The spam attack, first detected on Saturday, is continuing.
"This latest attack by the Sober author is comparatively
sophisticated and has obviously been well planned," said Stephen
White, Head of Anti-Spam Technical Operations within security firm
MessageLabs.
"It appears that previously unexploited networks of machines
infected with earlier incarnations [Sober P, aka N, O, S, Q, V] of the
Sober worm have been remotely commanded to download this latest
variant – Sober Q – in order to spam out huge volumes, while at the
same time circumventing spam filters for as long as possible."
Sober P hit the headlines earlier this month, when the mass
mailing worm proved to be very successful in luring victims to open
its attachments.
Some of the messages were sent in English, referring to
passwords, mailing errors and registration confirmations, but
others were written in German and offered tickets to the World Cup
– an offer that many found too attractive to resist.
Once installed in a machine, the worm simply mailed itself to
addresses harvested from the hard drive. However, the worm has now
shown itself to have another purpose, allowing hackers to set up a
bot network – a network of infected computers that can be remotely
exploited to forward junk e-mail and viruses without the knowledge
of the PC user.
According to MessageLabs, the spam attack e-mails, which are
mostly in German, use approximately 72 varying subject lines. Each
e-mail contains a single URL directing recipients to a range of
legitimate on-line articles in reputable German newspapers and
magazines promoting political messages with right-wing tendencies.
Others have also been found to contain URLs that link to articles
on previous Sober outbreaks.
"Almost all of the spam e-mails have been sent from otherwise
clean IP addresses and will have gone largely undetected by spam
filters not deploying proactive detection techniques for unknown
sources of spam," explained Stephen White.
The subject of the messages marks a twist in the evolution of
spam, which until now has been used to advertise such things as
porn, get-rich-quick schemes and pharmaceuticals. Propaganda spam,
as in this campaign, is a relatively new phenomenon.
According to reports, the timing of the attack may be related to
regional elections that are due to take place in North
Rhine-Westphalia on 22nd May. It may also be influenced by the recent
celebrations to mark the 60th anniversary of the ending of the
Second World War.