Sober attack shouldn't bite, say antivirus experts

The Sober attack predicted to occur on 6 January should not be a problem, antivirus experts said on Wednesday.

As reported last month, machines that were infected by Sober in November have the potential to download malicious code from certain websites and then launch a new wave of viruses later this week.

But experts from antivirus companies F-Secure, MessageLabs and Websense all agreed this Sober attack is unlikely to have a major effect, as systems administrators and antivirus companies have had time to prepare.

Mikko Hyppönen, director of antivirus research at F-Secure, said: "There might be no attack at all. As everybody knows about the attack, the virus writer may lay low and attack at a later date. The ISPs involved can actively block malicious postings. It's more likely the attacker will lay low or be blocked, rather than succeed."

Dan Hubbard, senior director of security and research at Websense, agreed the attack would not have a major effect: "Sober has been mitigated pretty well. I would be really surprised if there's still a problem. I don't see it being a big issue."

F-Secure recommended systems administrators block the URLs of websites with malicious links but not the domains hosting the websites.

Hyppönen said: "We have listed URLs that we are recommending systems administrators block. We don't recommend blocking the whole domain, as 99 per cent of the pages on these free Austrian and German domains are OK. You should just block the problem URLs."

Mark Toshack, manager of antivirus operations at MessageLabs, agreed antivirus vendors should be able to mitigate the effects of the potential attack: "You'd hope everybody knows about the upcoming attack. All of the antivirus vendors know, and have updated their products to block signatures or detect malicious websites. Hopefully this will bottleneck the threat, and choke it off."

But some users may still be affected by an attack, Toshack added: "You will get a few people who aren't running any antivirus software on their desktop, and a percentage of people clicking on unknown websites."

MessageLabs advised systems administrators to acquaint themselves with information regarding Sober, and urged IT professionals to remind teleworkers to be cautious of emails that use social engineering to try to trick them.

Toshack said: "Systems administrators should make sure they've read up on all of the information on Sober coming from antivirus vendors - get well versed. Make sure your firewall is updated to block those specific URLs. Tell users to watch out for malicious links, especially those working from home who may be outside the firewall."

Tom Espiner writes for ZDNet UK