Spam-chen ze Deutsche: Sober.q

In German, "unsolicited commercial email" is unaufgeforderte gewerbliche. But over the weekend a new Sober variant turned the information superhighway into an Autobahn for unaufgeforderte politische—unsolicited political material carrying messages of German nationalism.

Coinciding with the 60th anniversary of the end of World War II, the material was said to include URLs pointing to a website for the right-wing NPD Party in Germany, according to advisories from MX Logic, an email security company.

MX Logic said it saw more than 125,000 incidents of the new variant, Sober.q, on Saturday and Sunday, and determined it was a high-severity threat. Some of the subject lines used by the worm include "Dresden 1945" and "Du wirst zum Sklaven gemacht!!!" ("You are made slaves!!!"), the company said.

“Spam has been traditionally regarded as annoying messages that promote Viagra, porn, and low cost mortgages,” said MX Logic chief technology officer Scott Chasin, announcing the threat level for Sober.q. “But for the past year we have seen a trend in which worm authors are using spam not to hawk goods, but as a tool for political propaganda.”

The new Sober is downloaded by computers already carrying the Sober.p variant, which hit the Internet in early May, MX Logic continued. The writers appear to have remote control over Sober.p machines, and thus a network for future spam and distributed denial-of-service attacks.

The worm doesn't need email to propagate but arrives in an email as a .zip file which, when opened, uses its own engine to send itself to email addresses in the victim's address book, MX Logic said.

"Thousands of innocent computer users are unknowingly spewing out this unwanted mail as the Sober author has taken control of their PCs," said Graham Cluley, senior technology consultant for antivirus and security firm Sophos, in a company report, adding that Sober.q also included links to news stories about previous Sober worms, suggesting the Sober.q author(s) are looking for notoriety in their own right.

"[B]ut it's unlikely that the thousands deluged with this spam will take kindly to his tactics," Cluley continued. "This latest piece of malware highlights the links between virus writers and spammers and reinforces the need for everyone to deploy regularly updated antivirus and anti-spam software as well as a firewall."

The good news, Cluley said, is that the spread slowed down considerably as the weekend came to an end.

Other subject lines seen in the Sober.q spread included "Dresden Bombing Is To Be Regretted Enormously," "Armenian Genocide Plagues Ankara 90 Years On," and "Turkish Tabloid Enrages Germany with Nazi Comparisons."

Another security and antivirus company, F-Secure, said Sober.q is written in Visual Basic and is a PE executable file 54KB long, packed with a modified UPX file compressor and carrying its own SMTP engine. It drops three new files (services.exe, csrss.exe, and smss.exe) into a WinDir help folder created by the worm itself. It also drops five empty files designed to deactivate previous Sober variants.
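The three dropped file names are also the names of genuine Windows system processes, so a defender can triage a process or file listing by checking where those images live. The following is an added example, not code from F-Secure or from this article; it assumes the genuine images run from System32 under WinDir, and the function name, the `EXAMPLE_DIR` folder and the sample paths are constructed placeholders.

```python
import ntpath

# File names the article says Sober.q drops; all three are also the names
# of genuine Windows system processes.
DROPPED_NAMES = {"services.exe", "csrss.exe", "smss.exe"}


def _norm(path):
    """Lower-case, unify separators and collapse '..' in a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def find_masquerading_images(image_paths, windir=r"C:\Windows"):
    """Return the paths whose file name matches a dropped name but whose
    folder is not <windir>\\System32.

    Assumption: the genuine images run from System32. Backup copies kept
    elsewhere by the operating system are flagged too and need manual triage.
    """
    trusted = _norm(ntpath.join(windir, "System32"))
    hits = []
    for raw in image_paths:
        # Listings often wrap paths in quotes or leave stray whitespace.
        path = _norm(raw.strip().strip('"'))
        folder, name = ntpath.split(path)
        if name in DROPPED_NAMES and folder != trusted:
            hits.append(raw)
    return hits


# Constructed sample listing; EXAMPLE_DIR stands in for the worm-created
# folder, whose real name the article does not give.
SAMPLE = [
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\Help\EXAMPLE_DIR\services.exe",
    r'"C:\Windows\Help\EXAMPLE_DIR\CSRSS.EXE"',
    r"C:\Windows\System32\..\Help\EXAMPLE_DIR\smss.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\smss.exe",
]

if __name__ == "__main__":
    for hit in find_masquerading_images(SAMPLE):
        print("system process name outside System32:", hit)
```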

Sober.q is not the first Sober variant to traffic in political propaganda. MX Logic said that in June 2004 Sober.h had a role in the first known use of a spambot network – programs harvesting email addresses to build mailing lists for spam from websites, newsgroups, and chat room conversations – to disseminate political spam.