
Russian Denies Writing SoBig Worm

Posted by timothy
from the nyet-nyet-nyet dept.
IphtashuPhitz writes "The Russian spamware programmer anonymously accused earlier this week of writing the Sobig worm has responded to the accusations. Ruslan Ibragimov of Send-Safe doesn't deny that his program uses proxies to hide spammers' identities. But he totally refutes the report's technical analysis in an online interview over at OReilly Network."

  • In Soviet Russia the worms write YOU!
  • I don't buy it (Score:3, Interesting)

    by Commander Trollco (791924) on Wednesday November 03, 2004 @12:44PM (#10712772)
    The bit about headers is believable. But the opcode similarities are harder to defend; anyone know more about this and care to comment? He clearly has a motive, and should be lynched regardless of whether he actually wrote SoBig.
    • by Anonymous Coward
      "He clearly has a motive, and should be lynched regardless of whether he actually wrote sobig."

      Man, the Bush ideology spreads so fast?
    • When merely having a motive justifies punishment, I hang my head and wonder just where the world's headed...
    • Re:I don't buy it (Score:2, Informative)

      by Anonymous Coward
      There are legitimate ways to compare executables (as opposed to the method used by the authors of "Who Wrote SoBig?").

      0) All of these ideas involve disassembly. IDA Pro (http://www.datarescue.com/idabase) is the best disassembler on the market; all ideas below are implemented as extensions to it. Nothing even comes close to its sheer strength, except perhaps the underdeveloped, alpha knockoff Lida (http://lida.sourceforge.net/).

      1) FLIRT signatures (http://www.datarescue.com/idabase/flirt.htm) work surprisingly
  • by jjeffrey (558890) <slash@noSpAm.jamesjeffrey.co.uk> on Wednesday November 03, 2004 @12:44PM (#10712773) Homepage
    ..I bet he doesn't feel SoBig now.
    • by iamlucky13 (795185) on Wednesday November 03, 2004 @12:58PM (#10713001)
      That's alright. He can sell himself some Viagra.

      As long as we're on the topic of spam and such, I think Slashdot has slashdotted itself. The "Bush wins" thread is averaging at least a post every 3 seconds, who knows how many hits, and the server is crawling.
      • Re:After all this.. (Score:2, Interesting)

        by jjeffrey (558890)
        The comment handling in SlashCode has always been a lot heavier to handle than the news pages. I think there is probably a lot more processing involved. I wonder how well optimised the SQL queries are and what the backend technology is - is it still MySQL? - UPDATEs and INSERTs are often going to be slower than SELECTs, but it may be worse if they are using MySQL in replicated mode with one master server to send all the updates to and a few slaves to do selects from. Though I guess that's unlikely with th
      • ..And speaking of that, has anyone else noticed the ugly worm crawling towards the US flag on the main page? Ominous sign?
  • Remember the rules (Score:5, Insightful)

    by Underholdning (758194) on Wednesday November 03, 2004 @12:45PM (#10712787) Homepage Journal
    Rule #1:
    Spammers lie!
  • by sczimme (603413) on Wednesday November 03, 2004 @12:48PM (#10712822)

    The report noted, for example, a strong similarity in the email headers created by Send-Safe and SoBig. But Ibragimov said Send-Safe chose the particular order of headers merely to mimic Outlook Express and to better evade spam filters.

    Somehow I think Ibragimov's righteous indignation over the accusation is a teensy bit misplaced...
  • WTF? (Score:5, Insightful)

    by Otter (3800) on Wednesday November 03, 2004 @12:48PM (#10712836) Journal
    Not that I'm shedding any tears for this guy but does "Anonymous person accuses other person by name on the basis of sketchy circumstantial evidence!" really merit this degree of publicity?
    • Re:WTF? (Score:3, Insightful)

      by gl4ss (559668)
      well.

      I found the biggest piece of evidence to be the opcode similarities, which he doesn't comment on at all, conveniently.

      but would he ADMIT IT? with a $250,000 reward on his head? of course not. but I'd rather have had him refute it totally, by reasoning and not just claiming that it's bullshit (when he even admits himself that he's full of bullshit and into selling software for harassing people who try to _not_ get harassed).

    • by hkb (777908)
      Not that I'm shedding any tears for this guy but does "Anonymous person accuses other person by name on the basis of sketchy circumstantial evidence!" really merit this degree of publicity?

      When said anonymous person's report lists some pretty damning evidence, such as header and code comparisons and analysis, ermm yes.
  • Proxy Shortage (Score:5, Interesting)

    by Rob Carr (780861) on Wednesday November 03, 2004 @12:50PM (#10712866) Homepage Journal
    From the article:
    "Trojans killed my business," he said, noting that many of his customers have recently migrated to "cracked" (pirated) versions of spamware programs such as Dark Mailer, for which they purchase lists of Trojaned proxies from hackers. .... Comments on Send-Safe's discussion forum appear to confirm that the company has had trouble providing users with sufficient proxies for sending spam.
    There's irony in this guy's complaint, and (assuming he didn't write SoBig) at least a little justice. "My heart bleeds for the Snicker-Snack Company" - Linus (the character from "Peanuts," not the software guy)
  • Well, well, well, (Score:3, Interesting)

    by cavac (640390) on Wednesday November 03, 2004 @12:56PM (#10712960) Homepage
    so he doesn't write viruses, just unwanted bulk mail. Makes me much more comfortable. not.
  • For sure he denies. (Score:5, Informative)

    by a_hofmann (253827) on Wednesday November 03, 2004 @12:57PM (#10712973) Homepage
    If you read the original report [tripod.com] you can see hard facts against Ruslan Ibragimov.

    The binary comparison in the report shows evidence for a correlation between Send-Safe and Sobig-F which could be proved if Ibragimov would be forced to open the Send-Safe source.
  • Hmm... (Score:5, Funny)

    by northcat (827059) on Wednesday November 03, 2004 @12:59PM (#10713014) Journal
    Maybe he wrote the "Who wrote the SoBig?" report himself to popularize his "Send-Safe" software... You never know...
  • I'd reserve the phrase "totally refutes" for occasions where.... this actually happens. What I saw of the "refutation" was a few bits of unconvincing excuses and loose logic. The similarity in headers and the number and length of exact code matches is compelling and probably irrefutable evidence.
  • Surprise! (Score:5, Funny)

    by Se7enLC (714730) on Wednesday November 03, 2004 @01:00PM (#10713026) Homepage Journal
    Wow, this is surprising! I was expecting "Russian accused of writing SoBig worm admits to it, despite the flagrant lack of evidence to actually convict him of anything."

  • "Totally refutes"??? (Score:4, Interesting)

    by Zocalo (252965) on Wednesday November 03, 2004 @01:03PM (#10713063) Homepage
    Well let's see. Ibragimov makes a few claims such as "it's bullshit!", "it's a coincidence!" and gives a very brief outline of how SendSafe works, revealing nothing not in the report. He also claims he's not been spoken to by any law enforcement agency regarding the matter, which is possibly true. Hardly a point by point rebuttal is it, and never mind the maxim "spammers lie" which means everything he says will be taken with a huge pinch of salt.

    The only interesting comment I found is that his company is currently having difficulties due to trojans, something that the SendSafe forums seem to confirm. That seems quite probable, but it hardly helps his case - why, exactly, would trojans be causing his SendSafe business any problems? Unless, of course, it might be something to do with other trojans that he didn't write such as NetSky/Sasser preventing SoBig getting as many hosts as it used to? Given that there was a spat between the various trojan authors, complete with a possible Russian connection, just before Sven Jaschen was arrested that at least seems entirely plausible to me.

  • by sulli (195030) *
    In modern Russia, worms write YOU!
  • by advocate_one (662832) on Wednesday November 03, 2004 @01:23PM (#10713341)
    Attributed to Mandy Rice-Davies when asked to comment on Astor's denial of ever seeing her (fact-index.com):
    While giving evidence at the trial of Stephen Ward, Rice-Davies made the quip for which she is most remembered. When the prosecuting counsel pointed out that Astor denied having met her, she replied, "Well, he would, wouldn't he?"
  • Denied (Score:3, Funny)

    by Anonymous Coward on Wednesday November 03, 2004 @01:45PM (#10713686)
    "Only the true Messiah denies his divinity!"
  • He is innocent until proven guilty, just like Scott Peterson and O.J. Simpson.
    • But murderers are only people who killed someone. Spammers are like lawyers: they're not actually people. And the subspecies who write stuff for them aren't even spammers.

      Questions of "innocence" and "guilt" do not apply to these species; they don't have a concept for these things.

      Hopefully, one day, we will find a way to teach such things to these strange, primitive beings so that they can live beside humans in our struggle against the species that dominates this planet and threatens to wipe us out:
      • I wish I could mod you up. Someone actually modded you as off topic and my parent post was modded overrated.

        Sheesh, some people, no sense of understanding or humor. Apparently politicians mod on Slashdot. Who woulda thunk it?
  • The evidence... (Score:5, Insightful)

    by JohnGrahamCumming (684871) * <slashdotNO@SPAMjgc.org> on Wednesday November 03, 2004 @03:03PM (#10714938) Homepage Journal
    If you read the long boring document that fingers this Russian guy you'll see the following "evidence":

    1. Send-Safe and SoBig had the same release dates. Where the margin on "same" is up to 10 days, and there are strange inaccuracies, for example the document states that on 5/23/2003 there was a SoBig release compiled on June 24, 2003. Other evidence hinges on the actions of SSSG without considering the possibility that they were using a hacked version of Send-Safe.

    2. Document contains unfounded statements like "As SSSG appears to be a sizable organization, it would seem unlikely that any individual within the group would actually know the Sobig author(s)."

    3. The skills section is particularly funny since it lists skills like "Newsgroups" and states that the Russian has been posting on Newsgroups since 1998. Woo hoo!

    4. The use of %s section made me want to LOL. The authors see significance in the fact that neither piece of software uses %s to concatenate strings,
    sprintf( together, "%s%s", s1, s2 );
    would be unusual for any C programmer, yet
    sprintf( command, "RCPT TO:<%s>", rcpt );
    looks like something any C programmer would do.

    5. The note on string ordering with an example of SoBig vs Send Safe appears to me to show the opposite of what the authors intended. The two blocks look very different.

    6. A large part of the document is dedicated to showing how the two executables are "similar" at the opcode level. There is no actual evidence here, e.g. how about a disassembly of two identical blocks of code? The comparison is interesting, but doesn't tell us much without being able to see the actual code.

    Overall I thought the PDF file was poorly written, lacking in rigor and provided no real evidence for the naming of this individual.

    Yes, he helps people spam, and that's very, very annoying, but "innocent until proven guilty" people? Or at least "innocent until you actually show some convincing evidence".

    John.
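  The two technical objections above (that opcode-level "exact match" counts say little until shared library code is identified, which is what the FLIRT signatures mentioned earlier do in IDA) can be shown on a toy scale. This is an added example, not code from any commenter or from the report; the byte strings are constructed stand-ins, not SoBig or Send-Safe bytes, and `LIBRARY_BLOCK` plays the role of a runtime both programs link against.

```python
"""Toy opcode-level similarity: raw exact-match statistics vs. the same
statistics after known library code has been removed (FLIRT-style)."""
from difflib import SequenceMatcher

# Constructed stand-ins (not real malware bytes). Both "programs" embed the
# same library block, plus a short prologue and their own distinct code.
LIBRARY_BLOCK = bytes(range(0x50, 0x70)) * 3           # 96 bytes of shared "runtime"
PROGRAM_A = b"\x55\x8b\xec\x83\xec\x10" + LIBRARY_BLOCK + b"\x33\xc0\xc9\xc3" * 4
PROGRAM_B = b"\x55\x8b\xec\x6a\x00\xe8" + LIBRARY_BLOCK + b"\x8b\x45\x08\x5d\xc3" * 3


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte sequence that appears verbatim in both inputs."""
    match = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    return match.size


def ngram_jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the sets of n-byte substrings (a common bulk measure)."""
    grams_a = {a[i:i + n] for i in range(len(a) - n + 1)}
    grams_b = {b[i:i + n] for i in range(len(b) - n + 1)}
    union = grams_a | grams_b
    return len(grams_a & grams_b) / len(union) if union else 0.0


def strip_library(code: bytes, library: bytes) -> bytes:
    """Drop known library code before comparing. IDA's FLIRT signatures identify
    such functions by signature; here the block is known exactly, so a plain
    substring removal is enough for the demonstration."""
    return code.replace(library, b"")


def compare(a: bytes, b: bytes, library: bytes = LIBRARY_BLOCK) -> dict:
    """Similarity before and after library removal, side by side."""
    a2, b2 = strip_library(a, library), strip_library(b, library)
    return {
        "raw_longest_run": longest_common_run(a, b),
        "raw_jaccard": round(ngram_jaccard(a, b), 3),
        "stripped_longest_run": longest_common_run(a2, b2),
        "stripped_jaccard": round(ngram_jaccard(a2, b2), 3),
    }


if __name__ == "__main__":
    for key, value in compare(PROGRAM_A, PROGRAM_B).items():
        print(f"{key:>22}: {value}")
```

  The raw numbers report a 96-byte exact match and over half of all 4-grams shared; once the library block is excluded, the only exact match left is the three-byte function prologue both programs start with, and no 4-gram is shared at all.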
  • by MadFarmAnimalz (460972) on Wednesday November 03, 2004 @04:21PM (#10716066) Homepage
    This is RUSSIA, you morons.

    IT wrote HIM.

    Get your facts straight.
  • by Anonymous Coward
    The bit where he talks about headers is completely stupid and it shows that even in the interview he is lying. If you read the report, they say that Send-Safe's and Sobig's headers are in the same order, which is different from Outlook. So, he's lying.

    Here's the quote from the "Who wrote sobig" article:

    "Although these subtle differences suggest separate source code, the similarities suggest that Send-Safe was the
    template, and not other mailing programs such as Outlook, Netscape, The Bat!, or AMS.

    As these

  • Wow... this story's a whole FOUR hours old, and there's only been 50 or so comments on it? Could this possibly be the least commented-on story in Slashdot's history?

    If I didn't know any better, I'd think that there was something else on most people's minds! :)
  • "Ibragimov, 30, said no one from the FBI or any other law enforcement agency has ever contacted him about the SoBig worm." I wonder how FBI officers would contact Russian citizen in Russia :) No, imagine, that FSB (ex. KGB), or any other Russian secret service officer will knock your door in the middle of American Nowhere. In reality, if you want this guy to pay for his sins, write about this event to fsb@fsb.ru (the address is real, don't "test" it!), I guess after some requests they will consider talkin
