On Monday 2 May (PDT) Fortinet received the first samples of Sober.P, a mass-mailer that sends itself to addresses harvested from the infected system. Messages are sent in German and English, a technique also used by previous variants of the worm. As with other variants of the Sober worm, it originated in Germany. At first, the samples received came from Germany and surrounding areas; however, Fortinet soon received reports of sightings from across Europe and the USA.
Once again, the creators of the worm resorted to well-developed social engineering techniques. Firstly, depending on the suffix of the recipient's email address, the message was sent in English or German. Email addresses containing the following strings received the message in German:
As computer users are more used to receiving malware or spam in English, such a technique may encourage them to lower their defences. Secondly, some of the subject lines and attachment names of the email (shown below) led unsuspecting victims to believe that the mail related to football tickets from FIFA, again tempting some to click on the attachment. Below are some examples of subject lines used by the virus:
- Ihr Passwort
- Mail-Fehler!
- Ihre E-Mail wurde verweigert
- Ich bin’s, was zum lachen ;)
- Glueckwunsch: Ihr WM Ticket
- WM Ticket Verlosung
- WM-Ticket-Auslosung
- Your Password
- Registration Confirmation
- Your email was blocked
- mailing error
Below are some of the file attachment names used by the virus (%text% stands for a variable prefix):
- %text%Fifa_Info-Text.zip
- %text%okTicket-info.zip
- %text%_PassWort-Info.zip
- %text%autoemail-text.zip
- %text%LOL.zip
- %text%mail_info.zip
- %text%our_secret.zip
- %text%error-mail_info.zip
Thirdly, the worm deployed the increasingly common technique of avoiding email addresses related to some antivirus vendors, thus keeping a low profile amongst the community that may be able to stop its spread and increasing the window of opportunity for propagation.
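As an added example (not Fortinet's code and not part of the original advisory), the following Python scanner applies the subject lines and attachment-name suffixes listed above to mail-gateway log lines. The log line format and the sample lines are constructed assumptions for this example, not a Fortinet log format.

```python
import re

# Indicators quoted in the advisory above. "%text%" in the attachment names is a
# variable prefix chosen by the worm, so only the fixed suffix is matched.
SOBER_P_SUBJECTS = {
    "ihr passwort", "mail-fehler!", "ihre e-mail wurde verweigert",
    "ich bin's, was zum lachen ;)", "glueckwunsch: ihr wm ticket",
    "wm ticket verlosung", "wm-ticket-auslosung", "your password",
    "registration confirmation", "your email was blocked", "mailing error",
}
SOBER_P_ATTACHMENT_SUFFIXES = (
    "fifa_info-text.zip", "okticket-info.zip", "_passwort-info.zip",
    "autoemail-text.zip", "lol.zip", "mail_info.zip", "our_secret.zip",
    "error-mail_info.zip",
)
# Hypothetical gateway log format (constructed for this example):
#   subject="<subject>" attachment="<file name, or empty>"
LOG_RE = re.compile(r'subject="(?P<subject>[^"]*)"\s+attachment="(?P<attachment>[^"]*)"')


def match_reasons(subject, attachment):
    """Return the advisory indicators ('subject', 'attachment') a message matches."""
    reasons = []
    normalized = " ".join(subject.split()).replace("\u2019", "'").lower()
    if normalized in SOBER_P_SUBJECTS:
        reasons.append("subject")
    name = attachment.strip().lower()
    if name and name.endswith(SOBER_P_ATTACHMENT_SUFFIXES):
        reasons.append("attachment")
    return reasons


def scan_log(lines):
    """Return [(line_no, reasons)] for lines hitting at least one indicator. A
    subject-only hit is weak alone; the attachment suffix is the distinctive signal."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        reasons = match_reasons(m.group("subject"), m.group("attachment"))
        if reasons:
            hits.append((line_no, reasons))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    'subject="Glueckwunsch: Ihr WM Ticket" attachment="Fifa.Fifa_Info-Text.zip"',
    'subject="Your Password" attachment="abc_PassWort-Info.zip"',
    'subject="Weekly report" attachment="report.pdf"',
    'subject="Your Password" attachment=""',
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 and 2 on both indicators and line 4 on the subject alone, which a defender would treat as a weaker, review-only signal.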
Fortinet believes that as computer users become increasingly security aware, virus writers are having to constantly develop their social engineering techniques to entice them to click on malicious attachments.
Propagation statistics (derived from reports generated by Fortinet FortiGate™ systems deployed worldwide that detected and eliminated the worm):
| Day | Sober.P's share of all reported viruses |
| --- | --- |
| Day one | 32 % |
| Day two | 41 % |
| Day three | 38 % |
| Day four | 39 % |
| Day five | 36 % |
| Day six | 34 % (weekend) |
| Day seven | 36 % (weekend) |
| Day eight | 14 % |
Based on these numbers, it reached the number one position in Fortinet's list of top threats within 24 hours. Sober.P was to become the worst outbreak Fortinet has registered so far this year.
Sightings of the worm finally slowed down on May 10, dropping dramatically from 36% to 14% of all reported viruses. At this point Fortinet reduced its threat level from 4 (5 = high, 1 = low) to level 3. It would appear that on May 10 Sober.P put itself into a dormant state. However, the traffic it produces on an infected machine seems to indicate that we can expect more outbreaks when the virus "wakes up"…
For further information, please see: W32/Sober.P-mm description.