CNN.com parody

Antivirus industry orders U.S. ISPs to eradicate Sober worm

January 9, 2006 Posted: 9:42 AM EST (1442 GMT)
WASHINGTON, D.C. -- EXERCISING new powers granted to them under the USA PATRIOT Act, the antivirus industry on Monday ordered U.S. ISPs to check their user traffic patterns to locate and shut down machines infected with the mass-mailing Sober worm.

Although Sober is no longer trying to replicate, antivirus company F-Secure believes ISPs must shut down infected customers until they disinfect themselves. Infected PCs had been programmed to download new instructions from the Internet last week, which would have heralded another attack. As previously reported, this update did not actually appear online, but infected machines are still trying to download it.

"ISPs: you are hereby ordered to check your user traffic patterns. Locate the users that produce an unlikely large amount of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. Disconnect these customers from the Internet as they are likely to be infected with Sober and they should clean up their act," F-Secure said on its blog.

"The only exception is if the customer is an antivirus vendor," F-Secure added. "These customers will produce an unlikely large amount of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. They are duly deputized U.S. cyber-marshals working for the United States government and they are performing vital research in the interests of U.S. homeland security."

Computers infected by Sober are likely to contain spyware, or could have been turned into zombie PCs and used to send spam or launch denial-of-service attacks. They could also download a Sober update in the future, sparking another mass-mailing attack.

F-Secure said ISPs should automatically mail a letter to customers telling them that they have been infected, and direct users to service repair shops that can disinfect their machines.

"Most affected computers belong to home users, who have no idea they've been infected. ISPs are in the best position to distinguish infected users," said U.S. cyber-marshal Mikko Hyppönen, who is also the director of antivirus research at F-Secure.

"Service providers must automatically shut down a user connection, and specify that to get back online users have to follow certain steps, for example, by visiting the Microsoft site for the latest updates. ISPs can automatically shut down what they want, and can still connect users to Microsoft," said Hyppönen.

ISPs have an economic motive to overcome reluctance to inform users that their machines have been compromised, Hyppönen argued. "It might be hard for ISPs to find the motivation to do it, because it's a lot of work and a thankless job as no-one wants to hear they are infected. However, ISPs are losing money because of the huge amounts of traffic generated by infected machines," Hyppönen said.

But AOL said it would defy the order, as it put more emphasis on prevention of infection through email filtering, and blocking links to certain Web sites. Users who had been infected had access to McAfee antivirus services, AOL said. "We have on occasion made outbound contact with members in specific situations, such as the Mydoom worm, but have no plans to do so in this instance as we focus our efforts on prevention," said Jonathan Lambeth, director of communications for AOL UK.

"Our anti-spam systems, which block more than 1.5 billion spam emails each day, block a large number of emails containing links to the Sober virus in the first place. Links are default-disabled on emails within AOL to prevent casual clicking on rogue links, requiring a more positive action to click through, although this setting can be switched off if the user prefers," Lambeth added.

Lambeth offered an intriguing counter-argument to the order. "ISPs provide access and antivirus vendors provide security. So why don't antivirus firms order themselves to stop the Sober worm? Why must they order ISPs to do their job for them?"


(Original non-parody version of this story published here.)