Malware History: Sobig

Sobig, sometimes called Reteras, Palyh, or Mankx, was a computer worm: a malicious program that copies itself in order to propagate to new machines. Sobig is one of the most devastating malicious programs in existence. Reportedly, it caused damages worth over 35 billion US dollars.

First surfacing in 2003, Sobig immediately broke the distribution speed records of the time. It was one of the first pieces of malware to use a botnet in a real-world malicious campaign. Turning infected machines into sources of infected emails let the worm spread at a speed that security companies simply weren’t ready for.

As a result, data collected in 2018 ranks Sobig as the second-largest malware of its type by sheer volume of distribution. The only worm ahead of it is MyDoom.

What is the Sobig Worm? 

Sobig was first recorded in the wild in January 2003. At the time, it was known as the Sobig.A variant. In the months that followed, threat actors released new variants one by one, known as Sobig.B, Sobig.C, Sobig.D, Sobig.E, and Sobig.F. The last version became the most devastating one.

An interesting thing about Sobig is that it is not just a worm; it is also a Trojan. Sobig arrived in victims’ inboxes in emails with subject lines ranging from receipt details to a supposed message from a friend about a movie. Inside was a .pif attachment with a matching name. The actual text of the email usually read “See the attached file for details”: not the most sophisticated phishing attempt, but one that evidently worked more than well enough.

After all, people weren’t used to widespread email spam campaigns at all in 2003.

Despite so many variants, most of those released before Sobig.F didn’t cause that much harm. They distributed themselves to hardcoded email addresses and were equipped with a stopping mechanism: a timer that dictated when the worm would stop looking for new addresses and stop spreading.

On top of that, 2003 was a popular year for worms — a lot of these programs surfaced at that time and supposedly low-risk Sobig was even called “a nuisance” by one security company. 

All of that changed when the F variant came about. 

This time, the worm learned to scan hard drives of machines that it infected for email addresses. It could scan various types of files, which made it quite successful. This behavior allowed Sobig to send itself to the contacts of the victim and drastically increased its infection rate.

Interestingly, Sobig.F had a serious fault that didn’t allow the worm to propagate through local networks. But this handicap didn’t stop Sobig from becoming the fastest spreading worm of its time.

The aftermath of the attack was nothing short of disastrous. Among other victims, BBC machines were infected and Sobig gained access to a large list of email contacts, in particular a database of fans of the radio show “Archers”. Quite humorously, around the same time the show released an episode in which one of the characters was teaching how to use email.

On top of that, Sobig caused Air Canada to temporarily suspend flights and slowed down computer traffic. At one point, experts believed that the Sobig executable was carried in one of every 17 emails. One security company studied over 40 million emails and found Sobig in at least 50% of them.

The worm was spreading so fast that one person claimed to have received a little over one hundred emails in just one day and allegedly recorded a period when an infected email would arrive every 6 minutes.

Sobig malware technical details

Sobig first enters the machine of the victim as a malicious .pif file. Once the execution starts, the worm makes a copy of itself. Then, the malware creates a mutex to ensure that the machine is not already infected with another Sobig sample. After this, Sobig proceeds to create registry keys so that it can run when the system boots.

After this, Sobig sends a message to a hardcoded email address. The message reads “hello” and it’s presumably used by the attacker to count the number of infections.

At this point, the main malicious activity begins. Sobig propagates to all machines connected to the local network as well as to the roots of several hard drives on the initially infected PC. Then, it starts searching for possible email contacts in various file types. Once this process is complete, the worm sends a copy of itself to every contact found on the infected device.
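The lure the article describes (a .pif attachment plus the boilerplate body text) is something a mail gateway can check for before delivery. The Python below is an added example, not code from the article or from ANY.RUN; the sample messages, addresses and attachment bytes are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article: the .pif attachment and the one-line lure body.
LURE_BODY = "see the attached file for details"
RISKY_EXTENSION = ".pif"

def classify_message(raw: bytes) -> dict:
    """Return a verdict for one RFC 822 message plus the reasons that triggered it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSION):   # Sobig always arrived as a .pif file
            reasons.append("pif attachment: " + name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if LURE_BODY in text:                    # the boilerplate body the article quotes
        reasons.append("boilerplate lure body")
    return {"subject": str(msg["Subject"]),
            "verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons}

def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed sample mail (not real Sobig traffic) so the check runs offline."""
    msg = EmailMessage()
    msg["From"] = "friend@example.test"      # placeholder addresses
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Hypothetical payload bytes; only the file name matters to the check.
        msg.add_attachment(b"MZ\x90\x00 placeholder, not an executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()

SAMPLES = {
    "movie": build_sample("Re: Movie", "See the attached file for details", "movie0045.pif"),
    "receipt": build_sample("Your receipt", "Please see attached file.", "details.pif"),
    "benign": build_sample("Lunch tomorrow?", "Are you free at noon?"),
    "pdf": build_sample("Invoice", "Invoice attached, thanks.", "invoice.pdf"),
}

def scan(samples: dict) -> dict:
    """Classify every sample message and map its name to the verdict."""
    return {name: classify_message(raw)["verdict"] for name, raw in samples.items()}
```

The non-.pif attachment in the "pdf" sample is left alone on purpose, to show the check keys on the file type the article names rather than on attachments in general.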

Sobig authors

As of now, we still don’t know who was behind the Sobig attacks. Microsoft announced that it would pay a reward of 250,000 USD to anybody providing information leading to the arrest of a responsible party. Despite the money on offer, nobody could track down the attacker.

Some theories connect Sobig with Ruslan Ibragimov, a Russian citizen from Moscow, who is known as the creator of a spamming software called Send-Safe. The theory points to some similarities in code and suggests that Ruslan and a group of developers worked on Sobig together. However, Ibragimov himself has denied these accusations and was never linked to the worm conclusively.

Conclusion

There is a lesson to be learned from the Sobig incident. If the “Archers” listeners had paid attention to the instructions on how to use email, maybe the attack wouldn’t have been as bad as it was.

Email spam is still among the top initial attack vectors. And if criminals are still using it, that can mean only one thing: it is still working well for them. That means that people all around the world are opening infected emails and falling victim to phishing. In fact, somebody in your company could be putting themselves in danger right now.

That’s why educating people about email best practices and about exercising caution is always a top priority. It is just like real-world pandemics: they keep happening because there are people who don’t take the necessary precautions.

But, of course, you can’t just stop using email and opening attachments. Unfortunately, malware, as well as phishing, is getting more and more sophisticated. This means that infected emails will get into your network, no matter how careful you are. Some won’t even look suspicious at first glance.

Thankfully, you can use ANY.RUN to quickly and efficiently analyze emails. ANY.RUN is an online malware analysis service. It allows researchers to upload emails and run tasks with a variety of configurable parameters. Scanning an email only takes a few minutes, but it will keep you and the whole network safe! 

Spread the word about the danger of email spam and stay safe online!
