weafer said. ``At that point, the sky's the limit in terms
of the damage that's been done.'' 

Using Trojan horse backdoors, hackers could use infected
machines to store illegal files, like child pornography, or
make them function as a relay point for networks sending
out ``spam,'' meaning unwanted e-mail messages hawking
various products and services. 

While a broad cyberdisaster appeared to have been averted
today, computer security experts said computer users were
not yet out of the woods. Infected computers will still be
trying to connect to the master computers, they said, and
will deluge the Internet with viral spam. 

``We're still going to have millions of messages that the
virus generates,'' Mr. Kuo said, adding that America Online
has been blocking some 11 million Sobig e-mail messages a

Infection by the Sobig virus can only occur if a recipient
of an e-mail message containing the virus opens, or
double-clicks, the attachment, which has appeared under
various guises with subject lines like ``Re: Thank You!,''
``Re: Details'' or ``Re: Wicked screensaver,'' among

``The No.1 thing is, don't click on these attachments,''
Mr. Ullrich said. 

To guard against infection, recipients should delete e-mail
messages containing suspicious attachments. The virus
program is blocked by updated versions of most antivirus
utility programs. 

Several Internet security sites are offering free software
tools and step-by-step instructions on identifying and
cleaning an infected computer. 

Like many other mass-mailed viruses, Sobig comes with its
own e-mail program that prowls a victim's address book,
stored Web pages and other files, plucking e-mail
addresses. Using its own e-mail engine rather than a
victim's e-mail software, the program then sends itself to
the newfound addresses via file-share programs or the
Internet, but disguises its provenance by substituting the
real sender's address with an address it has found on the
victim's machine. 
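Because the worm's own mail engine fills in the From: line from addresses it harvested, the sender shown on a Sobig message identifies neither the infected machine nor anyone responsible for it; replying or bouncing to that address only hits an uninvolved third party. The infected host has to be located from the Received: chain instead. The script below is an added example for this thread, not code from the article or from any vendor it names. It parses a constructed message (relay names, addresses and the attachment name are placeholders) and reports the claimed sender alongside the relay hops; the subject lines come from the article, while the list of executable attachment extensions is an assumption.

```python
"""Header triage for a suspected Sobig.F message.  Added example for this thread;
not code from the article or from any vendor it names.  The sample message is
constructed, and EXEC_EXTS is an assumption about double-click-to-run file types."""
import email
import re
from email import policy

# Subject lines the article reports for Sobig.F.
SOBIG_SUBJECTS = {"Re: Thank You!", "Re: Details", "Re: Wicked screensaver"}
# Assumption: attachment types that run when double-clicked on a Windows PC.
EXEC_EXTS = (".pif", ".scr", ".exe", ".bat", ".com", ".cmd")

# Bracketed IPv4 literal as written by a relay into its Received: header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: From: names a harvested address, the first hop is a home PC.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.org (mx.example.org [198.51.100.9])
    by mail.example.net with ESMTP id abc123; Fri, 22 Aug 2003 15:02:11 -0400
Received: from home-pc (unknown [203.0.113.77])
    by mx.example.org with SMTP id xyz789; Fri, 22 Aug 2003 15:02:09 -0400
From: alice@example.com
To: bob@example.net
Subject: Re: Details
Message-ID: <constructed-sample@example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


def received_hops(msg):
    """Relay IPs from the Received: headers, ordered origin-first.  Each relay
    prepends its own header, so the last Received: header is the earliest hop."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP_RE.search(str(hdr))
        hops.append(m.group(1) if m else None)
    return hops


def claimed_sender(msg):
    """The From: address exactly as the sending software wrote it (unverified)."""
    return str(msg.get("From", "")).strip()


def attachment_names(msg):
    """Filenames of all attached parts."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw_bytes):
    """Parse a raw message and return what an incident responder needs:
    who the message claims to be from, where it actually entered the mail
    system, and whether it carries the Sobig indicators the article describes."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hops = received_hops(msg)
    executables = [n for n in attachment_names(msg) if n.lower().endswith(EXEC_EXTS)]
    subject = str(msg.get("Subject", "")).strip()
    if executables and subject in SOBIG_SUBJECTS:
        verdict = "suspected-mass-mailer"
    elif executables:
        verdict = "executable-attachment"
    else:
        verdict = "no-indicator"
    origin = hops[0] if hops else None
    return {
        "claimed_from": claimed_sender(msg),
        "origin_ip": origin,
        "hops": hops,
        "subject": subject,
        "executable_attachments": executables,
        "verdict": verdict,
        # The infected host is reported to the owner of origin_ip.  Never reply or
        # bounce to claimed_from: the worm picked it off somebody else's machine.
        "notify_about": origin,
        "do_not_notify": claimed_sender(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

One caveat when using the hop list: the sending software can forge Received: headers just as easily as From:, so the only hop that is certain is the one your own mail server wrote when it accepted the connection. Walk the chain from that header downward and stop trusting it at the first relay you do not know.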

Computer security experts said today that Sobig could be
the largest virus yet in terms of the amount of e-mail it
has generated. Other viruses have spread more quickly or
have done more damage to systems and hardware, they said. 

Sobig is the latest generation of a mass-mailing viral
program that system administrators and virus experts have
seen before. The current version reappeared earlier this
week even as computer users and system administrators were
still trying to eradicate the Blaster worm, which began its
rampage through the world's computer networks earlier this

Computer security experts said Blaster and Sobig were not
related. Sobig, Mr. Ullrich said, is ``just another pain in
the neck for system administrators to deal with.'' 






Copyright 2003 The New York Times Company

More information about the FoRK mailing list