Shut down Sober-infected PCs, ISPs urged

'Clean up your users' act...'

By Tom Espiner

Published: 10 January 2006 08:45 GMT

ISPs were urged on Monday to check their user traffic patterns to locate and shut down machines infected with the mass-mailing Sober worm.

Although Sober is no longer trying to replicate, antivirus company F-Secure believes ISPs must warn infected customers so they can disinfect themselves.

Infected PCs were programmed to download new instructions from the internet last week, which would have heralded another attack. This update did not actually appear online but infected machines are still trying to download it.

F-Secure said on its blog: "ISPs: we urge you to check your user traffic patterns. Locate the users that produce an unlikely large amount of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. Contact these users and let them know they are likely to be infected with Sober and they should clean up their act."
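One way an ISP could run the check F-Secure describes, shown as an added example that is not code from the article or from F-Secure: it counts each subscriber's requests to the five named hosts and flags those whose hits are both numerous and spread over many hours. The log format, subscriber IDs and thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Hosts named in the F-Secure blog post quoted above.
SOBER_HOSTS = {"people.freenet.de", "scifi.pages.at", "home.pages.at",
               "free.pages.at", "home.arcor.de"}

def flag_subscribers(lines, min_hits=20, min_active_hours=6):
    """Return {subscriber: (hits, active_hours)} for likely-infected subscribers.

    Assumed log format (hypothetical): "<ISO timestamp> <subscriber-id> <host>".
    A subscriber is flagged when hits to SOBER_HOSTS are numerous AND spread
    over many distinct hours, i.e. constant polling rather than a one-off visit.
    Both thresholds are assumptions to tune against real traffic.
    """
    hits = defaultdict(int)
    hours = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, sub, host = parts
        if host.lower().rstrip(".") not in SOBER_HOSTS:
            continue
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # skip unparseable timestamps
        hits[sub] += 1
        hours[sub].add(when.replace(minute=0, second=0, microsecond=0))
    return {s: (hits[s], len(hours[s])) for s in hits
            if hits[s] >= min_hits and len(hours[s]) >= min_active_hours}

def build_sample_log():
    """Constructed sample data: one polling machine, one casual visitor."""
    log, hosts = [], sorted(SOBER_HOSTS)
    for hour in range(8):                    # cust-1001 polls for 8 hours
        for minute in range(0, 60, 10):
            host = hosts[(hour + minute) % len(hosts)]
            log.append(f"2006-01-09T{hour:02d}:{minute:02d}:00 cust-1001 {host}")
    for minute in range(0, 60, 2):           # cust-2002: 30 hits in one hour
        log.append(f"2006-01-09T14:{minute:02d}:00 cust-2002 home.arcor.de")
    log.append("2006-01-09T15:00:00 cust-3003 www.example.org")
    log.append("garbage line")
    return log

if __name__ == "__main__":
    for sub, (n, h) in sorted(flag_subscribers(build_sample_log()).items()):
        print(f"{sub}: {n} hits across {h} distinct hours")
```

In the sample, only the subscriber that polls throughout the day is flagged; the one with a burst of hits inside a single hour is not.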

Computers infected by Sober are likely to contain spyware, or could have been turned into zombie PCs and used to send spam or launch denial of service attacks. They could also download a Sober update in the future, sparking another mass-mailing attack.

F-Secure said ISPs should automatically let customers know they have been infected and redirect them to sites where they can disinfect their machines.

Mikko Hypponen, director of antivirus research at F-Secure, said: "Most affected computers belong to home users, who have no idea they've been infected. ISPs are in the best position to distinguish infected users.

"Service providers can automatically shut down a user connection, and specify that to get back online users have to follow certain steps, for example, by visiting the Microsoft site for the latest updates. ISPs can automatically shut down what they want and can still connect users to Microsoft."

ISPs have an economic motive to inform users their machines have been compromised, Hypponen argued.

He said: "It might be hard for ISPs to find the motivation to do it, because it's a lot of work and a thankless job as no one wants to hear they are infected. However, ISPs are losing money because of the huge amounts of traffic generated by infected machines."

But AOL said it would not be contacting consumers, as it put more emphasis on prevention of infection through email filtering and blocking links to certain websites. People who had been infected had access to McAfee antivirus services, AOL said.

Jonathan Lambeth, director of communications for AOL UK, said: "We have on occasion made outbound contact with members in specific situations, such as the Mydoom worm, but have no plans to do so in this instance as we focus our efforts on prevention."

Lambeth added: "Our anti-spam systems, which block more than 1.5 billion spam emails each day, block a large number of emails containing links to the Sober virus in the first place.

"Links are default-disabled on emails within AOL to prevent casual clicking on rogue links, requiring a more positive action to click through, although this setting can be switched off if the user prefers."

Tom Espiner writes for ZDNet UK
