Ed Driscoll

Don't Mention The War

Over the weekend, I received quite a bit of German-based email about Dresden and World War II. At first, I thought it was related to a review I wrote a few weeks ago of Frederick Taylor’s 2003 book, Dresden: Tuesday, February 13, 1945. It turns out that it was actually spam generated by the latest version of the “Sober” mass mailing worm:

Sober.q uses both German and English-language messages to direct recipients to Web sites with right-wing German nationalistic content, according to an advisory from e-mail security company MX Logic. One of the URLs points to the Web site of the right-wing German NPD party, it says.

The security firm says that it had seen over 125,000 instances of Sober.q overnight Saturday and into Sunday, and labeled it as a high severity threat. The variant is downloaded by computers already infected by the Sober.p worm, which began circulating earlier this month, MX Logic says. The virus writers appear to have remote control over the Sober.p infected machines, giving them a network from which to launch future spam and denial of service attacks, it adds.

Spreading Propaganda

The latest Sober variant is one of a relatively new type of “propaganda spam,” meant to spread political messages rather than sell a product or service, MX Logic says. Circulation of the worm coincides with ceremonies marking the 60th anniversary of the end of World War II in Europe and examples of subject lines it sends include “Dresden 1945” and “Du wirst zum Sklaven gemacht!!!” (“You are made slaves!!!”), according to MX Logic.

“We are certainly seeing more propaganda spam,” says Graham Cluley, senior technology consultant with Sophos. Security researchers began detecting religious spam selling a particular view of life last year, Cluley says.

Although Sophos is seeing a lot of German-language spam sent by the new Sober variant, the worm itself doesn’t appear to be spreading anymore, Cluley says.

E-mail users are advised to update their spam filters to guard against the new Sober spam.

Makes sense to me.

Update: Charles Johnson spots some interesting subtext in some of the reporting of this virus and its contents.