Expert analysis of last week’s avalanche of hate-mail spam shows that a new Trojan Horse, Sober.H, caused it.
Anti-virus and security cognoscente Nick FitzGerald says “it is generally thought a network of machines already compromised by the Sober.G virus (and possibly earlier variants) may have been used to install the Sober.H Trojan which then sent the spam.”
FitzGerald says Sober.G is an email worm that opens a backdoor on infected machines, which can then be used for a variety of remotely exploitable functions.
However, Sober.H is not a worm or a virus, but “simply a spambot Trojan,” FitzGerald adds. All the hate-mail messages are contained in the main executable of Sober.H, which takes specific measures to disable other Sober variants. FitzGerald sayshe likely reason for this was that the author, after having piggy-backed his malware on the others, didn’t want them to compete with Sober.H for bandwidth when mailing out the hate-mail messages.
As for possible counter-measures, FitzGerald sayshat “realistically, this is the kind of case where no matter how quickly or slowly AV companies get updates out, it will make no difference. If Sober.H was only installed on machines already compromised by earlier Sober variants, thenby definition the spam is coming from machines without up-to-date antivirus.”
Echoing the sentiments of Microsoft New Zealand’s platform strategy Brett Roberts, FitzGerald says the owners of such machines “simply don’t care” about protecting their systems – until perhaps they get their monthly ISP bill with a massive excess data charge.
Mail administrators at New Zealand ISPs using the Open Source Spam Assassin filtering application reported that a rule constructed by Orcon’s Craig Whitmore successfully stopped the majority of Sober.H spam.
Read more about Sober.H or Ascetic.A here: