London, 16 May 2005 - At approximately 5.45am on 15th May, MessageLabs began intercepting a large number of German right-wing spam emails being generated from machines infected with a new variant of the Sober worm. The Sober worm, which has been around since 2003, is unusual in its strategy.
Says Stephen White, Head of Anti-Spam Technical Operations within MessageLabs: “This latest attack by the Sober author is comparatively sophisticated and has obviously been well planned; it appears that previously unexploited networks of machines infected with earlier incarnations [Sober.P, aka N,O,S,Q,V was first intercepted by MessageLabs on the 2nd May] of the Sober worm have been remotely commanded to download this latest variant - Sober.Q - in order to spam out huge volumes, while at the same time circumventing spam filters for as long as possible.”
The spam emails, which are mostly in German, use approximately 72 varying subject lines. Each mail contains a single URL directing recipients to a range of legitimate online articles in reputable German newspapers and magazines promoting political messages with right-wing tendencies. Others have also been found to contain URLs that link to articles on previous Sober outbreaks.
Says Stephen White: “Almost all of the spam emails have been sent from otherwise clean IP addresses and will have gone largely undetected by spam filters not deploying proactive detection techniques for unknown sources of spam. The spam attack has also been conveniently deployed to coincide with a German public holiday.
“It would seem that the virus author has stored up networks of infected machines around the world holding them on standby to deploy at specific times – in this case, to successfully spread politically-motivated propaganda. Whether the author is a right-wing activist himself trying to influence public opinion or whether he is looking to tout his wares to groups that may be interested in paying for his services remains to be seen. It might not be a coincidence that on 22nd May regional elections will take place in North Rhine-Westphalia.”
“The scale of this particular outbreak further highlights the extent of the threat from converged virus and spam techniques; after the release of a new virus or variant, we increasingly see massive spam attacks follow in quick succession. While spam was once just a nuisance, here we see not only how it can be used for far more malicious purposes, but how it can be propagated so widely when used in conjunction with viruses. Such malware attacks underline the need for businesses to deploy more responsive security countermeasures, such as 24x7 managed services, which enable such malware to be intercepted at either hour zero or very early on after first detection.”
About MessageLabs
MessageLabs is the world's leading provider of email security and management services with more than 11,000 clients and offices in eight countries. For more information, please visit http://www.messagelabs.com









