Out-Law / Your Daily Need-To-Know

World Cup virus sends right-wing spam

Out-Law News | 17 May 2005 | 2:43 pm | 1 min. read

A computer virus that came with an e-mail telling victims they had won a ticket to the World Cup has given hackers remote access to those machines, turning them into spam engines that have already generated millions of German right-wing e-mail messages.

The spam attack, first detected on Saturday, is continuing.

"This latest attack by the Sober author is comparatively sophisticated and has obviously been well planned," said Stephen White, Head of Anti-Spam Technical Operations within security firm MessageLabs.

"It appears that previously unexploited networks of machines infected with earlier incarnations [Sober P, aka N,O,S,Q,V] of the Sober worm have been remotely commanded to download this latest variant – Sober Q – in order to spam out huge volumes, while at the same time circumventing spam filters for as long as possible."

Sober P hit the headlines earlier this month, when the mass mailing worm proved to be very successful in luring victims to open its attachments.

Some of the messages were sent in English, referring to passwords, mailing errors and registration confirmations, but others were written in German and offered tickets to the World Cup – an offer that many found too attractive to resist.

Once installed in a machine, the worm simply mailed itself to addresses harvested from the hard drive. However, the worm has now shown itself to have another purpose, allowing hackers to set up a bot network – a network of infected computers that can be remotely exploited to forward junk e-mail and viruses without the knowledge of the PC user.

According to MessageLabs, the spam attack e-mails, which are mostly in German, use approximately 72 varying subject lines. Each e-mail contains a single URL directing recipients to a range of legitimate on-line articles in reputable German newspapers and magazines promoting political messages with right-wing tendencies. Others have also been found to contain URLs that link to articles on previous Sober outbreaks.

"Almost all of the spam e-mails have been sent from otherwise clean IP addresses and will have gone largely undetected by spam filters not deploying proactive detection techniques for unknown sources of spam," explained Stephen White.

The subject of the messages marks a twist in the evolution of spam, which until now has been used to advertise such things as porn, get-rich-quick schemes and pharmaceuticals. Propaganda spam, as in this campaign, is a relatively new phenomenon.

According to reports, the timing of the attack may be related to regional elections that are due to take place in North Rhine-Westphalia on 22nd May. It may also be influenced by the recent celebrations to mark the 60th anniversary of the ending of the Second World War.
