Security threats Toolkit

ISPs told to help eradicate Sober

Tags:
Sober

Tom Espiner ZDNet.co.uk

Published: 09 Jan 2006 14:40 GMT

ISPs were urged on Monday to check their user traffic patterns to locate and shut down machines infected with the mass-mailing Sober worm.

Although Sober is no longer trying to replicate, antivirus company F-Secure believes ISPs must warn infected customers so they can disinfect themselves.

Infected PCs had been programmed to download new instructions from the Internet last week, which would have heralded another attack. As previously reported, this update did not actually appear online, but infected machines are still trying to download it.

"ISPs: we urge you to check your user traffic patterns. Locate the users that produce an unlikely large amount of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. Contact these users and let them know they are likely to be infected with Sober and they should clean up their act," F-Secure said on its blog.

Computers infected by Sober are likely to contain spyware, or could have been turned into zombie PCs and used to send spam or launch denial-of-service attacks. They could also download a Sober update in the future, sparking another mass-mailing attack.

F-Secure said ISPs should let customers know they have been infected automatically, and redirect users to sites so they can disinfect their machines.

"Most affected computers belong to home users, who have no idea they've been infected. ISPs are in the best position to distinguish infected users." Mikko Hyppönen, director of antivirus research at F-Secure, told ZDNet UK.

"Service providers can automatically shut down a user connection, and specify that to get back online users have to follow certain steps, for example, by visiting the Microsoft site for the latest updates. ISPs can automatically shut down what they want, and can still connect users to Microsoft," said Hyppönen.

ISPs have an economic motive to overcome reluctance to inform users that their machines have been compromised, Hyppönen argued.

"It might be hard for ISPs to find the motivation to do it, because it's a lot of work and a thankless job as no-one wants to hear they are infected. However, ISPs are losing money because of the huge amounts of traffic generated by infected machines," Hyppönen said.

But AOL UK said it would not be contacting users, as it put more emphasis on prevention of infection through email filtering, and blocking links to certain Web sites. Users who had been infected had access to McAfee antivirus services, AOL UK said.

"We have on occasion made outbound contact with members in specific situations, such as the Mydoom worm, but have no plans to do so in this instance as we focus our efforts on prevention," said Jonathan Lambeth, director of communications for AOL UK.

"Our anti-spam systems, which block more than 1.5 billion spam emails each day, block a large number of emails containing links to the Sober virus in the first place. Links are default-disabled on emails within AOL to prevent casual clicking on rogue links, requiring a more positive action to click through, although this setting can be switched off if the user prefers," Lambeth added.