The Origin Of Sobig (And Its Next Phase)

MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, has traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, infected computers will now continue to try to connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.
  • Actually the worm included its own NTP client which it would use to verify the date by querying NTP servers on the Internet.

    Hence this doesn't work. I thought this was a nice touch on the part of the worm author. As well as including NTP, the author had their own SMTP server for sending the messages and used a regular expression engine to search for email addresses on the machine.

    This was not written by a script kiddie.

    John.
  • CNET Mistake (Score:2, Informative)

    by brokencomputer ( 695672 ) on Saturday August 23, 2003 @05:23PM (#6774555) Homepage Journal
    http://wwwi.reuters.com/images/sobig_virus_graphic.gif is a really stupid diagram that isn't correct and is ambiguous, probably causing many misconceptions in CNET readers and Reuters readers.
  • To Clarify... (Score:5, Informative)

    by NetJunkie ( 56134 ) <jason.nash@CHICAGOgmail.com minus city> on Saturday August 23, 2003 @05:26PM (#6774567)
    It's been a busy week. I see a lot of people confusing the different worms/viruses running around.

    SoBig.F - A virus. Exploits no vulnerability in the OS. It only executes when a user runs the attachment. It sends out emails to everyone in your address book and makes the source another address from your book. It runs its own mail server, so filter port 25 outbound.

    Blaster - A worm. This exploits the Windows RPC bug and self-propagates to any unpatched system.

    Welchia/Nachi - A worm. Also exploits the Windows RPC bug and attempts to clean machines infected by Blaster. Unfortunately, it tries to find other systems by doing random pings which can saturate a network.
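NetJunkie's "filter port 25 outbound" advice, as a check a defender can actually run. This is an added example, not code from the original thread or from any product named in it: it parses a constructed outbound-connection log (the hosts, the relay address 10.0.0.5 and the "src:port -> dst:port" line format are all assumptions) and reports workstations that hand mail directly to Internet MX hosts instead of the site relay, which is exactly what a mailer with its own SMTP engine looks like from the gateway.

```python
import re
from collections import defaultdict

# Constructed sample flow log (not from the original page): one outbound TCP
# connection per line, "timestamp src:sport -> dst:dport". 10.0.0.5 plays the
# site's mail relay; everything else is a workstation.
RELAY = "10.0.0.5"
SAMPLE_LOG = """\
2003-08-23T17:26:00Z 10.0.0.12:1187 -> 10.0.0.5:25
2003-08-23T17:26:01Z 10.0.0.12:1188 -> 64.12.138.5:25
2003-08-23T17:26:01Z 10.0.0.12:1189 -> 216.109.118.73:25
2003-08-23T17:26:02Z 10.0.0.12:1190 -> 209.85.128.27:25
2003-08-23T17:26:02Z 10.0.0.12:1191 -> 207.46.130.45:80
2003-08-23T17:26:03Z 10.0.0.40:2201 -> 10.0.0.5:25
2003-08-23T17:26:04Z 10.0.0.5:3310 -> 64.12.138.5:25
2003-08-23T17:26:05Z 10.0.0.77:1050 -> 64.12.138.5:25
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Return (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
    return flows


def direct_smtp_senders(flows, relay=RELAY):
    """Map each host other than the relay to the external hosts it spoke to on tcp/25.

    Under a "filter port 25 outbound" policy every entry here is a violation:
    workstations should only ever hand mail to the relay.
    """
    senders = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport != 25 or src == relay or dst == relay:
            continue
        senders[src].add(dst)
    return dict(senders)


def suspect_mass_mailers(senders, threshold=3):
    """Hosts fanning out to at least `threshold` distinct MX hosts.

    A misconfigured client talks to one or two servers; a mailer carrying its
    own SMTP engine opens a connection to a different MX for each harvested domain.
    """
    return sorted(h for h, dsts in senders.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    found = direct_smtp_senders(parse_flows(SAMPLE_LOG))
    for host, dsts in sorted(found.items()):
        print(f"{host} -> {len(dsts)} external MX host(s): {', '.join(sorted(dsts))}")
    print("probable mass-mailer(s):", suspect_mass_mailers(found))
```

The two functions are deliberately separate: `direct_smtp_senders` lists every policy violation (anything that should have been dropped by the egress rule), while `suspect_mass_mailers` raises the bar to fan-out, which separates a misconfigured mail client from a host that is probably infected and needs to be pulled off the network.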

  • by hankwang ( 413283 ) * on Saturday August 23, 2003 @05:32PM (#6774588) Homepage
    >Worms self-propagate. A virus only propagates when run by a user.

    No, if the thing attaches to legitimate Word documents and executables and whatever, it is a virus. If it is a standalone program, it is a worm. See here. [wikipedia.org].

  • Worm vs. Virus (Score:5, Informative)

    by jaaron ( 551839 ) on Saturday August 23, 2003 @05:35PM (#6774607) Homepage
    A worm is usually a standalone program (runs on its own) and is self-propagating. A virus is a much more general term. In fact, some might argue that a worm is a type of a virus. But in general, a virus infects other software (so it isn't necessarily standalone) and often requires some other application (or human) to transfer it from one location to another.

    There's a good answer on Broadband Report Forum [dslreports.com], or you could try Google [google.com].
  • Not sure this makes sense to me. I am running POPFile and it has been capturing SOBIG from the first reclassification I did and I haven't needed to do any more after that (POPFile seems to think the phrase "program cannot run DOS mode" and PIF attachments are spammy). So even if I did poison the corpus with that person's email address it has had little effect.

    Secondly, because SOBIG includes its own SMTP server the header information in each of the mails will not be the same as the genuine header information from your regular correspondents. So POPFile (and other filters) would still see them as different.

    John.
  • by vondo ( 303621 ) * on Saturday August 23, 2003 @05:57PM (#6774719)
    Actually, SoBig mails appear to come from people with one degree of separation from me. People whom people I know know. Even with something like SpamAssassin which has "auto" white/black listing this is unlikely to be a problem since the penalty for sending one bad mail among many is low and very few of the mails I get are coming from addresses I recognize, let alone correspond with.
  • by advocate_one ( 662832 ) on Saturday August 23, 2003 @06:03PM (#6774749)
    some t0sser called Misiko posted a "DSC-00465.jpeg" file into some binary newsgroups on Monday 18th... it was really a *.jpeg.pif, and would have automatically infected any user browsing those groups using outlook express and image preview set on.

    Unfortunately I've since deleted it (It's an offence to knowingly possess viruses in the UK)

    The message reference that it was in is [MPG.19ab40b72e8ed720989682@news.easynews.com] but google doesn't archive those groups.

    Perhaps that was it???

  • Re:this is why (Score:4, Informative)

    by commodoresloat ( 172735 ) on Saturday August 23, 2003 @06:24PM (#6774843)
    Actually, the first worms [std.com] had nothing to do with javascript or ActiveX, and existed long before them.
  • by indole ( 177514 ) <fluxist@ g m a i l.com> on Saturday August 23, 2003 @06:31PM (#6774882) Homepage
    Although google doesn't archive those groups, they did archive this message [google.com] posted by the virus author in alt.alt.test 9 minutes before the virus was posted elsewhere.

    (You can compare to the message included here [easynews.com] from easynews)
  • by advocate_one ( 662832 ) on Saturday August 23, 2003 @06:57PM (#6775011)
    yup... that was him.

    I actually posted a warning reply to the original post but was obviously too late.


    WARNING - that's a virus. Don't download it... - was Re: Great, who's got more?? DSC-00465.jpeg

    On Mon, 18 Aug 2003 19:55:13 +0000, Misiko wrote:

    > DSC-00465.jpeg
    > MZP

    contained the following item:

    DSC00465.jpeg.pif

    do not in any circumstances open the OP if you're using ms-windows and OE
    etc... I'm safe.


    he was relying on people browsing usenet binaries with insecure newsclients... looks like fertile soil then.
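The two attachment tells raised above, John's POPFile keying on the "program cannot run DOS mode" string and PIF attachments, and advocate_one's DSC00465.jpeg.pif double extension, as one scanner. This is an added example, not code from the thread or from POPFile; the extension lists, the sample message and the fake MZ payload are constructed here (the payload is not a real program, only the markers a PE carries), and the sender address is taken from the spoofed-sender list quoted later in the thread.

```python
import email
from email import policy
from email.message import EmailMessage

# File types Windows will execute on double-click; .pif is the one the posts describe.
EXECUTABLE_EXT = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions used as the middle part of a double extension.
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "zip"}
# Text every Win32 PE carries in its DOS stub; it survives base64 decoding,
# which is why a Bayesian mail filter ends up seeing it as a token.
DOS_STUB = b"This program cannot be run in DOS mode"


def fake_pe_stub():
    """Constructed stand-in for a Win32 executable: MZ magic followed by the DOS stub text.

    It will not run anywhere; it only carries the markers the scanner keys on.
    """
    return b"MZ" + b"\x90" * 62 + DOS_STUB + b".\r\r\n$" + b"\x00" * 16


def classify_attachment(filename, data):
    """Return the reasons an attachment looks like a disguised executable (empty list if none)."""
    reasons = []
    parts = (filename or "").lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    # Content check is independent of the name: a PE renamed to .txt still starts with MZ.
    if data[:2] == b"MZ" or DOS_STUB in data:
        reasons.append("PE/MZ executable content")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return {attachment name: [reasons]} for suspicious parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_content()
        if isinstance(data, str):          # text/* attachments decode to str
            data = data.encode("utf-8", "replace")
        reasons = classify_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample(filename, payload):
    """Constructed test message (not a real capture) carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "admin@internet.com"       # spoofed sender quoted later in the thread
    msg["To"] = "someone@example.com"
    msg["Subject"] = "Re: your picture"
    msg.set_content("See the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, payload in [("DSC00465.jpeg.pif", fake_pe_stub()),
                          ("readme.txt", fake_pe_stub()),
                          ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)]:
        print(name, "->", scan_message(build_sample(name, payload)) or "clean")
```

The name check alone would have caught the Usenet post; the content check is there for the case a filename-based rule misses, an executable shipped under a decoy extension with no executable suffix at all, which a client that trusts the name would still not run but a user told to rename it would.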
  • Re:Idiots. (Score:3, Informative)

    by mabu ( 178417 ) on Saturday August 23, 2003 @07:02PM (#6775029)
    This is yet more evidence that the virus originates from the spam tech community as opposed to the P2P or computer programmer/utility community. Its main level of sophistication primarily involves rapid distribution, and has a very SPAM-like pathology of directing traffic to fixed points on the Internet. This is exactly what UCE does.
  • Re:Damn... (Score:3, Informative)

    by kir ( 583 ) on Saturday August 23, 2003 @07:26PM (#6775118)
    Ummm... don't you mean schadenfreude [reference.com] (with an "r")?
  • by mabu ( 178417 ) on Saturday August 23, 2003 @08:25PM (#6775307)
    We agree there are problems, but this IMO has little to do with the development language. C was designed to be low-level. If you don't like it, don't use it, but there have always been alternatives for programmers who aren't obsessive about quality and control...

    You can write crappy programs in any language, and there are crappy libraries in every OS. At least with C if you want to re-invent the wheel you're doing it on a level that affords you the minimal performance and flexibility penalty.
  • by shaitand ( 626655 ) on Saturday August 23, 2003 @08:26PM (#6775310) Journal
    The OSS community has exactly ZERO motivation to "get the product to market". In case you don't know it, nobody is paying them millions or even buying them a beer for producing a release. In most projects MASSIVE amounts of time are spent looking for bugs and security holes. Want to help? You can go look for security holes in ANY project under development... turn in patches for legit holes and guess what, they'll be accepted.
  • by Anonymous Coward on Saturday August 23, 2003 @08:33PM (#6775333)
    Why not have the worm/virus read Usenet through Google or other Usenet gateways looking for a specific message.

    Why stop there? These things already sniff the web cache on the local machine for e-mail addresses. Why not scour the web cache to look for instructions? Then they can come from any page. If the user visits a web site where random visitors can post comments (ahem...) then there you go.

    0xdeadbeef 1.2.3.4 66.35.250.150 1061685195
  • by Jugalator ( 259273 ) on Sunday August 24, 2003 @07:34AM (#6776893) Journal
    If anyone is interested, here's a "release history" :-P

    SoBig.A [symantec.com]

    - Copies itself over network shares to shared start up folders on other computers.
    - Sends a message to an address on pagers.icq.com.
    - Uses a separate thread to download contents from a specific web site to %windir%\dwn.dat, and later executes it. (later reported to be "Backdoor.Lala")
    - Looks for e-mail addresses to send mails to in the files with these extensions txt, eml, html, htm, dbx, wab.
    - Stores sent messages in the file %Windir%\Sntmls.dat.
    - Uses 4 random subject lines.
    - Uses 4 random attachment names.
    - Always uses big@boss.com in the "From" field in the mails sent.
    - Size: 65,536 bytes

    SoBig.B [symantec.com]

    Changes from SoBig.A:

    - Always uses support@microsoft.com in the "From" field in the mails sent.
    - Uses 9 random subject lines.
    - Uses 9 random attachment names.
    - Uses a deactivation date.
    - Attempts to download data from four different GeoCities Web pages. The addresses of these Web pages are stored in various .ini files.
    - Size: 52,898 bytes

    SoBig.C [symantec.com]

    Changes from SoBig.B:

    - Always uses bill@microsoft.com in the "From" field in the mails sent.
    - Uses 7 random subject lines.
    - Uses 8 random attachment names.
    - Size: ~ 59 KB

    SoBig.D [symantec.com]

    Changes from SoBig.C:

    - Very few infections noticed (0-49 listed at Symantec). Changes unknown due to low infection rate.

    SoBig.E [symantec.com]

    Changes from SoBig.D:

    - Always uses support@yahoo.com in the "From" field in the mails sent.
    - Uses 18 random subject lines.
    - Uses 5 random attachment names.
    - Size: 82,195 bytes (zip file), 86,528 bytes (executable)
    - Sobig.E can download arbitrary files to infected computers and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers. This functionality may also be used as a worm self-update feature. Under the correct conditions, Sobig.E attempts to contact one of the list of master servers, which the author of the worm controls. Then, the worm retrieves a URL that it uses to determine where to get the Trojan file, downloads the Trojan file to the local computer, and then executes it. The day of the week must be Monday or Friday. The time of the day must be between 19:00:00 UTC and 23:59:59 UTC. Sobig.E obtains the UTC time through the NTP protocol, by contacting one of several possible servers on port 123/udp (the NTP port). The worm starts the download attempt by sending a probe to port 8998/udp of the master server. Then, the server replies with a URL, where the worm can download the file to execute.
    - Sobig.E opens the following ports: 995/udp, 996/udp, 997/udp, 998/udp, 999/udp, and it listens for any incoming UDP datagrams on these ports. Incoming datagrams are parsed, and upon receiving a datagram with the proper signature, the master server list of the worm may be updated.

    SoBig.F [symantec.com]

    Changes from SoBig.E:

    - Size: about 72,000 bytes
    - Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.
    - The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server.
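John's point earlier in the thread that the worm checks the date over NTP (so winding the local clock does nothing), and the Sobig.E gate quoted from Symantec above (Monday or Friday, 19:00:00 to 23:59:59 UTC, time obtained over 123/udp), worked through in code. This is an added example, not the worm's code or anything from Symantec: it builds a constructed 48-byte NTP server reply for a chosen UTC instant, parses the transmit timestamp back out the way any NTP client must, and applies the day/hour gate to that time alone. The sample instants are assumptions chosen from the week of the posts (18 August 2003 was a Monday, as the quoted Usenet header shows).

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch


def build_ntp_response(when):
    """Constructed 48-byte NTPv3 server reply whose transmit timestamp is `when` (aware UTC).

    Only the fields a time-checking client reads are meaningful; the rest are plausible filler.
    """
    secs = int(when.timestamp()) + NTP_UNIX_DELTA
    frac = int(when.microsecond / 1_000_000 * (1 << 32))
    li_vn_mode = (0 << 6) | (3 << 3) | 4                # leap=0, version 3, mode 4 = server
    pkt = struct.pack("!BBBb", li_vn_mode, 2, 6, -20)   # stratum 2, poll 2^6 s, precision 2^-20 s
    pkt += struct.pack("!II", 0, 0)                     # root delay, root dispersion
    pkt += b"GPS\x00"                                   # reference identifier
    pkt += struct.pack("!II", secs, frac)               # reference timestamp
    pkt += struct.pack("!II", 0, 0)                     # originate timestamp (client's; unknown here)
    pkt += struct.pack("!II", secs, frac)               # receive timestamp
    pkt += struct.pack("!II", secs, frac)               # transmit timestamp (bytes 40..47)
    assert len(pkt) == 48
    return pkt


def parse_ntp_time(packet):
    """Extract the server's transmit time from an NTP reply as an aware UTC datetime."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode %d)" % (packet[0] & 0x07))
    secs, frac = struct.unpack("!II", packet[40:48])
    if secs == 0:
        raise ValueError("server unsynchronised: zero transmit timestamp")
    return datetime.fromtimestamp(secs - NTP_UNIX_DELTA + frac / (1 << 32), tz=timezone.utc)


# Sobig.E's download window as quoted above: Monday or Friday, 19:00:00-23:59:59 UTC.
SOBIG_E_DAYS = frozenset({0, 4})     # datetime.weekday(): Monday = 0, Friday = 4
SOBIG_E_HOURS = range(19, 24)


def in_trigger_window(when, days=SOBIG_E_DAYS, hours=SOBIG_E_HOURS):
    """True if a UTC time falls inside the day/hour gate."""
    return when.weekday() in days and when.hour in hours


def would_trigger(ntp_reply, days=SOBIG_E_DAYS, hours=SOBIG_E_HOURS):
    """Apply the gate to the time a given NTP reply reports, ignoring the local clock entirely."""
    return in_trigger_window(parse_ntp_time(ntp_reply), days, hours)


# Constructed probe instants from the week of the posts (2003-08-23 was a Saturday).
FRIDAY_EVENING = datetime(2003, 8, 22, 20, 15, tzinfo=timezone.utc)
SATURDAY_EVENING = datetime(2003, 8, 23, 20, 15, tzinfo=timezone.utc)
MONDAY_JUST_BEFORE = datetime(2003, 8, 18, 18, 59, 59, tzinfo=timezone.utc)
MONDAY_OPENING = datetime(2003, 8, 18, 19, 0, 0, tzinfo=timezone.utc)
SUNDAY_EVENING = datetime(2003, 8, 24, 20, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, t in [("Fri 20:15", FRIDAY_EVENING), ("Sat 20:15", SATURDAY_EVENING),
                     ("Mon 18:59:59", MONDAY_JUST_BEFORE), ("Mon 19:00", MONDAY_OPENING)]:
        print(f"{label} UTC -> trigger: {would_trigger(build_ntp_response(t))}")
```

Because the gate is evaluated against the server's transmit timestamp and nothing else, the only local control that touches it is whether the host can reach an NTP server at all, which is an argument for restricting 123/udp outbound to approved time sources rather than for fiddling with the clock. The `days` and `hours` parameters are left open so the same check can be run with the Friday-and-Sunday schedule given for Sobig.F in the story summary; the summary does not state that variant's hours, so they are not hard-coded here.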
