(The following article by Jason Gertzen was posted on the Milwaukee Journal Sentinel website on August 21.)

MILWAUKEE, Wisc. — Malignant computer viruses halted CSX Transportation trains and slammed corporate and government e-mail networks across the country Wednesday as security experts scrambled to respond to the second major cyber attack in as many weeks.

CSX stopped its passenger and freight trains, including morning commuter service in the metropolitan Washington, D.C., area, after an unidentified computer virus overwhelmed its telecommunications network.

The University of Wisconsin-Madison reported serious problems after an e-mail virus infected more than 2,000 computers and generated millions of system-slowing messages.

The most prevalent computer virus, known as Sobig.F or Sobig, was called the fastest-growing virus ever by MessageLabs Inc., a New York-based e-mail security and filtering company.

Tuesday “marked an unprecedented new level in virus propagation and demonstrated the growing ability of virus writers to disrupt business around the globe,” Mark Sunner, chief technology officer at MessageLabs, said in a statement.

The Sobig virus slipped through the defenses at the UW-Madison computer system even though the campus’ information technology team added updated filtering software about as soon as it was available, said Annie Stunden, chief information officer.

“It came in so rapidly,” Stunden said. “E-mail in-boxes were a mess. E-mail slowed down.”

Sobig spreads as an attachment to e-mail messages aimed at PCs running the Microsoft Corp. Windows operating system; the attachment must be opened to infect the machine. An infected PC then becomes a relayer of more Sobig e-mails, creating the potential for exponential propagation over the Internet. The message arrives with one of at least nine possible subject lines, including “Thank You!,” “Re: Approved,” and “Re: Wicked screensaver.”

Just last week, PCs nationwide were crippled by the Blaster worm, which spread directly over the network without any e-mail and forced Windows-based PCs to repeatedly shut down. Blaster was considered the worst cyber assault to date, but Sobig was on track Wednesday to do even more damage.

The new files needed to block the latest Sobig virus were available at 7:30 a.m. Tuesday and were installed quickly at UW-Madison, Stunden said. Sobig attacked the campus at least two hours earlier. The damage had been done.

E-mail traffic on the 60,000 computers at the Madison campus totals about 1 million messages on a typical day. The worm caused a surge of more than 10 million Wednesday.

“We were removing 30,000 bad e-mails an hour,” said Jeff Savoy, an information security officer.

The Milwaukee Journal Sentinel was among the corporations victimized by the virus.

E-mail’s ‘From’ line faked

Sobig disguises the true sender of the e-mail. The “From” line on the e-mail is faked in a way that can make it appear as if the e-mail were sent from someone the recipient knows.

When the computer program contained in the e-mail is activated, it harvests e-mail addresses from the infected machine and mails copies of itself to those addresses. Some security experts determined that Sobig also made computers vulnerable to additional attacks and attempted to download files from the Internet.

Variations of the Sobig virus have been around since at least January. The latest version is more powerful, however, because it is sending many messages to each address listed in a computerized list of contacts, said Jimmy Kuo, a computer security expert with Network Associates Inc. in Los Angeles.

“We are getting deluged with this virus,” Kuo said.

The virus did not appear to be destroying data or causing other lasting harm to the machines and networks it infected.

The disruption it caused, however, should not be dismissed.

“The damage is going to be much more in terms of lost productivity,” Kuo said. “When you have to stare at a mailbox and go, ‘Wow. There are so many virus e-mails, and I have to delete them all.’ ”

Many corporations had layers of defenses that allowed them to block or limit infections. At least three times as many home computer users as businesses were infected, Kuo said.

“It is because home users do not have a good filtering mechanism,” he said.

Infection hard to fight

The fact that the virus was able to so readily use fake, or spoofed, sender addresses made it more difficult to fight the infection.

When people receive e-mail infected with other viruses, they can notify the sender or the sender’s company of the problem.

“With a forged address, the wrong person is being notified of such things,” Kuo said. “The person who is being infected is never notified.”
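The two points above, a message that is only recognizable by its subject line plus executable attachment and a “From” line that cannot be used to find the infected machine, can be illustrated with a small triage script. This is an added example, not code from the article or from any vendor quoted in it: the three subject lines are the ones the article lists, the executable extensions, the host names, the IP addresses and the sample messages are constructed for the example, and the attachment name is hypothetical. The script flags Sobig-style messages and reports the connecting host recorded by the receiving mail server instead of the forged sender.

```python
"""Triage of Sobig-style mass-mailer messages (added example).

A message is flagged when its subject is one of the lines the article
attributes to Sobig.F AND it carries an executable attachment. Because the
From: line is forged, the infected machine is identified from the Received:
header written by our own mail server, which records the IP that actually
connected to deliver the message.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lines named in the article.
SOBIG_SUBJECTS = {"Thank You!", "Re: Approved", "Re: Wicked screensaver"}

# Attachment extensions treated as executable (assumption for this example).
EXEC_EXTENSIONS = (".pif", ".scr", ".exe")

# IPv4 literal in square brackets, as MTAs write it in Received: headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def has_executable_attachment(msg):
    """True if any MIME part carries a filename with an executable extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXTENSIONS):
            return True
    return False


def looks_like_sobig(msg):
    """Both criteria must hold; a matching subject alone is not enough."""
    subject = msg.get("Subject", "").strip()
    return subject in SOBIG_SUBJECTS and has_executable_attachment(msg)


def originating_ip(msg):
    """IP of the host that delivered the message to us.

    Each relay prepends its own Received: header, so the topmost one was
    written by the last hop (our own server) and can be trusted. Headers
    further down may have been forged by the sender, just like From:.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def triage(raw_message):
    """Return the forged sender and the real connecting host for a raw message."""
    msg = message_from_string(raw_message)
    return {
        "sobig": looks_like_sobig(msg),
        "claimed_sender": parseaddr(msg.get("From", ""))[1],
        "originating_ip": originating_ip(msg),
    }


# Constructed sample: forged From:, Sobig subject, executable attachment.
SAMPLE_INFECTED = """\
Received: from alice-pc.example.org ([192.0.2.45]) by mx.example.edu with SMTP; Wed, 20 Aug 2003 05:12:03 -0500
From: "Bob Jones" <bob@example.com>
To: carol@example.edu
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See the attached file for details.
--XYZ
Content-Type: application/octet-stream; name="screensaver.scr"
Content-Disposition: attachment; filename="screensaver.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Constructed sample: same subject line, but a plain reply with no attachment.
SAMPLE_BENIGN = """\
Received: from mail.example.com ([198.51.100.7]) by mx.example.edu with ESMTP; Wed, 20 Aug 2003 05:14:00 -0500
From: "Bob Jones" <bob@example.com>
To: carol@example.edu
Subject: Re: Approved
Content-Type: text/plain

Looks good, go ahead.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INFECTED, SAMPLE_BENIGN):
        print(triage(raw))
```

Notifying `bob@example.com` would be pointless here; the host worth contacting is the one at 192.0.2.45, which only the server's own Received: header reveals. The benign sample shows why the subject line by itself is not a usable filter: a legitimate “Re: Approved” reply must pass.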

Even companies that were protected by anti-virus software felt the pain of the Sobig attack. The programs deleted the virus attachment, but the e-mails still clogged in-boxes.

“It is a nasty kind of thing,” said Don Muehlbauer, chief executive officer of techWorks, a Wauwatosa computer services firm. “There is not much you can do about it. The anti-virus software is picking it up, but it still generates all the e-mails.”

The virus at least doubled the volume of e-mail coming to his company’s system.

“It definitely is putting a big load on the servers,” Muehlbauer said.

This latest attack comes after a recent flurry of other viruses and worms that have left computer network administrators across the country harried. Last week the Blaster worm spread rapidly. Even before Sobig arrived, computer technicians were troubled by another worm called Welchia or Nachi.

“One after another, after another,” Kuo said. “If another comes in the next few days, it is going to be a very stressful job.”

Defense teams challenged

The software teams constantly scanning e-mail systems for new viruses so they can create defenses also are going to be increasingly challenged.

“The bad guys are getting smarter,” said Marty Lindner, a computer security expert at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

The latest Sobig variation has been designed to make it more difficult for anti-virus software to detect it. It also is among a new class of viruses that seem to spread more rapidly than older versions.

The events of the past couple weeks are sure to tighten the security practices of many computer users.

“There are companies that were hit by Blaster that very clearly are going to change the way they do business now,” Lindner said. “They have lost money.”