
Don't fear the Sober, just prepare for it

Tom Espiner ZDNet.co.uk

Published: 12 Dec 2005 13:25 GMT


Security administrators need not worry about the effects of the predicted Sober attack on 5 January, as long as they take precautions and strip infections from their systems, security experts said on Friday.

The impact of the upcoming attack can be mitigated by rooting out the problem at source, according to McAfee.

Because a machine needs to be already infected with a variant of the virus for the update to take effect, machines can be prevented from downloading the updated virus by having the current version removed before 5 January.

"For an attack to proceed, a machine needs to be infected with existing variants. Administrators can scan and clean machines and remove Sober before 5 January. The effects can be mitigated by updating antivirus software, and scanning for normal versions of the variant," said Greg Day, security analyst at McAfee. "Best case scenario, the impact will be small," he said.

McAfee said that administrators had a relatively large time frame in which to scan machines. "We have quite a large time frame to deal with the existing part of the problem — administrators have nearly a month to update their systems."

However, McAfee warned that systems professionals should not underestimate the scale of the problem, and should be aware of the potential strain on their mail servers when the virus update is released.

"The worst case scenario is that machines aren't checked, and they pull down code that is executed on the machines. If machines are infected on your network they're going to be pulling the attack from the outside in," said Day. "Organisations may suffer some instances from outside the business."

Finnish antivirus company F-Secure also underlined the scale of the problem.

"Sober.Y was the biggest email outbreak of the year. It is still responsible for around 40 percent of all the infections we see," said the company in a blog posting.

Security research company iDefense warned of increased strain on mail servers as traffic increases due to compromised machines trying to mail out the virus update.

"Even the latest set of attacks had a reported effect on email servers. As widespread as this worm has become, the outbreak could have an even greater impact on network traffic around the globe," said Jason Greenwood, senior product marketing manager, iDefense.

Once the network has been scanned and, if necessary, cleaned, iDefense recommended filtering mail to lessen the impact of the predicted attack.

"Filtering email at the border gateway, especially if several antivirus engines can be used concurrently, is a great way to minimise the number of samples that can enter the enterprise. This method has been extremely effective until now. Also stripping most known malicious attachments from emails will ensure that no sample can make it beyond the network perimeter."
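The attachment stripping recommended above can be sketched as a gateway-side filter. This is an added example, not code from the article or from iDefense; the extension blocklist, function names and sample file names are assumptions, and it goes slightly beyond the quote by also checking the member names inside ZIP attachments.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for illustration; a real gateway policy would be broader.
BLOCKED_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs")

def is_blocked(name):
    # Normalise case and trailing dots/spaces so "a.EXE." is still caught.
    return (name or "").lower().rstrip(". ").endswith(BLOCKED_EXT)

def zip_is_blocked(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(is_blocked(n) for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: fail closed

def strip_attachments(raw):
    """Return (cleaned message bytes, list of removed attachment names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        data = part.get_payload(decode=True) or b""
        is_zip = name.lower().endswith(".zip")
        if is_blocked(name) or (is_zip and zip_is_blocked(data)):
            removed.append(name)
            part.clear()  # drop headers and payload, leave a notice instead
            part.set_content(f"[attachment {name} removed by gateway policy]\n")
    return msg.as_bytes(), removed

def make_zip(member):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder bytes")
    return buf.getvalue()

def sample_message():
    # Constructed sample: one harmless file, one blocked name, two archives.
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    files = {"notes.txt": b"hello", "photo.pif": b"placeholder",
             "docs.zip": make_zip("report.exe"), "clean.zip": make_zip("report.txt")}
    for name, data in files.items():
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m
```

Replacing a stripped part with a short text notice, rather than deleting it silently, lets the recipient see that something was removed and gives the help desk a string to search for.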

McAfee said security vendors and professionals should be able to take the upcoming attack in their stride.

"We've seen so many Sober variants, it's like any other day. This has a broader visibility date, but it's not a new scary problem. We're very effective at dealing with it," said Day.
