Friday, August 1, 2003

How the SoBig.F virus works

Remember that the "From" address on all the SoBig.F messages is actually an address taken from the worm's target list. Many mail anti-virus products are configured to bounce any worm laden messages they get back to the sender, in this case, the spoofed address. Even worse, some of these bounces include the original attachment. The anti-virus software can actually end up sending the worm to users who hadn't yet received it, further propagating SoBig.F. This is the equivalent of a DDoS attack (Distributed Denial of Service), where servers you have never communicated with are sending you hundreds of bounced email messages.

Third wave: angry accusations

The last consequence of SoBig that you should be on guard for is the angry responses you will inevitably get from people you may never have heard of. This goes back to the spoofed "From" address SoBig uses. SoBig recipients that have either been infected or had a virus scanner warn them a message from you contained a virus (when you never really sent it), will start complaining. Be prepared and be polite. Inform your users that they may get angry messages of this nature. Refer the authors of these complaints to resources explaining the nature of SoBig.F (for example and explain that while the message may appear to have come from one of your users, it in fact did not.

The SoBig.F worm is programmed to stop replicating itself as of September 10, 2003. Similar auto-deactivation features were found in previous versions of SoBig and this probably means that we can expect most of the damage from SoBig to be over as of that date, but the next variation may be even worse.

Daniel Koffler is an R6 CLP and works as a Domino consultant for major organizations in North America and Europe, specializing in network design, security analysis and knowledge management, he is also the author of several OpenSource projects. Daniel can be reached at