North American Network Operators Group


RE: Sobig.f surprise attack today

  • From: Irwin Lazar
  • Date: Fri Aug 22 15:12:13 2003

FYI:

--------------------------------------------------------------------------------
At 1500 GMT, Mikko Hypponen, director of anti-virus research at
F-Secure, told New Scientist that 18 of the 20 internet addresses his
company had identified in the virus had been blocked. "But if even one
machine remains online at the deadline, anything could happen," he
warned.

Hypponen said F-Secure had notified the FBI and internet service
providers who run the addresses listed in the worm and said some of the
companies have agreed to temporarily block access to those machines. The
target machines are based in Canada, USA and South Korea.

Unreachable address

At 1750 GMT, New Scientist ascertained that all but one of the 20
addresses were inaccessible. The 19 unreachable addresses may have been
blocked, or could always have been protected by a firewall.

The last open address is in Toronto, and is provided by the internet
service provider Sympatico. Its spokesperson told New Scientist: "We are
aware of the virus and are working with local law enforcement to
identify the person behind the virus."

A possible reason for deliberately leaving an address open might be to
act as a "honey pot" - an address controlled by the authorities to
observe the worm in action. 

However, the latest analysis of SoBig.F has revealed that even if this
attempt to block access to the 20 addresses is successful, more action
may be needed. Infected machines are programmed to check twice a week at
the same time for a new list of servers to contact. This new list could be
delivered via a new virus.

The existing list of 20 appears to list Windows PCs belonging to home
users and connected to the internet via always-on, ADSL broadband
connections, says Hypponen. "It is most likely that the party behind
SoBig.F has broken into these computers and they are now being misused
to be part of this attack."

The worm's previous variant, SoBig.E, downloaded a program that removed
the virus itself to cover its tracks, and then tried to steal the user's
network and web passwords.

But the machines infected with SoBig.F will try to connect to port 8998
on one of the hijacked machines. They will transmit a secret 8-byte
code, which will cause the hijacked machines to return a web link to a
site from which the malicious code can be downloaded.

Attempts to discover this target link have so far been foiled, as the
worm's writer used a bogus URL. Experts believe that this link would be
changed to the real one a few seconds before the deadline, too late for
companies to block.

David Cohen
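The update check the article describes (an infected PC opening TCP port 8998 to one of a fixed set of hijacked hosts) is easy to pick out of flow or connection logs. The following is an added example, not from the forwarded article or the NANOG thread: it scans constructed flow records for that pattern; the server addresses, log format and sample lines are placeholders, since the worm's real 20 addresses are not reproduced on this page.

```python
# Added detection example (not from the article): flag outbound TCP/8998
# connections, the port SoBig.F uses to fetch its download link. A hit on a
# listed update server is high confidence; any other 8998 destination is a
# candidate for a replacement list, which the article says a later variant
# could deliver. Server addresses and log lines below are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

SOBIG_PORT = 8998
# Placeholder stand-ins for the worm's hard-coded server addresses.
UPDATE_SERVERS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    reason: str


def parse_flow(line: str):
    """Parse one 'ts src dst dport proto' record (constructed log format)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), src, dst, int(dport), proto


def scan(lines):
    """Return an Alert for every TCP connection to the SoBig.F update port."""
    alerts = []
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dport != SOBIG_PORT:
            continue
        if dst in UPDATE_SERVERS:
            alerts.append(Alert(ts, src, dst, "known SoBig.F update server"))
        else:
            alerts.append(Alert(ts, src, dst, "unlisted host on port 8998, possible new server"))
    return alerts


def infected_hosts(lines):
    """Distinct internal sources that attempted the update check."""
    return sorted({a.src for a in scan(lines)})


# Constructed sample flow records: ISO timestamp, src, dst, dport, proto.
SAMPLE_FLOWS = """
2003-08-22T18:59:58 10.0.0.5 192.0.2.10 8998 tcp
2003-08-22T18:59:59 10.0.0.5 203.0.113.4 8998 tcp
2003-08-22T19:00:01 10.0.0.9 198.51.100.7 8998 udp
2003-08-22T19:00:02 10.0.0.7 192.0.2.11 443 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS):
        print(f"{a.ts.isoformat()} {a.src} -> {a.dst}: {a.reason}")
```

Hosts reported by `infected_hosts` are the ones to pull offline or rate-limit before the next scheduled check-in, regardless of whether the 20 servers themselves stay blocked.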