Latest Sober attack appears to do little damage

06.01.2006
Almost a full day after the latest version of the prolific Sober worm was programmed to launch its next round of attacks, there appears to be little sign that the worm is doing any of the damage it was expected to unleash.

"There's nothing going on with Sober" at the moment, said Joe Telafici, director of operations at McAfee Inc.'s Anti Virus Emergency Response Team (AVERT).

All of the Web sites that the last version of the Sober worm was programmed to contact and download malicious code from have already been taken down, he said. As a result, no malicious files are available for download, either by infected systems or by anyone else.

Because the worm -- which surfaced on Nov. 22 -- and its variants have been around for a while, many systems are also likely to have been patched or otherwise protected against the threat, according to Mike Murray, director of vulnerability and exposure research at nCircle Network Security Inc. in San Francisco.

"From what we are seeing out there, things appear to be very much under control," said Rajat Bhargava, president and CEO of StillSecure Inc., a Superior, Colo.-based security vendor. "People feel like they may have dodged the bullet."

At the same time, it would be a mistake to dismiss the Sober threat entirely, he said.

"Sober is still out there. It's a sleeper threat," he said. "The fact that it can be remotely executed makes it scary."

The worm also contains an algorithm that every few days generates a new set of URLs from which it then attempts to download malicious code, Telafici said. As a result, taking down the current download sites does not neutralize it, and the worm could start spreading again in the future.
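To make the "new URLs every few days" behaviour concrete, the following is an added example, not code from the article or from the Sober worm itself. It models a hypothetical date-seeded domain generator (the seed layout, hash, label length, epoch and TLD list are all invented for illustration; Sober's real algorithm is not described on this page) and shows the defender's side of the same arithmetic: once the generator is understood, every domain it will produce for the coming weeks can be enumerated ahead of time and blocked or sinkholed, which is why taking down only today's download sites is not enough.

```python
"""
Hypothetical time-seeded domain generation and the defender's response.

Everything below is illustrative: WINDOW_DAYS, DOMAINS_PER_WINDOW, TLDS,
EPOCH and the hashing scheme are assumptions, NOT Sober's real algorithm.
"""
import hashlib
import re
from datetime import date, timedelta

WINDOW_DAYS = 3            # assumed: same domains reused for 3 consecutive days
DOMAINS_PER_WINDOW = 4     # assumed: 4 candidate hosts per window
TLDS = ("info", "net", "org", "com")   # assumed TLD rotation
EPOCH = date(2005, 11, 22)  # assumed: the day the variant appeared
LABEL_LEN = 10              # assumed: 10-letter hostnames


def window_index(day):
    """Number of whole WINDOW_DAYS periods elapsed since EPOCH."""
    return (day - EPOCH).days // WINDOW_DAYS


def generate_domains(day):
    """Deterministically derive the domains for the window containing `day`.

    Every infected host computes the same list from the calendar alone, so
    no command channel is needed and the list changes every WINDOW_DAYS.
    """
    domains = []
    for i in range(DOMAINS_PER_WINDOW):
        seed = "{}:{}".format(window_index(day), i).encode()
        digest = hashlib.sha256(seed).digest()
        # Map hash bytes onto lowercase letters for the host label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append("{}.{}".format(label, tld))
    return domains


def precompute_blocklist(start, days_ahead):
    """Defender side: enumerate every domain the generator will emit during
    the next `days_ahead` days so they can be blocked or sinkholed before
    the worm (or its author) ever tries to use them."""
    block = set()
    for n in range(days_ahead):
        block.update(generate_domains(start + timedelta(days=n)))
    return block


HOST_RE = re.compile(r"https?://([^/\s]+)")


def find_hits(log_lines, blocklist):
    """Return the sorted set of blocklisted hosts seen in proxy log lines."""
    hits = set()
    for line in log_lines:
        m = HOST_RE.search(line)
        if m and m.group(1).lower() in blocklist:
            hits.add(m.group(1).lower())
    return sorted(hits)


# Constructed sample proxy log: one line pointing at a generated domain for
# the Jan. 5, 2006 window, one benign line.  Not real traffic.
ACTIVATION_DAY = date(2006, 1, 5)
SAMPLE_LOG = [
    "2006-01-05T00:02:11Z 10.1.2.3 GET http://{}/update.exe".format(
        generate_domains(ACTIVATION_DAY)[0]),
    "2006-01-05T00:03:00Z 10.1.2.9 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    block = precompute_blocklist(ACTIVATION_DAY, 30)
    print("domains to pre-block for the next 30 days:", len(block))
    print("hits in sample log:", find_hits(SAMPLE_LOG, block))
```

The point of `precompute_blocklist` is the asymmetry it exposes: a defender who knows the generator can register or block a month of domains in one pass, while a defender who only reacts to the domains currently in use will be back at zero when the next window starts.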

The Sober worm and its variants are believed to have been authored by German hackers and have emerged as one of the most prolific pieces of malware ever. The worm does not target any specific vulnerability. Rather, it requires users to open a malicious file attachment in e-mails or to click on links that lead to malicious files.

The last version of the worm appeared on Nov. 22, Inauguration Day for Germany's first female chancellor. It was programmed to be reactivated at midnight GMT on Jan. 5, when it was supposed to download and run malicious files from certain Web domains. Like other variants, the latest Sober version comes with its own SMTP engine to spread itself. But the code has been tweaked to send out copies much faster than earlier versions.

Even though the latest version appears to be doing little damage to corporate networks at the moment, there is still an enormous amount of e-mail traffic that is being generated by it, said Andrew Lochart, senior director of marketing at Postini Inc., a San Carlos, Calif.-based provider of e-mail management services.

In the last 24 hours alone, Postini has blocked over 53 million e-mails containing the latest Sober variant on behalf of its clients, Lochart said. That number is about 10 times higher than the next most prolific worm and represents close to 98 percent of all e-mails blocked by Postini, he said.

"It really is an astonishingly virulent worm" that has easily surpassed all other worms in history in terms of its propagation, he said. "We've never seen a single worm or virus that has just kept going on and on like this one has."

The director of information security at a specialty retailer in California who wished to remain anonymous said that his company stopped a higher than normal volume of Sober-related e-mails at its network gateways last week. Starting around Dec. 27, when the news of the Windows Metafile (WMF) flaw was disclosed, the company began seeing a sharp spike in the volume of e-mails -- from an average of about 1,500 to 2,000 per day to more than 50,000 e-mails that were filtered out by its perimeter defenses, he said.

"The biggest question is whether this represents the high water mark or if it will go higher," he said.