The Magnitude of the German Spam Problem
Written by bigboi   
Wednesday, 18 May 2005
Hi there folks.  It's me again with another journal from the field.  Why do these things always involve email and viruses?  If you thought my last article was interesting check this one out.  My German neo-nazi spam experience will boggle your mind, and I've included links to some helpful regex that you can use to help in your own battle against this recent scourge. 

Anyway, you can check out all my postings here at GeekE or over at www.smoothsailingit.com.

As you have all read by now the Sober worm I have written about has mutated to a new variant. Before I wrote about Worm.Sober.P, and antivirus companies have dubbed this new version Worm.Sober.Q. Very creative. The new version actually behaves in a very different way, and I would like to do a quick comparison of the two.

When Worm.Sober.P infected a computer it would attempt to mail itself out. It would harvest addresses on the infected host to send itself to. It did not simply send itself to every address it found on the infected machine: if it found an address at a domain (say, acme.com) it would also send emails to a list of random addresses @acme.com. This is what I saw in the logs I went through during our Sober.P flood last week. Our spam firewall is configured to look up any RCPT TO addresses in Active Directory via an LDAP query, and if the address does not exist the email is dropped before the DATA command is even issued. This keeps our spam filter busy, but it means our internal mail server never sees any of those messages.

According to the SANS ISC, machines infected with Worm.Sober.P downloaded new capability at some point and have now mutated into what antivirus companies are dubbing Worm.Sober.Q. Sober.Q will use the same random attack on domains it finds on infected hosts, but it does not send itself to those addresses. Instead it is sending German language political propaganda. I strongly urge you to visit that SANS ISC link because it includes some regex you can add to your spam filters that support regex. This will make sure that even if the emails are going to valid users in your organization they are still being blocked.

Now for the personal part of the story you aren't reading on wired.com or eweek.com or wherever else. Last time I posted about the staggering flood of Sober.P emails I was receiving. Well, prepare to have your mind boggled. Again, our normal daily email traffic is as follows. We usually receive 2900 emails a day and only 1000 of those are valid emails. Over the course of the past 15 days in which Sober.P has been making waves we received 86,219 emails and only 14,037 of those made it through to our internal mail server. So when you account for the weekends we are seeing roughly 6000 emails per day and 1000 of those make it through to our internal mail server. The high water mark of Sober.P saw 21,812 emails hit our spam filter.

Yesterday we were literally blown out of the water by 165,000 incoming emails. Nearly 160,000 of them arrived between 11am and 1pm, and there was so much traffic we actually noticed a slowdown in internet connectivity with points where the line dropped completely for a second. Given that we saw attacks surge during the same time periods on subsequent days with Sober.P, I will be busy over the course of the next hour trying to determine which IP addresses to blacklist completely on the firewall. This way we can reject the connections before they even get started instead of waiting for our spam filter to reject them. If I can get a good list together I may also see if our ISP can block the hosts on their end from ever getting traffic onto our T1.
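As an added illustration of the triage step described above (example code, not part of the original post or the author's firewall), this script tallies rejected connections per hour from a few constructed log lines in an assumed "date time source-ip action" format, then lists the source IPs that were rejected repeatedly inside the surge window while never delivering a legitimate message, so a firewall block is unlikely to cut off real mail.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines; the format is an assumption for this example,
# not the layout of any real spam-firewall log.
SAMPLE_LOG = """\
2005-05-17 10:58:01 198.51.100.7 reject
2005-05-17 11:02:14 203.0.113.5 reject
2005-05-17 11:02:15 203.0.113.5 reject
2005-05-17 11:02:16 203.0.113.5 reject
2005-05-17 11:05:40 198.51.100.7 accept
2005-05-17 11:30:09 192.0.2.44 reject
2005-05-17 12:10:22 203.0.113.5 reject
2005-05-17 12:11:03 192.0.2.44 reject
2005-05-17 12:11:04 192.0.2.44 reject
2005-05-17 13:15:00 203.0.113.5 reject
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) (accept|reject)$")


def parse(log_text):
    """Yield (timestamp, ip, action) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def rejects_by_hour(log_text):
    """Hour-of-day -> number of rejected connections, to locate the surge window."""
    counts = Counter(ts.hour for ts, _ip, action in parse(log_text) if action == "reject")
    return dict(counts)


def blacklist_candidates(log_text, start_hour, end_hour, min_rejects, max_accepts=0):
    """IPs rejected at least min_rejects times in [start_hour, end_hour) that
    delivered no more than max_accepts accepted messages in the same window."""
    rejects, accepts = Counter(), Counter()
    for ts, ip, action in parse(log_text):
        if start_hour <= ts.hour < end_hour:
            (rejects if action == "reject" else accepts)[ip] += 1
    return sorted(ip for ip, n in rejects.items()
                  if n >= min_rejects and accepts[ip] <= max_accepts)


if __name__ == "__main__":
    print(rejects_by_hour(SAMPLE_LOG))
    print(blacklist_candidates(SAMPLE_LOG, 11, 13, min_rejects=3))
```

Review the candidate list by hand before blocking: the accept counter is there precisely so that a host that also sends wanted mail (198.51.100.7 in the sample) is not blacklisted.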

I suggest everyone else get busy with those regex, man the logs, and prepare for a repeat of yesterday. I'd hate to think tomorrow I'll be writing a follow-up in which our 165,000 emails seem like a drop in the bucket. The fact of the matter is that I've already seen 4000 emails come in and it's 10am. We are also seeing roughly the same hourly traffic that came through yesterday throughout the morning. Stay safe out there people.

Last Updated ( Wednesday, 18 May 2005 )
(C) 2008 GeekExtreme - Tech News & Reviews