[ISN] ISPs told to help eradicate Sober

InfoSec News isn at c4i.org
Tue Jan 10 01:34:05 EST 2006


http://news.zdnet.co.uk/0,39020330,39246203,00.htm

Tom Espiner
ZDNet UK
January 09, 2006

Infected PCs should be cut off from the Internet by their service
providers, say some; AOL says it prefers to focus on prevention

ISPs were urged on Monday to check their user traffic patterns to
locate and shut down machines infected with the mass-mailing Sober
worm.

Although Sober is no longer trying to replicate, antivirus company
F-Secure believes ISPs must warn infected customers so they can
disinfect themselves.

Infected PCs had been programmed to download new instructions from the
Internet last week, which would have heralded another attack. As
previously reported, this update did not actually appear online, but
infected machines are still trying to download it.

"ISPs: we urge you to check your user traffic patterns. Locate the
users that produce an unlikely large amount of constant hits to
people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and
home.arcor.de. Contact these users and let them know they are likely
to be infected with Sober and they should clean up their act,"  
F-Secure said on its blog.

Computers infected by Sober are likely to contain spyware, or could
have been turned into zombie PCs and used to send spam or launch
denial-of-service attacks. They could also download a Sober update in
the future, sparking another mass-mailing attack.

F-Secure said ISPs should let customers know they have been infected
automatically, and redirect users to sites so they can disinfect their
machines.

"Most affected computers belong to home users, who have no idea
they've been infected. ISPs are in the best position to distinguish
infected users." Mikko Hyppönen, director of antivirus research at
F-Secure, told ZDNet UK.

"Service providers can automatically shut down a user connection, and
specify that to get back online users have to follow certain steps,
for example, by visiting the Microsoft site for the latest updates.  
ISPs can automatically shut down what they want, and can still connect
users to Microsoft," said Hyppönen.

ISPs have an economic motive to overcome reluctance to inform users
that their machines have been compromised, Hyppönen argued.

"It might be hard for ISPs to find the motivation to do it, because
it's a lot of work and a thankless job as no-one wants to hear they
are infected. However, ISPs are losing money because of the huge
amounts of traffic generated by infected machines," Hyppönen said.

But AOL said it would not be contacting users, as it put more emphasis
on prevention of infection through email filtering, and blocking links
to certain Web sites. Users who had been infected had access to McAfee
antivirus services, AOL said.

"We have on occasion made outbound contact with members in specific
situations, such as the Mydoom worm, but have no plans to do so in
this instance as we focus our efforts on prevention," said Jonathan
Lambeth, director of communications for AOL UK.

"Our anti-spam systems, which block more than 1.5 billion spam emails
each day, block a large number of emails containing links to the Sober
virus in the first place. Links are default-disabled on emails within
AOL to prevent casual clicking on rogue links, requiring a more
positive action to click through, although this setting can be
switched off if the user prefers," Lambeth added.





More information about the ISN mailing list