The Bobax worm, which is less than a week old but has already spawned four variants, is one of the first worms to conduct a bandwidth test on its infected host to see if it is worthy of being used as a spam zombie.
Bobax uses a combination of the Windows vulnerabilities exploited by the Sasser worm and the MSBlast worm. Although Bobax is unlikely to spread very far because larger companies have already applied the relevant Microsoft patches, its behaviour shows that virus writers and professional spammers have taken control of more than enough computers to fulfil their requirements -- and are now able to get fussy about which ones to use.
Mikko Hyppönen, director of antivirus research at Finnish company F-Secure, said that although the Bobax worm infects any vulnerable machine, it has a bandwidth testing utility built in, which is used to help the virus authors decide if the infected machine has a fast enough Internet connection to be worthy of recruitment into their army of zombie spam relays.
The virus performs its bandwidth test by instructing the infected computer to download a large file from a public FTP site. Once the virus has collected some bandwidth statistics, it contacts the virus's author so it can be used as required, depending on the spammer's bandwidth requirements.
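The behaviour described above has a recognisable network footprint: a host that has just accepted an inbound connection on one of the ports the Sasser and MSBlast exploits target (TCP 445 and TCP 135 respectively) and then pulls a large file from an external FTP server. The script below is an added example (not code from the article or from F-Secure or Sophos) that applies that heuristic to flow-log lines. The flow lines, their field layout, the internal address range, the 50 MiB "large file" threshold and the one-hour window are all constructed assumptions for the example.

```python
"""Flag hosts showing the exploit-hit-then-large-FTP-download pattern.

Flow line layout (assumed for this example, not any real sensor's format):
    <ISO timestamp> <src> <sport> <dst> <dport> <bytes the src received>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

EXPLOIT_PORTS = {135, 445}                   # MSBlast (RPC/DCOM) and Sasser (LSASS) targets
FTP_CONTROL_PORT = 21
LARGE_DOWNLOAD_BYTES = 50 * 1024 * 1024      # assumed threshold for a "large file"
WINDOW = timedelta(hours=1)                  # assumed: download must follow the hit this closely
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal range; TEST-NET ranges are "external"

# Constructed sample flows: 10.0.0.5 is hit on 445 and then pulls ~80 MiB over FTP;
# 10.0.0.8 does a large FTP download with no prior hit; 10.0.0.9 is hit but never uses FTP.
SAMPLE_FLOW_LINES = [
    "2004-05-17T09:00:00 192.0.2.10 3045 10.0.0.5 445 1024",
    "2004-05-17T09:05:00 10.0.0.5 1032 198.51.100.7 21 512",
    "2004-05-17T09:05:10 10.0.0.5 1033 198.51.100.7 62000 83886080",
    "2004-05-17T09:06:00 10.0.0.5 1034 203.0.113.9 80 300",
    "2004-05-17T09:30:00 192.0.2.11 4001 10.0.0.9 135 800",
    "2004-05-17T10:00:00 10.0.0.8 1040 198.51.100.7 21 400",
    "2004-05-17T10:00:20 10.0.0.8 1041 198.51.100.7 62001 104857600",
]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    bytes_to_src: int


def parse_flow(line: str) -> Flow:
    ts, src, sport, dst, dport, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, int(sport), dst, int(dport), int(nbytes))


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspects(lines):
    """Return {host: details} for hosts matching hit -> FTP session -> large download."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)

    # Step 1: earliest inbound connection on an exploit port, per internal host.
    first_hit = {}
    for f in flows:
        if f.dport in EXPLOIT_PORTS and is_internal(f.dst) and not is_internal(f.src):
            first_hit.setdefault(f.dst, f.ts)

    # Step 2: external FTP control sessions opened by a hit host within the window.
    ftp_sessions = {}  # (host, server) -> control session start
    for f in flows:
        hit = first_hit.get(f.src)
        if hit is None or f.dport != FTP_CONTROL_PORT or is_internal(f.dst):
            continue
        if hit <= f.ts <= hit + WINDOW:
            ftp_sessions.setdefault((f.src, f.dst), f.ts)

    # Step 3: total bytes the host received from that server after the session opened
    # (covers both the control channel and passive-mode data connections on any port).
    pulled = {key: 0 for key in ftp_sessions}
    for f in flows:
        start = ftp_sessions.get((f.src, f.dst))
        if start is not None and start <= f.ts <= start + WINDOW:
            pulled[(f.src, f.dst)] += f.bytes_to_src

    return {
        host: {"exploit_hit": first_hit[host].isoformat(), "ftp_server": server, "bytes": n}
        for (host, server), n in pulled.items()
        if n >= LARGE_DOWNLOAD_BYTES
    }


if __name__ == "__main__":
    for host, details in find_suspects(SAMPLE_FLOW_LINES).items():
        print(f"{host}: hit at {details['exploit_hit']}, pulled {details['bytes']} bytes "
              f"from {details['ftp_server']}")
```

Only the host that shows all three stages is reported; a large FTP download on its own, or an exploit-port hit on its own, is left alone so the heuristic stays quiet on ordinary file mirrors and on blocked scans. Thresholds are deliberately explicit constants so they can be tuned against a site's real traffic.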
"The spammers have so many machines to choose from, they have the luxury of picking only the best of the crop -- the machines with the fastest connections and the widest bandwidth," Hyppönen said.
Graham Cluley, senior technology consultant for antivirus firm Sophos, said that being able to pick the fastest computers with the most bandwidth makes a lot of sense for spammers, and that this behaviour shows they are spoilt for choice when it comes to machines they can exploit.
"It's fantastic being a spammer because you have this wonderful array of computers all around the world to go and infect -- it's not as though they have to battle over a few thousand computers," Cluley said.
F-Secure's Hyppönen said that although Sasser has already forced many people to update their machines, there is a constant stream of vulnerable computers being connected to the Internet.
"If someone buys a brand new computer today and puts it online, it won't have the patches. The first virus it will be infected by will most probably be Bobax," Hyppönen said.
Talkback
Just a quick comment on fairness and honesty...
Every time I go to the Microsoft Update site for critical downloads my machine gets infected with spyware.
No one can convince me any more that it isn't Microsoft doing it. I use a very good firewall with filter rules in place to stop TCP and other protocols inbound. I should be safe.
So how could hackers be accessing my computer during download sessions unless either Microsoft's servers were still compromised or the latter was complicit in the infecting of clients with data-mining components?
How odd... I have 5 systems here and 10 more to maintain at work, all of which are routinely updated through Microsoft's Windows and Office update sites. None has ever gotten spyware installed from such a visit. A cookie or two, perhaps, but not actual 'call home' spyware.
One problem noted in the article, and a very good point to be driven home: new machines are vulnerable machines. Microsoft and the makers need to work out a better way of getting the needed updates onto machines sitting in boxes and on shelves. Perhaps providing an "addendum" CD to be used right after first-time power-up as part of the package (added by the reseller). But having the built in Win XP firewall active on power up will be some help.
The problem with an addendum CD, apart from it being out of date after a month, is getting it to the smaller shops. Sure, online retailers like Dell should be fine as they can just chuck in the latest addendum CD when the computer is shipped. What about the small independent PC shops who buy their PCs through wholesalers? Unless you have a massive operation sending out several copies of the latest addendum CD to every computer shop in the country every month, you are still going to have the same problem.
Provide the CD image for download to any of the smaller shops. Larger places like Dell will want to customize their builds, but the white-box mfgrs and resellers using default builds could provide stock CDs.
We build ours to order so we put on all current patches before a machine goes out the door. If we had a shelf life for computers we would download from the MS Catalog site and build our own.
Mike,
It's not the Microsoft site. While you are connected, your machine is wide open. There are some steps you can take. First, you really should look into a hardware firewall. A firewall is included in most home routers, so if you plan on having a second computer in your house, kill two birds with one stone.
If you don't get a hardware firewall, you need to turn off some of the vulnerabilities before you get online.
http://www.lavasoftsupport.com/index.php?showtopic=14537
Zombie computer, I think that's how I would call it. The reason for this is that my Internet connection works fine during the day, and in the evening, beginning from 18.00, the Internet connection just dies, sending out more than it receives. How do I prevent this problem... guys please help me... thanx. P.S. my OS is Windows XP Professional.