Security experts are warning of a possible attack or mass action by machines infected with the Sobig.F worm scheduled to begin at 7pm tonight.
Code buried deep in the Sobig.F worm will cause afflicted Microsoft Windows machines worldwide to simultaneously connect to an as-yet-unknown web page and download a software program, according to Finnish security company F-Secure. A number of atomic clocks worldwide are being used to synchronise activities and coordinate the mass action, the company said.
Researchers at F-Secure who have analysed the Sobig.F worm code say the instructions are similar to those found in previous editions of the Sobig virus.
F-Secure researchers cracked an encrypted list of 20 internet protocol addresses that PCs infected by Sobig.F will attempt to connect to, trying each in order until a successful connection is made.
Those IP addresses belong to Sobig-infected machines outfitted by the Sobig.F authors with instructions to receive requests from other Sobig.F machines and to respond with the location of a file that those machines should download and run, F-Secure's head of antivirus, Mikko Hyppönen, said.
"These are probably easy-to-crack machines from around the world where the user has no idea that the machine is infected and is being used in the attack," he said.
Currently, the 20 Sobig.F server machines contain instructions to download a non-existent file on the www.sex.com domain, but the person or people behind Sobig.F will probably wait until the last second before uploading the real instructions to the 20 machines.
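The mechanism described above, in which an infected host walks a hard-coded list of server addresses in order until one answers, leaves a recognisable footprint in perimeter logs: one internal host contacting several addresses from the same list within seconds. The following is an added detection example written for this article; it is not F-Secure's analysis code and it does not reproduce the real decrypted list. The server addresses, the log format (`timestamp src dst dport proto action`) and the log lines are all constructed, using RFC 5737 documentation ranges, and the 60-second window and two-server threshold are assumptions a defender would tune to their own environment.

```python
"""Flag hosts that walk a list of suspect servers in quick succession.

Added example for the Sobig.F article; not F-Secure's code. The server list,
log format and log lines are constructed stand-ins (RFC 5737 addresses), not
the real addresses recovered from the worm.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed stand-in for the decrypted server list (the real list is not
# reproduced here). A real deployment would load the current blocklist instead.
SUSPECT_SERVERS = frozenset([
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.7",
    "203.0.113.42",
])

# Constructed firewall log: "timestamp src_ip dst_ip dst_port proto action".
# Host 10.1.1.5 walks three list entries in two seconds (the worm pattern);
# 10.1.1.9 touches two entries three minutes apart; 10.1.1.20 is benign.
SAMPLE_LOG = """\
2003-08-22T19:00:01Z 10.1.1.5 192.0.2.10 8998 udp allow
2003-08-22T19:00:02Z 10.1.1.5 192.0.2.11 8998 udp allow
2003-08-22T19:00:03Z 10.1.1.5 198.51.100.7 8998 udp allow
2003-08-22T19:00:05Z 10.1.1.9 192.0.2.10 8998 udp allow
2003-08-22T19:02:00Z 10.1.1.20 93.184.216.34 80 tcp allow
2003-08-22T19:03:00Z 10.1.1.9 198.51.100.7 8998 udp deny
"""


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records (port/proto/action
    are parsed but not needed for this check)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, _proto, _action = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return events


def any_contact(events: List[Event]) -> List[str]:
    """Low-severity signal: every internal host that touched any list entry."""
    return sorted({ev.src for ev in events if ev.dst in SUSPECT_SERVERS})


def find_list_walkers(events: List[Event], window_seconds: int = 60,
                      min_servers: int = 2) -> Dict[str, List[str]]:
    """High-severity signal: hosts that contacted at least `min_servers`
    distinct list entries within `window_seconds`. Returns {src: servers in
    order of first contact}, which mirrors the 'try each in order' behaviour."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dst in SUSPECT_SERVERS:
            by_src[ev.src].append(ev)

    flagged: Dict[str, List[str]] = {}
    for src, evs in by_src.items():
        # Slide a window anchored at each suspect contact for this host.
        for i, first in enumerate(evs):
            seen: List[str] = []
            for ev in evs[i:]:
                if (ev.ts - first.ts).total_seconds() > window_seconds:
                    break
                if ev.dst not in seen:
                    seen.append(ev.dst)
            if len(seen) >= min_servers:
                flagged[src] = seen
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("touched list:", any_contact(evs))
    print("walked list :", find_list_walkers(evs))
```

Two tiers are deliberate: a single hit on a list entry may be a scanner or a false positive in the blocklist, whereas several distinct entries in one short burst is the worm's own retry loop and is worth an immediate isolation ticket. Widening the window (the 10.1.1.9 host in the sample is caught at five minutes but not at one) trades precision for recall, which is the knob to revisit once the scheduled activation time has passed and the real traffic pattern is known.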
"Obviously the logic of the virus writers is to change the URL (pointing to the file) just before the attack starts. They're thinking about how we work and trying to make it harder," he said.
Without seeing the instructions that infected Sobig.F machines download by the thousands, it's impossible to know what the Sobig.F machines will be directed to do, Hyppönen said.
For example, if the virus author sent instructions for the Sobig.F machines to download a file on Microsoft's web page or that of another high-profile target, it could create a massive denial of service attack, he said.
Previous editions of Sobig.F downloaded software programs that turn infected machines into "open proxies," Hyppönen said. Open proxies act as email distribution hubs allowing massive waves of spam to be sent anonymously. Sobig.F's author may be planning to do the same.
Security experts have long noted the connections between the Sobig.F worm and the work of spammers, who use open proxies to cover their tracks while barraging email accounts with solicitations for pornography, "get rich quick" scams and cheap prescription drugs.
In an attempt to control the flood of spam email, ISPs have been cracking down on loosely managed open proxies, prompting spammers to look for ways to create new proxies, Hyppönen said. Security companies have noted a correlation between the appearance of worms like Sobig.F and an increase in spam traffic from open proxies.
After deciphering the attack, F-Secure contacted Cert (the European Computer Emergency Response Team) and the FBI regarding the threat. The FBI then contacted the ISPs that the Sobig.F servers are using and asked them to suspend the machines' internet connections, Hyppönen said.
By this morning, 12 of 20 Sobig.F servers had been taken offline and authorities were working to contact other affected ISPs.
The job of shutting down the servers has been complicated, in part because the Sobig.F authors took precautions when selecting the machines to use as servers, making sure that each was controlled by a different ISP worldwide.
The FBI has analysed the Sobig.F code and is aware of the planned attack, said Bill Murray, a spokesman for the FBI's cyber division. It is working with a number of security departments and federal agencies to develop a strategy to help suppress the worm's spread.