
Computer virus spreads Neo-Nazi Propaganda

This topic is archived.
Ian David Donating Member (1000+ posts) Wed May-18-05 06:22 AM
Original message
Computer virus spreads Neo-Nazi Propaganda
New Sober Trojan Spewing Hate Spam
May 16, 2005
By Gregg Keizer
TechWeb News

<snip>

"It's not a worm," said Sam Masiello, the director of threat management for Denver-based MX Logic. "There's no binary attachment. Machines infected by Sober.p are downloading the code that's necessary to execute this most recent Trojan." PCs compromised by Sober.p were left with an open backdoor, through which the attacker sent the Trojan, Sober.q.
http://www.techweb.com/wire/security/162101079

The Trojan then set up the machine as a spam relay, and began spewing a slew of different messages, all of which had a "political edge," said Dominic Wild, an analyst with Sophos' Vancouver, Canada, office.
http://www.techweb.com/encyclopedia/defineterm.jhtml?term=trojan+horse&x=15&y=9&_requestid=182899
http://www.techweb.com/encyclopedia/defineterm.jhtml?term=spam+relay

The messages, which can come with either German or English subject headings and text, include links that point to German Web sites, among them the right-wing National Democratic Party (in German, Nationaldemokratische Partei Deutschlands, or NPD), which in the past has called the Allied bombing of Dresden in 1945 "mass murder" and a "Holocaust of bombs."

Political spam, although rare, is not unknown. During the summer of 2004, in fact, a similar one-two punch of Sober.g and Sober.h delivered German political messages. Sober.g, like 2005's Sober.p, was the worm that seeded the ground with a host of compromised machines, which Sober.h, like this week's Sober.q, used as spam spreaders.

<snip>

But while Sober.q might be, as MX Logic's Masiello called it, a "dead end," the network of Sober.p-infected PCs is not. "Authors of Sober.p could possibly elicit remote command-and-control over a large network of infected machines," said Masiello. Like any bot network (or botnet), the collection could be used in the future to deliver more spam or more worms, or as the launch pad for a massive denial-of-service (DoS) attack.
http://www.techweb.com/encyclopedia/defineterm.jhtml?term=botnet


More:
http://www.informationweek.com/story/showArticle.jhtml?articleID=163104159



Also:

Sober.Q worm detected - will a new major outbreak follow?
Posted on Saturday, May 14 2005 @ 21:52:36 CEST by LSDsmurf

<snip>

This is possible because Sober.P has built-in functionality to connect to websites to download and update its code. This is dangerous because it opens a wide range of possibilities for the virus author, like launching a major spam campaign or a DDoS attack.

The new Sober.Q worm hasn't begun spreading yet, possibly because the author wants to wait until enough computers have been infected by the Sober.Q variant.

Sober.Q includes a German message in which the author refers to some online articles which called him a spammer. He says he is not a spammer, but might turn into one.

Last Monday Sober.P accounted for 40 percent of all virus activity on the internet according to F-Secure, but rival Sophos reports that Sober.P was responsible for 84 percent of all virus traffic on Monday.

More:
http://www.dvhardware.net/article4946.html


Also:
Update: Sober.Q became active on Sunday morning.
Sober.Q worm starts mass spamming

Posted on Sunday, May 15 2005 @ 12:19:50 CEST by LSDsmurf

Yesterday we reported computers infected with Sober.P were updating to Sober.Q, this is possible because the Sober.P worm can connect to websites to download new code and execute it. The original Sober.P worm was quite active on the internet until Tuesday, it tricked users into believing they had won a ticket to the 2006 World Cup in Germany but other variants were also spreading on the web.

But suddenly on Tuesday the worm stopped spreading, security experts were amazed but they soon discovered that the worm was 'upgrading' itself on infected systems to Sober.Q. On Saturday Sober.Q wasn't active yet but today anti-virus firm Kaspersky reports Sober.Q has become active. The worm doesn't spread itself but sends out huge loads of spam messages that link to right winged articles.

I have received quite a few of these Sober.Q e-mails myself. They are either in German or English and they ask the recipient to follow a link to read an article on a website. Up till now computers infected with Sober.Q solely spread these spam messages, they do not spread the worm (yet).

One of the e-mails I received was about the Dresden bombing at the end of the second World War and linked to Spiegel.de. Most linked articles appear to be political and quite right-wing. In a way we're seeing the same story as with Sober.G a year ago. Sober.G downloaded Sober.H and Sober.H in turn sent out enormous amounts of racist spam in June 2004.

Last year the Netherlands were completely flooded by e-mails generated by Sober.H, judging from the numbers that Sober.P generated just before it stopped spreading it probably won't be that much different this time.

More:
http://www.dvhardware.net/article4950.html


Also:

Wednesday 18th May 2005 11:26AM
Sober worm mutates to spread neo-Nazi propaganda
German neo-Nazis have begun sending spam emails to entice the unsuspecting to racist websites.


Over the weekend a version of the Sober worm (Sober.Q) dispatched emails to millions of computer users - the quantity has been described as 'staggering' - with subject lines, in German, such as 'Multicultural = multicriminal'. The emails contain links to German-language sites.

<snip>

"Some users have reported mini Denial of Service attacks due to the German spam involving the email based text messaging on cell phone and blackberry devices. Others have seen large amounts of bounced email as the virus forges the from address of email it sends out," he added on the ISC website.

<snip>

The attacks coincide with the 60th anniversary of the end of the Second World War and with elections in Germany. UK anti-racism magazine Searchlight notes that more than 7,000 members of the far-right NPD recently marched in Dresden to 'commemorate' the bombing of the city in 1945. Searchlight said the march 'bore a stunning and shocking resemblance to a parade by the brown-shirted SA before 1933'.

More:
http://www.pcpro.co.uk/news/72954/sober-worm-mutates-to-spread-neonazi-propaganda.html


See related thread:
http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=102&topic_id=1479004#1481311
