{"id":661,"date":"2020-09-16T11:22:00","date_gmt":"2020-09-16T11:22:00","guid":{"rendered":"http:\/\/blog.susp.io\/?p=661"},"modified":"2022-12-21T06:56:01","modified_gmt":"2022-12-21T06:56:01","slug":"malware-history-sobig","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-history-sobig\/","title":{"rendered":"Malware History: Sobig"},"content":{"rendered":"\n<p>Sobig, sometimes called Reteras, Palyh, and Mankx, was a computer worm \u2014 a malicious program that copies itself to propagate to new machines. Sobig is one of the most devastating malicious programs in existence. Reportedly, it caused damages worth over 35 billion US dollars.<\/p>\n\n\n\n<p>First surfacing in 2003, Sobig instantly smashed the distribution speed records of the time. It was one of the first malware families to use a botnet, at least during a real-world malicious campaign. Turning infected machines into sources of infected emails allowed the worm to spread at a speed that security companies simply weren\u2019t ready for.<\/p>\n\n\n\n<p>Data collected in 2018 indicates that Sobig is the second-largest malware of its type by sheer volume of distribution. The only worm beating it is <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-history-mydoom\/\">MyDoom<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is the Sobig Worm?<\/h2>\n\n\n\n<p>Sobig was first recorded in the wild in January 2003. At the time, it was known as the Sobig.A variant. In the months that followed, threat actors released new variants one by one, known as Sobig.B, Sobig.C, Sobig.D, Sobig.E, and Sobig.F. The last version became the most devastating one.<\/p>\n\n\n\n<p>An interesting thing about Sobig is that it is not just a worm \u2014 it\u2019s also a Trojan. Sobig arrives in victims\u2019 inboxes in emails with subject lines ranging from receipt details to a supposed friend\u2019s email about a movie. Inside would be a .pif attachment with a matching name. 
The actual text of the email would usually read \u201cSee the attached file for details\u201d \u2014 not the most sophisticated phishing attempt, but one that evidently worked more than well enough.<\/p>\n\n\n\n<p>After all, in 2003 people weren\u2019t used to widespread email spam campaigns at all.<\/p>\n\n\n\n<p>Despite the many variants, most of those released before Sobig.F didn\u2019t cause much harm. They spread to hardcoded email addresses and were equipped with a stopping mechanism \u2014 a timer that dictated when the worm would stop looking for new addresses and stop spreading.<\/p>\n\n\n\n<p>On top of that, 2003 was a popular year for worms \u2014 many such programs surfaced at that time, and the supposedly low-risk Sobig was even called \u201ca nuisance\u201d by one security company.<\/p>\n\n\n\n<p>All of that changed when the F variant came about.<\/p>\n\n\n\n<p>This time, the worm learned to scan the hard drives of the machines it infected for email addresses. It could scan various types of files, which made it quite successful. This behavior allowed Sobig to send itself to the victim\u2019s contacts and drastically increased its infection rate.<\/p>\n\n\n\n<p>Interestingly, Sobig.F had a serious fault that didn\u2019t allow the worm to propagate through local networks. But this handicap didn\u2019t stop Sobig from becoming the fastest-spreading worm of its time.<\/p>\n\n\n\n<p>The aftermath of the attack was nothing short of disastrous. Among other victims, BBC machines were infected, and Sobig gained access to a large list of email contacts, in particular a database of fans of a radio show called \u201cArchers\u201d. Quite humorously, around the same time the show released an episode in which one of the characters was giving a lesson on how to use email.<\/p>\n\n\n\n<p>On top of that, Sobig caused Air Canada to temporarily suspend flights and slowed down computer traffic. 
At one point, experts believe, the Sobig executable was carried in one of every 17 emails. One security company studied over 40 million emails and found Sobig in at least 50% of them.<\/p>\n\n\n\n<p>The worm was spreading so fast that one person claimed to have received a little over one hundred emails in just one day and allegedly recorded a period when an infected email would arrive every 6 minutes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sobig Malware Technical Details<\/h2>\n\n\n\n<p>Sobig first enters the victim\u2019s machine as a malicious .pif file. Once execution starts, the worm makes a copy of itself. Then, the malware creates a mutex to ensure that the machine is not already infected with another Sobig sample. After this, Sobig creates registry keys so that it runs when the system boots.<\/p>\n\n\n\n<p>Next, Sobig sends a message to a hardcoded email address. The message reads \u201chello\u201d, and it is presumably used by the attacker to count the number of infections.<\/p>\n\n\n\n<p>At this point, the main malicious activity begins. Sobig propagates to all machines connected to the local network as well as to the roots of several hard drives on the initially infected PC. Then, it starts searching for possible email contacts in various file types. Once this process is complete, the worm sends a copy of itself to every contact found on the infected device.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sobig authors<\/h2>\n\n\n\n<p>To this day, we still don\u2019t know who was behind the Sobig attacks. Microsoft announced that it would pay a reward of 250,000 USD for information leading to the arrest of the responsible party. Despite the money on offer, nobody could track down the attacker.<\/p>\n\n\n\n<p>Some theories connect Sobig with Ruslan Ibragimov, a Russian citizen from Moscow, who is known as the creator of a spamming software called Send-Safe. 
The theory points to some similarities in code and suggests that Ruslan and a group of developers worked on Sobig together. However, Ibragimov himself has denied these accusations and was never conclusively linked to the worm.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>There is a lesson to be learned from the Sobig incident. If the \u201cArchers\u201d listeners had paid attention to the instructions on how to use email, maybe the attack wouldn\u2019t have been as bad as it was.<\/p>\n\n\n\n<p>Email spam is still among the top initial attack vectors. And if criminals are still using it, that can mean only one thing \u2014 it\u2019s still working well for them. That means that people all around the world are opening infected emails and falling victim to phishing. In fact, somebody in your company could be putting themselves in danger right now.<\/p>\n\n\n\n<p>That\u2019s why it\u2019s always a top priority to educate people about email best practices and about exercising caution. It\u2019s just like real-world pandemics \u2014 they are still happening because there are people who don\u2019t take the necessary precautions.<\/p>\n\n\n\n<p>But, of course, you can\u2019t just stop using email and opening attachments. Unfortunately, both malware and phishing are getting more and more sophisticated. This means that infected emails will get into your network no matter how careful you are. Some won\u2019t even look suspicious at first glance.<\/p>\n\n\n\n<p>Thankfully, you can use <a href=\"https:\/\/any.run\/\">ANY.RUN<\/a> to quickly and efficiently analyze emails. ANY.RUN is an online malware analysis service. It allows researchers to upload emails and run tasks with a variety of configurable parameters. 
Scanning an email only takes a few minutes, but it will keep you and the whole network safe!<\/p>\n\n\n\n<p>Spread the word about the danger of email spam and stay safe online!<\/p>\n","protected":false},"author":2,"featured_media":3063,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,7],"tags":[12,15,17,16],"class_list":["post-661","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-training","category-history","tag-history","tag-malware","tag-sobig","tag-worm"],"acf":[]}