The Origin Of Sobig (And Its Next Phase)
MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, has traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try to connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.
Re:Instructions to cure worm. (Score:5, Informative)
Hence this doesn't work. I thought this was a nice touch on the part of the worm author. As well as including NTP, the author had their own SMTP server for sending the messages and used a regular expression engine to search for email addresses on the machine.
This was not written by a script kiddie.
John.
CNET Mistake (Score:2, Informative)
To Clarify... (Score:5, Informative)
SoBig.F - A virus. Exploits no vulnerability in the OS. It only executes when a user runs the attachment. It sends out emails to everyone in your address book and makes the source another address from your book. It runs its own mail server, so filter port 25 outbound.
Blaster - A worm. This exploits the Windows RPC bug and self-propagates to any unpatched system.
Welchia/Nachi - A worm. Also exploits the Windows RPC bug and attempts to clean machines infected by Blaster. Unfortunately, it tries to find other systems by doing random pings which can saturate a network.
Re:Stupid, Offtopic, Newbie, Question (Score:2, Informative)
No, if the thing attaches to legitimate Word documents and executables and whatever, it is a virus. If it is a standalone program, it is a worm. See here. [wikipedia.org].
Worm vs. Virus (Score:5, Informative)
There's a good answer on Broadband Report Forum [dslreports.com], or you could try Google [google.com].
Re:Sobig was created to defeat Bayesian Filters. (Score:4, Informative)
Secondly, because SOBIG includes its own SMTP server the header information in each of the mails will not be the same as the genuine header information from your regular correspondents. So POPFile (and other filters) would still see them as different.
John.
Re:Sobig was created to defeat Bayesian Filters. (Score:4, Informative)
Saw the b'stard launched (Score:5, Informative)
Unfortunately I've since deleted it (It's an offence to knowingly possess viruses in the UK)
The message reference that it was in is [MPG.19ab40b72e8ed720989682@news.easynews.com] but google doesn't archive those groups.
Perhaps that was it???
Re:this is why (Score:4, Informative)
Virus author's other post (Score:5, Informative)
(You can compare to the message included here [easynews.com] from easynews)
Re:Virus author's other post (Score:3, Informative)
I actually posted a warning reply to the original post but was obviously too late.
He was relying on people browsing usenet binaries with insecure newsclients... looks like fertile soil then.
Re:Idiots. (Score:3, Informative)
Re:Damn... (Score:3, Informative)
Re:Quit using C/C++, lose the buffer overflows (Score:3, Informative)
You can write crappy programs in any language, and there are crappy libraries in every OS. At least with C if you want to re-invent the wheel you're doing it on a level that affords you the minimal performance and flexibility penalty.
Re:Another day, another worm (Score:3, Informative)
Re:Instructions to cure worm. (Score:1, Informative)
Why stop there? These things already sniff the web cache on the local machine for e-mail addresses. Why not scour the web cache to look for instructions? Then they can come from any page. If the user visits a web site where random visitors can post comments (ahem...) then there you go.
0xdeadbeef 1.2.3.4 66.35.250.150 1061685195
Re:What a nice guy though (Score:4, Informative)
SoBig.A [symantec.com]
- Copies itself over network shares to shared start up folders on other computers.
- Sends a message to an address on pagers.icq.com.
- Uses a separate thread to download contents from a specific web site to %windir%\dwn.dat, and later executes it. (later reported to be "Backdoor.Lala")
- Looks for e-mail addresses to send mails to in the files with these extensions txt, eml, html, htm, dbx, wab.
- Stores sent messages in the file %Windir%\Sntmls.dat.
- Uses 4 random subject lines.
- Uses 4 random attachment names.
- Always uses big@boss.com in the "From" field in the mails sent.
- Size: 65,536 bytes
SoBig.B [symantec.com]
Changes from SoBig.A:
- Always uses support@microsoft.com in the "From" field in the mails sent.
- Uses 9 random subject lines.
- Uses 9 random attachment names.
- Uses a deactivation date.
- Attempts to download data from four different GeoCities Web pages. The addresses of these Web pages are stored in various
- Size: 52,898 bytes
SoBig.C [symantec.com]
Changes from SoBig.B:
- Always uses bill@microsoft.com in the "From" field in the mails sent.
- Uses 7 random subject lines.
- Uses 8 random attachment names.
- Size: ~ 59 KB
SoBig.D [symantec.com]
Changes from SoBig.C:
- Very few infections noticed (0-49 listed at Symantec). Changes unknown due to low infection rate.
SoBig.E [symantec.com]
Changes from SoBig.D:
- Always uses support@yahoo.com in the "From" field in the mails sent.
- Uses 18 random subject lines.
- Uses 5 random attachment names.
- Size: 82,195 bytes (zip file), 86,528 bytes (executable)
- Sobig.E can download arbitrary files to infected computers and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers. This functionality may also be used as a worm self-update feature. Under the correct conditions, Sobig.E attempts to contact one of the list of master servers, which the author of the worm controls. Then, the worm retrieves a URL that it uses to determine where to get the Trojan file, downloads the Trojan file to the local computer, and then executes it. The day of the week must be Monday or Friday. The time of the day must be between 19:00:00 UTC and 23:59:59 UTC. Sobig.E obtains the UTC time through the NTP protocol, by contacting one of several possible servers on port 123/udp (the NTP port). The worm starts the download attempt by sending a probe to port 8998/udp of the master server. Then, the server replies with a URL, where the worm can download the file to execute.
- Sobig.E opens the following ports: 995/udp, 996/udp, 997/udp, 998/udp, 999/udp, and it listens for any incoming UDP datagrams on these ports. Incoming datagrams are parsed, and upon receiving a datagram with the proper signature, the master server list of the worm may be updated.
SoBig.F [symantec.com]
Changes from SoBig.E:
- Size: about 72,000 bytes
- Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.
- The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server
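The Sobig.E update mechanism summarized in the post above (NTP time fetch on 123/udp, a Monday/Friday 19:00:00-23:59:59 UTC window, a probe to 8998/udp on a master server, and a listener on 995-999/udp that accepts master-list updates) translates directly into network detection logic. The following is an added example written for this page, not code from the original thread or from Symantec: it checks whether a timestamp falls in the activation window and flags the probe and listener traffic in a flow log. The flow log format and the sample records are constructed for illustration; the ports, days and hours are taken from the write-up above.

```python
"""Detection logic for the Sobig.E update mechanism described above.

Added example, not code from the original page or from Symantec. Ports,
days and hours come from the write-up above; the flow log format and the
sample records are constructed for illustration.
"""
import re
from collections import namedtuple
from datetime import datetime, timezone

NTP_PORT = 123                     # worm fetches UTC time over 123/udp
PROBE_PORT = 8998                  # worm probes the master server on 8998/udp
LISTEN_PORTS = range(995, 1000)    # worm listens on 995/udp .. 999/udp
ACTIVE_DAYS = {0, 4}               # Monday and Friday (datetime.weekday)
WINDOW_HOURS = range(19, 24)       # 19:00:00 .. 23:59:59 UTC

Flow = namedtuple("Flow", "ts proto src sport dst dport")
Alert = namedtuple("Alert", "kind src dst ts in_window")

# Constructed flow log (hypothetical format: ISO UTC time, proto, src:port -> dst:port).
# 2003-08-22 was a Friday, 2003-08-20 a Wednesday.
SAMPLE_FLOWS = """\
2003-08-22T20:14:30Z udp 10.0.0.7:1033 -> 198.51.100.1:123
2003-08-22T20:14:31Z udp 10.0.0.7:1034 -> 192.0.2.44:8998
2003-08-22T20:14:32Z udp 192.0.2.44:8998 -> 10.0.0.7:1034
2003-08-22T20:20:00Z udp 203.0.113.9:4000 -> 10.0.0.7:997
2003-08-20T20:14:31Z udp 10.0.0.8:1034 -> 192.0.2.44:8998
2003-08-22T10:00:00Z udp 10.0.0.9:1050 -> 198.51.100.1:123
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")


def utc_ts(text):
    """Parse '2003-08-22T20:14:30Z' into a POSIX timestamp (float)."""
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def in_activation_window(ts):
    """True when a UTC timestamp is inside the worm's download window."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.weekday() in ACTIVE_DAYS and dt.hour in WINDOW_HOURS


def parse_flows(text):
    """Parse the constructed flow format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, sport, dst, dport = m.groups()
        flows.append(Flow(utc_ts(ts), proto.lower(), src, int(sport), dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def detect(text, ntp_lookback=300):
    """Return alerts for Sobig.E-style traffic in a flow log.

    - an outbound UDP probe to 8998 is flagged; if the same source queried an
      NTP server within ntp_lookback seconds beforehand, the alert kind says so
    - inbound UDP to 995-999 (the worm's listener) is flagged as a possible
      master-server-list update
    Each alert records whether it fell in the Monday/Friday 19:00-23:59 UTC window.
    """
    alerts = []
    last_ntp = {}  # src address -> timestamp of its most recent NTP query
    for f in parse_flows(text):
        if f.proto != "udp":
            continue
        if f.dport == NTP_PORT:
            last_ntp[f.src] = f.ts
        elif f.dport == PROBE_PORT:
            kind = "probe_8998"
            if f.src in last_ntp and f.ts - last_ntp[f.src] <= ntp_lookback:
                kind = "probe_8998_after_ntp"
            alerts.append(Alert(kind, f.src, f.dst, f.ts, in_activation_window(f.ts)))
        elif f.dport in LISTEN_PORTS:
            alerts.append(Alert("listener_995_999", f.src, f.dst, f.ts,
                                in_activation_window(f.ts)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        stamp = datetime.fromtimestamp(a.ts, tz=timezone.utc).isoformat()
        print(f"{stamp} {a.kind:22} {a.src} -> {a.dst} in_window={a.in_window}")
```

The NTP-then-probe ordering is the useful signal here: a lone UDP packet to 8998 could be anything, but a host that asks an external time server and then immediately probes a fixed address on 8998/udp inside the Monday/Friday evening window matches the behaviour in the write-up closely. Hosts that were taken offline (the 19 of 20 in the summary) still generate the probe, so the flag should fire on the attempt, not only on a reply.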