Sober Strikes Again, IE Flaw Dubbed ‘Extremely Critical’

One e-mail worm and one browser flaw have security researchers paying close attention to Internet activities: Sober is back on the loose and Microsoft’s Internet Explorer has yet another “extremely critical” flaw — one that was initially thought to be fairly harmless.

The Federal Bureau of Investigation has issued a warning about a bogus e-mail from hackers attempting to spread the Sober worm.

The e-mail appears to be sent from the FBI, claiming it has collected information proving that the user has visited illegal Web sites. The e-mail then instructs the recipient to answer a list of questions, which requires them to download a file. Once the file is downloaded, it infects the user’s computer with the latest Sober variant.

Dangerous Virus

SophosLabs said its data show the Sober variant is the most prevalent virus spreading across the world. If the attached file is run, the worm scans the user’s hard drive for other e-mail addresses in its search for other computers to infect.

“This variant of the Sober worm may catch out the unwary as they open their e-mail inbox this morning,” said Graham Cluley, senior technology consultant at Sophos. “Every law-abiding citizen wants to help the police with their inquiries, and some will panic that they might be being falsely accused of visiting illegal Web sites and want to click on the unsolicited e-mail attachment. All users should be reminded to follow safe computing guidelines, and PCs should be kept automatically updated with the latest anti-virus protection.”

In a statement, the FBI has urged users who receive the viral e-mails to report them to the Internet Crime Complaint Center.

Seasonal Sober?

Ken Dunham, senior engineer at threat intelligence firm iDefense, a VeriSign company based in Reston, Va., told TechNewsWorld that several million copies of the Sober variant have been seeded in the wild. But, he stressed, seeding is different than infecting.

“We’ve seen through this year there have been periods of activity where Sober has really ramped up,” Dunham said. “We saw this back in the spring and now we see in October or November there are relative increases in activities. In this case, there are formerly infected computers used to spam out millions of copies of this fake e-mail.”

Dunham said it is interesting to note that authorities had predicted a new Sober, and they were right. That, he said, is because there is an ongoing law enforcement investigation that is actively monitoring the perpetrators. But the perpetrators might not look the way we think.

“The average age of the attacker has expanded. It’s not just a bunch of teenagers anymore. It’s up to 30-year-olds,” Dunham said. “The profile of the hacker has changed in the age range and capabilities.”

Microsoft Flaw Makes Headlines

In other security news, Secunia has discovered a vulnerability in Internet Explorer versions 5.5 and 6.x that can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused by certain objects not being initialized correctly when the “window()” function is used in conjunction with the “” event.

This can be exploited to execute arbitrary code on a vulnerable browser via some specially crafted JavaScript code called directly when a site has been loaded. Successful exploitation requires that a user is tricked into visiting a malicious Web site.

Out of Cycle Patch?

Microsoft was previously made aware that there was a security issue that could cause the browser to crash, but only recently discovered the vulnerability has the potential to execute arbitrary code. Still, Dunham points out that an exploit requires user interaction to be successful.

“This is one of those out of cycle instances that gets everybody concerned,” Dunham said. “But someone would have to go to a hostile Web site if they were going to be lured into receiving executable code onto their computer.”
