So, Who Wrote Sobig?

An anonymous reader writes "F-Secure's Virus Blog posted links to a 48-page technical study on who wrote the infamous Sobig worm which went around the world last year. The study is done by anonymous authors. The study concludes that the author of this worm is a Russian programmer and goes all the way to naming him. This file has now been posted publicly, but only on Geocities and Tripod. So you can have a look for yourself and make your own conclusions."
  • Mirror! (Score:5, Informative)

    by Emrikol ( 21551 ) * <emrikol&decarbonated,org> on Monday November 01, 2004 @12:01PM (#10686217) Homepage
    I'm a whore! Mirror: HERE! [decarbonated.org]
  • Kasperski (Score:5, Informative)

    by mirko ( 198274 ) on Monday November 01, 2004 @12:05PM (#10686281) Journal
    A French magazine [acbm.com] named Kasperski, a former KGB agent and now an antivirus publisher.
    They said he happened to develop such things and then ask the major AV editors to bid in order to get the virus specs first...
    Not sure if it's that accurate but it will sure raise some tin-foil-heads interest...
  • by VC ( 89143 ) * on Monday November 01, 2004 @12:05PM (#10686282)
    Ruslan Ibragimov of Russia
  • not gmail invites (Score:0, Informative)

    by Anonymous Coward on Monday November 01, 2004 @12:08PM (#10686325)
    The above links are not gmail invites. Look closely at the real URLs.
  • Re:motivation (Score:4, Informative)

    by Anonymous Coward on Monday November 01, 2004 @12:14PM (#10686393)
    This is bs. The word linux did not appear once in the paper. Furthermore, all the other software written by him mentioned in the paper was windows software, mostly used for spamming.
  • Re:motivation (Score:4, Informative)

    by Anonymous Coward on Monday November 01, 2004 @12:14PM (#10686403)
    5.4 Motive to Write Sobig

    Senders of spam typically relay their email messages through open proxy servers in a continuing effort to obscure the true sending host. With the proliferation of blacklists and other anti-spam systems, spam senders are finding it more and more difficult to locate available open proxy servers. By opening multiple proxy services on millions of compromised systems, a spam sender could very quickly and anonymously relay messages without the fear of being identified. Sobig provides the following two benefits for spam senders:

    1. Sobig opens multiple proxy servers on systems that are not blacklisted;
    2. Sobig spreads very quickly, infecting and re-infecting millions of systems in under a week.

    These benefits provide spam senders with a very large base of open proxy servers. Even though most of the infected systems will be cleaned within a week, there will be some systems that will remain infected to continually provide open proxies for weeks or even months. We believe that Sobig was most likely written to support spam software. Any user or developer of spam mailing software, including Ruslan Ibragimov and Send-Safe, would be financially eager to leverage malware such as Sobig.

    Doesn't say anything about linux as far as I can see....
  • by Anonymous Coward on Monday November 01, 2004 @12:16PM (#10686418)
    One site was down before the story went active. The other shouldn't last long. The document is 48 pages. 26 are a hex dump. Here are two pages, sections 1 & 2, the Introduction and Overview. Pardon the messy text; I imported from PDF and fixed it up as best I could quickly.

    1 About This Document

    August 18, 2003 was a day of infamy in the world of computer software malware. The Sobig virus, as it was affectionately named by the anti-virus industry, infected hundreds of thousands of computers within just a few short hours. W32.Sobig.F@mm was a mass-mailing, network-aware worm that sent itself to all the email addresses it could find, worldwide.

    Within two days after Sobig was released, an estimated $50 million in damages were reported in the US alone. China had reported over 30% of email traffic had been infected by Sobig, equivalent to over 20 million users! After interrupting freight operations and grounding Air Canada, Sobig went on to cripple computing operations within even the most advanced technology companies, such as Lockheed Martin. Sobig was so virulent that on November 5, 2003 Microsoft, in coordination with the FBI, Secret Service, and Interpol, set up the Anti-Virus Reward Program.
    Backed by $5 million from Microsoft, the program offered a $250,000 bounty for information leading to the arrest and conviction of the Sobig author. As the one year anniversary of the Anti-Virus Reward Program bounty for Sobig approaches, we felt this was an appropriate time to publicly release the current state of our Sobig forensic investigation. Appropriately, the authors of this document have chosen to release it anonymously for many reasons, some of which are:

    By releasing the information publicly, we hope to increase tips to law enforcement concerning the Sobig authorship and spur efforts toward apprehension of the malware author(s);

    This document shows how computer forensics can identify virus authors. The computer forensic methods demonstrated throughout this document have been utilized to successfully identify authors of other viruses as well;

    Our focus is the objective analysis of Sobig. It is our contention, position, and belief that associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation.

    The following public PGP key is provided for document validation, with the private key component safely locked away so as to eliminate any future chance of a lost key pair. Any individual or entity that claims authorship should be able to validate their 'authorship' by signing a message with the corresponding PGP private key.

    The included PGP public key prevents unscrupulous people from claiming ownership of this document or attempting to collect the Microsoft bounty;

    As this document is present on multiple mirrored sites and has been turned over to law enforcement, anyone modifying the PGP public key will be unable to pass a fake key for potential bounty award;

    This PGP public key will only be included in this document. Other documents, where malcontents attempt to place our ownership on other findings, should be considered forgeries unless they include a message signed with the PGP private key.

    In the event that any individual or entity may be able to identify the authors of this document, we urge you to respect our request for anonymity.

    2 Overview

    Sobig was a virus specifically designed to aid the anonymity of spammers. Sobig opened up services that enabled spammers to relay their emails anonymously. Although publicly the motivation and author of the Sobig virus is unknown, through the use of forensics and profiling, we have identified a very likely suspect and motive. Our research indicates that Ruslan Ibragimov of Moscow, Russia, and/or Ibragimov's development team, authored the Sobig virus. Ibragimov himself is the author of Send-Safe, a bulk mailing tool product that was explicitly designed for sending unsolicited em
  • Another mirror (Score:2, Informative)

    by alienfluid ( 677872 ) on Monday November 01, 2004 @12:17PM (#10686434) Homepage
    Another mirror here [lafayette.edu]
  • Re:motivation (Score:2, Informative)

    by Daedala ( 819156 ) on Monday November 01, 2004 @12:20PM (#10686480)
    Where did you get that idea? I admit didn't have time to read the entire paper thoroughly -- I just skimmed it -- but I don't see any anti-Windows sentiment discussed. They're pretty clear that they think the motive for SoBig was spam:
    5.4 Motive to Write Sobig
    ......
    We believe that Sobig was most likely written to support spam software. Any user or developer of spam mailing software, including Ruslan Ibragimov and Send-Safe, would be financially eager to leverage malware such as Sobig.
    Writing viruses for spam propagation is big business. [oreillynet.com]
  • by SonicBurst ( 546373 ) on Monday November 01, 2004 @12:29PM (#10686598) Homepage
    I don't know if you read much code, but most virus code is horrible. Quite a bit of it is straight from a point-and-click virus builder, and the stuff that is hand written tends not to work as intended. Of course, I am talking about a virus, so maybe it works just like the author wanted it to for all I know....
  • Re:Copyright (Score:2, Informative)

    by r2q2 ( 50527 ) <<zitterbewegung> <at> <gmail.com>> on Monday November 01, 2004 @12:43PM (#10686832) Homepage
    In the document and website they allow anyone to copy and distribute it. RTFA before posting
  • by JASegler ( 2913 ) <jasegler@@@gmail...com> on Monday November 01, 2004 @01:02PM (#10687163)
    If you actually read the PDF you would see that they compared the opcode sequences between sobig and various programs.

    The important bit is that when sobig was compared to Atomic Mail Sender (AMS) they didn't find much in the way of opcode sequence matches. What was there was standard glue code that just has to be there.

    When they compared sobig to Send-Safe they found big chunks of common code, strings, etc.

    And they don't say that Ruslan Ibragimov is the author. They say he and/or his development team.
    Assuming he has 4-5 developers working for him it could be one developer who swiped the Send-Safe code and used it to develop sobig. Although I would bet on Ruslan giving the nod on the development of sobig.

    This type of analysis is how people find GPL violations. Unless you take a lot of effort to completely rearrange the code it keeps the same signatures, embedded strings, etc.

    The analysis appears to be sound. LEA should use Ruslan as a starting point to track down the person(s) responsible for sobig.

    But since we are talking about spam tool/virus/worm writers I think the Aliens quote is best..

    I say we dust off and nuke the site from orbit. It's the only way to be sure.

    -Jerry
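The comparison the comment above describes, as an added example that is not code from the paper or from any product named in the thread: a sample is compared with each candidate on shared code n-grams, on the longest shared byte run and on shared embedded strings, and whatever also appears in an unrelated baseline is discounted so that "glue code that just has to be there" is not counted as evidence. Every byte string, section layout and name here (Sample, WORM, TOOL_X, TOOL_Y, GLUE, RELAY_ROUTINE and friends) is constructed for the example and is not taken from Sobig, Send-Safe or Atomic Mail Sender; a real run would work over disassembled opcode sequences with immediates and addresses masked, since raw bytes differ wherever a relocation or a string offset differs.

```python
"""Toy version of the comparison described in the thread: shared code n-grams,
longest common byte run and shared embedded strings, each discounted against an
unrelated baseline so that standard glue code is not counted as evidence.
Every byte string here is constructed for the example; none is taken from
Sobig, Send-Safe, Atomic Mail Sender or any other real binary."""
from __future__ import annotations

import re
from typing import NamedTuple


class Sample(NamedTuple):
    name: str
    text: bytes   # stand-in for a .text (code) section
    rdata: bytes  # stand-in for a read-only data section holding strings


# Constructed x86-flavoured fragments (hypothetical; chosen so the shared parts are known).
GLUE = bytes.fromhex("558bec83ec105356578b7d08"   # prologue: push ebp; mov ebp,esp; sub esp,16; push regs
                     "5f5e5b8be55dc3")            # epilogue: pop regs; mov esp,ebp; pop ebp; ret
RELAY_ROUTINE = bytes.fromhex("8b750c8b7d108b4d14f3a4"    # load src/dst/len; rep movsb
                              "6a006a19ff7508e810000000"  # push 0; push 25; push [ebp+8]; call
                              "85c0")                     # test eax,eax
WORM_ONLY = bytes.fromhex("33c0b92a0000008d55f0c6024dc642015a")
TOOL_X_ONLY = bytes.fromhex("b20afeca743c3bd17c04eb06")
TOOL_Y_CORE = bytes.fromhex("bf7e2c3a1dbe9f4b6e718a0632c188074647e2f5")

# The "worm" shares RELAY_ROUTINE with tool X only; all three share GLUE and generic SMTP strings.
WORM = Sample("worm", GLUE + RELAY_ROUTINE + WORM_ONLY + GLUE,
              b"HELO %s\x00MAIL FROM:<%s>\x00RCPT TO:<%s>\x00relay_pool_init\x00bad proxy port %d\x00")
TOOL_X = Sample("tool_x", GLUE + TOOL_X_ONLY + RELAY_ROUTINE + GLUE,
                b"HELO %s\x00MAIL FROM:<%s>\x00RCPT TO:<%s>\x00relay_pool_init\x00bad proxy port %d\x00license check\x00")
TOOL_Y = Sample("tool_y", GLUE + TOOL_Y_CORE + GLUE,
                b"HELO %s\x00MAIL FROM:<%s>\x00RCPT TO:<%s>\x00mailer core v2\x00")


def byte_ngrams(code: bytes, n: int = 4) -> set[bytes]:
    """All n-byte windows of a code section (a cheap stand-in for opcode sequences)."""
    return {code[i:i + n] for i in range(len(code) - n + 1)}


def extract_strings(data: bytes, min_len: int = 4) -> set[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte sequence present in both (O(len(a)*len(b)) DP)."""
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def compare(sample: Sample, candidate: Sample, baseline: Sample, n: int = 4) -> dict:
    """Similarity of sample to candidate, discounting anything also found in an unrelated baseline."""
    s, c, b = (byte_ngrams(x.text, n) for x in (sample, candidate, baseline))
    shared = s & c
    shared_strings = extract_strings(sample.rdata) & extract_strings(candidate.rdata)
    return {
        "ngram_jaccard": round(jaccard(s, c), 3),
        "shared_ngrams": len(shared),
        "distinctive_ngrams": len(shared - b),   # shared code not explained by common glue
        "longest_common_run": longest_common_run(sample.text, candidate.text),
        "distinctive_strings": sorted(shared_strings - extract_strings(baseline.rdata)),
    }


if __name__ == "__main__":
    print("worm vs tool_x:", compare(WORM, TOOL_X, baseline=TOOL_Y))
    print("worm vs tool_y:", compare(WORM, TOOL_Y, baseline=TOOL_X))
```

Against tool X the worm keeps a 25-byte common run and 22 shared n-grams that the baseline cannot explain, plus two non-generic strings; against tool Y only the 19-byte prologue/epilogue and the SMTP verbs survive, and all of those are discounted. That asymmetry, not the raw Jaccard score, is what a reviewer should look at, since the raw score is inflated by exactly the glue every compiler emits.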
