YOU ARE HERE: LAT HomeCollections


Infected PCs Await Orders From Hacker

August 22, 2003|Joseph Menn and David Streitfeld | Times Staff Writers

One of the fastest-spreading e-mail viruses ever is threatening to discombobulate computers around the world today, when hundreds of thousands of infected PCs could be commandeered to send spam, delete data or inflict other unpleasantness.

The virus, dubbed SoBig.F, has programmed the computers it has infected to automatically download potentially malicious instructions from a machine thought to be controlled by the person who wrote the virus, computer security experts said.

So far, SoBig has done little if any permanent damage. But it has caused plenty of aggravation by filling e-mail in-boxes and clogging networks, even at companies whose employees know better than to open e-mail attachments they didn't request. SoBig spreads through attachments, just as the Melissa and ILoveYou viruses did in the past. It is the third widespread infection of computer networks this month.

Unlike its predecessors, SoBig has become more sophisticated in successive versions since its discovery in January. It is one of the first to install a "back door" to allow additional manipulation by hackers.

"Traditionally, viruses only propagated copies of themselves," said John R. Levine, author of "The Internet for Dummies." "It's a fairly recent development -- over the past few months -- that we're seeing viruses that leave a trap door so bad guys can come in later and install more hostile software."

Computer security experts scrambled Thursday to analyze SoBig so they could stop the hacker's designated server computer from giving new instructions to infected personal computers. The PCs are scheduled to rendezvous with the server at noon today, Pacific time. Another contact is supposed to take place Sunday.

By analyzing the virus, the experts know the server's numeric Internet address but not its physical location or the identity of its owner. As a result, it was not clear whether law enforcement officials would be able to tap into or interfere with the communication between infected PCs and the server computer. A spokesman for the Department of Homeland Security said only that officials were monitoring the spread of the virus.

SoBig -- presumably named for the effect it was designed to have on computer networks -- is triggered when a user tries to open the attachment, allowing the program to write itself into the start-up sequence of a machine running one of many editions of Microsoft Corp.'s Windows operating system.

The virus seeks out e-mail addresses stored on the PC and selects some of them to be its next targets. The virus also picks out addresses to use as fake return addresses. That way, when messages are undeliverable, they bounce back to innocent parties and clog up their in-boxes too.

Just one infection at a big company can prompt thousands of outgoing messages, only one of which must be opened for the infection rate to hold steady. SoBig ranks among the fastest-spreading viruses to date, though previous viruses have infected far more computers.

Internet users were flooded this week with infected e-mails generated by SoBig. EarthLink Inc., one of the biggest providers of residential Internet access, said Thursday that it was deleting hundreds of infected messages a second.

The attack arrived as companies were struggling to contain the effects of earlier viruses and worms. CSX Corp., the railroad giant, said the Blaster worm infected its signaling and dispatching systems early Wednesday morning. All of CSX's rail service was halted for two hours, and morning commuter service in Washington was canceled.

Freight customers were still experiencing delays Thursday night, CSX spokesman Adam Hollingsworth said. "We're having to use manual processes instead of automated ones," he said.

Yet another virus, Nachi, hit Air Canada this week, forcing ticket-counter agents to check in clients manually.

In general, security firms said big companies, because they tend to have firewalls and up-to-date anti-virus software, were better equipped than small firms and consumers to handle viruses like SoBig.

Computer experts spent Thursday debating what the SoBig author's next instructions are likely to be. One leading theory is that the update will turn infected machines into generators of unwanted commercial e-mail, known as spam.

"It's almost like someone breaking into your home and then using your phone to do telemarketing," said Ian Hameroff, chief security strategist for Computer Associates International Inc., one of the world's biggest software companies.

Other possibilities are that the virus will turn destructive, wiping out data stored on compromised PCs. It also could launch a so-called denial-of-service attack on major Web sites, overwhelming them with meaningless requests for information.

"At any given point, [the author] can update the virus and make it more destructive," said Joe Hartmann, a research executive at computer security firm Trend Micro Inc.

Los Angeles Times Articles