The Origin Of Sobig (And Its Next Phase)

MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, have traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try and connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.

Re: Wicked screensaver

[JohnGrahamCumming]

Please see the attached file for details.

Re: Wicked screensaver

[mjmalone]

WARNING!!! (from zidane.cc.vt.edu)

The following message attachments were flagged by the antivirus scanner:

Attachment [2.2] application.pif, virus infected: W32/Sobig-F. Action taken: deleted

PWN'D

Re:Another day, another worm

[Anonymous Coward]

Ultimately, could Microsoft be blamed for these viruses?

Of course not you tool. This worm spread VIA USENET AND E-MAIL. Christ, RTFA before spouting your anti-MS BS.

Re:What a nice guy though

[EpsCylonB]

Anyone else think this sounds like a bad hollywood plot ?

We only have 48 hours to shut down 20 randomn computers or the internet is brought to it's knees.

Already exists

[Ciderx]

Its called "W32/SitePostedOnSlashdot"

Re:What a nice guy though

[Anonymous Coward]

Speed meets The Net. Three cheers for Sandra Bullock!

No Problems Here

[Anonymous Coward]

I don't have any friends so I don't really get any e-mail.

this is why

[commodoresloat]

This is why worms need to be open source. Proprietary worms do a disservice to the worm community!

Re:Stupid, Offtopic, Newbie, Question

[MyHair]

What's the difference between a worm and a virus?

You see, a virus is what we doctors call
very very small. So small it could not possibly have made off with a
whole leg.

Who cares about the virus....

[Dark Lord Seth]

Which porn site was affected? I need to find out for er... damage control, yeah!

Re: What a nice guy though

[Black Parrot]

> Anyone else think this sounds like a bad hollywood plot? We only have 48 hours to shut down 20 randomn computers or the internet is brought to it's knees.

Worm author sells movie rights to pay legal fees...

Re:Idiots.

[MyHair]

Edit that slightly and send it to Microsoft:
-----
Come on, if you're going to write an OS, do it right.

Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who sued you, and trade alliances randomly).

Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.

Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).

In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.

Re:Movie - dear god, it's the plot of Hackers!

[Anonymous Coward]

Next stage will be when the sobig virus targets the stability software on oil tankers... and Angelina Jolie will rescue us with her superfast laptop running a huge *28.8 modem*...

Ahh... nostalgia for things that have only just happened - that's what I love about being a science fiction fan!

Re:Sobig was created to defeat Bayesian Filters.

[joepa]

I am a small businessperson[...]

I received an email a few days ago from someone who says that they can help you with this problem...

Re:What a nice guy though

[Anonymous Coward]

You're being redundant. All you have to say is "sounds like a hollywood plot." "Bad" is inferred.

You just like saying schadenfeude

[simetra]

Admit it.

Re: Wicked screensaver

[ChilyWily]

hehe- Couldn't resist: Today's userfriendly [userfriendly.org] strip is perfect :)

Re:Question

[Bin-tec]

So, when will us Mac users going to get some excitement with some viruses? I'm kinda bored about clicking on those links that won't do anything.

Re: y'know what I'm wondering...

[Black Parrot]

> Is why any virus writers ever get caught. [...] they simply have to go down to their local library and/or cyber cafe wearing a wig and makeup, stick the floppy in, click, then leave, what's the problem?

I used to do that, but I got tired of having all the geeks try to pick me up while I was there.

This is what the writer should have done.

[codepunk]

He should have had this virus download a copy of the linux kernel from the SCO web site and save it to the system. SCO would have loved this as they could have then sold a Unix Ware license to the entire world. Oh hell we could have even shown that SCO infact distributed the linux kernel to every PC in the world.

No damage

[Arandir]

Those that did were merely redirected to a porn site, no damage done.

No damage done! My dear poor mother got redirected to goatse.cx! The psychiatry bills alone will cost a quarter of a million dollars.

Re:Nobody seems to care.

[Safety Cap]

Because we don't send people to life terms, or subject them to death/dismemberment, for stealing said cars some people feel that it's worth the risk to do so.

If that were the case, then Texas would have zero homicides [harris.tx.us], since it is the hangingest state in the union.

Re:Question

[snake_dad]

Don't give mom the root password...

Re: Wicked screensaver

[eponymous flower]

Wicked?? Is this virus writer from Boston or 1986?

Re: Wicked screensaver

[Anonymous Coward]

There's really only one User Friendly comic [somethingawful.com]

Re:Quit using C/C++, lose the buffer overflows

[makapuf]

I was fortunately able to work entirely without C for the last 10 years or so

Whoah ! Where people able to understand what you told them ? Like, " 'mon ! hek that web page and ut n' paste the ommon errors !" But that's nothing ! I gave up with all vowels ! (ppl tnd t thnk spk lk n nsct, thgh).

Re:Another day, another worm

[Anonymous Coward]

Great points.

The Microsoft "O/S" has certainly bloated over the years, and is probably the main problem. As with any code shop, the biggest goal is just to get it to work!! Millions of lines of code, thousands of programmers, just organizing it sounds scary. And we always hear about the dates slipping -- and that's just to get it working in a non buggish sorta way. I doubt this leaves much time to try and figure out ways it can be exploited!

I could go on, but I really wanted to respond about your Palladium comment. Usually when I read stories about viruses, hacks, etc, I smile. Not maliciously, but just in the spirit of the hack. But lately, this kind of shit just makes me concerned that this will slide us into DRM. And that's bad.

By the way, isn't this an Outlook Explorer problem, and not really an OS problem? I was just wondering because I run Win98 on two main machines, without a virus checker. And have never been hit with these bad viruses. But I also sit behind a Linksys firewall, Zonealarm, use web-base email only, and don't click on EXE & SCR's.

Good point...

[Anonymous Coward]

Don't believe the parent.

Re:Another day, another worm

[magores]

I blame the the EU that clicks on the virus.

(Go ahead and make fun of the following thought process...)

---Gunsmiths make Guns = MS makes OS
---Bulletsmiths make Bullets = Virus writers make viruses
---Dumb people look at the bullet through the barrel and pull the trigger = Dumb people click on *.pif, *.scr ...

Re:Correction

[MegaFur]

Newsman: Next up on our program--when l33t sp33k meets Engrish [engrish.com]

Example [engrish.com]: !4ANG3R! A d@n93r0u5 +0y. +h15 +0y 15 b31n9 m@d3 4 +h3 x+r3m3 pr10r1+y +h3 900d luk5. The l1++l3 p@rt wh1ch 5uph0c@+35 when the sharp p@r+ which 93+5 hurt 15 5w@ll0w3d is c0n+@1n3d 93n3r0u5ly. 0n1y the p3r50n wh0 c@n +@k3 r35p0n51b1l1+y by 1+53lph 15 +0 p1@y.

You may now gibber.

Got you beat

[Anonymous Coward]

I don't even get any spam.

Re:What a nice guy though

[Anonymous Coward]

damn it.. if only we could stuff The Matrix in here we might be able to see Sandra Bullock in a cat suit...