Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Worms Security

So, Who Wrote Sobig? 187

An anonymous reader writes "F-Secure's Virus Blog posted links to a 48-page technical study on who wrote the infamous Sobig worm which went around the world last year. The study is done by anonymous authors. The study concludes that author of this worm is a Russian programmer and goes out all the way to name him. This file has now been posted publicly but on Geocities and and Tripod. So you can have a look by yourself and make your own conclusions."
This discussion has been archived. No new comments can be posted.

So, Who Wrote Sobig?

Comments Filter:
  • Mirror! (Score:5, Informative)

    by Emrikol ( 21551 ) * <emrikol.decarbonated@org> on Monday November 01, 2004 @12:01PM (#10686217) Homepage
    I'm a whore! Mirror: HERE! []
  • by Anonymous Coward on Monday November 01, 2004 @12:02PM (#10686226)
    Not me.
  • by Anonymous Coward
    What do they have 10MB of transfer a day?
  • by Anonymous Coward on Monday November 01, 2004 @12:03PM (#10686255) been posted publicly but on Geocities and and Tripod. So you can have a look...

    Ummm, you realize that you're telling the entire /. community that they should look at Geocities and Tripod accounts, right? This should last, oh, about 5 seconds.

  • Kasperski (Score:5, Informative)

    by mirko ( 198274 ) on Monday November 01, 2004 @12:05PM (#10686281) Journal
    A French magazine [] named Kasperski, a former KGB agent and now an antivirus publisher.
    They said he happened to develop such things and then ask the major AV editors to bid in order to get the virus specs first...
    Not sure if it's that accurate but it will sure raise some tin-foil-heads interest...
    • Re:Kasperski (Score:5, Insightful)

      by gmuslera ( 3436 ) on Monday November 01, 2004 @12:43PM (#10686845) Homepage Journal
      The old myth that says that the antivirus makers are the ones that are developing virus? I use AVP/KAV [] since a decade ago, first in DOS and now in Linux, and is one of the best (if not THE best) available antivirus on the market.

      Even know someone that programmed a test virus long time ago, and sent to antivirus publishers to see how well it could be detected, and the response from the community of that time, specially the people from Kaspersky, was very against that kind of "tests", so is very improbable what you are telling there (and that includes too most of the other biggest players 10 years ago if the same is said about i.e. F-Prot or McAfee people)

      At least without hard proof (not just speculation or just urban myths) i would give that notice the same weight as that Bill Gates is sending big bucks to any that continues a chain letter.

      • If you'd ever used AVP on windows... well, scratch that. If you had lately used AVP on windows, you would not think that it was the best or even one of the best available antivirus programs around. When it came out it was the best NT scanner available but then it went right in the toilet, something about the way it scans impacts system performance more than Symantec AV 9 or Avast!, the only other two virus scanning applications I've compared it against to be honest. Still, one of those is freeware, so AVP c
      • If I were an antivirus company writing viruses and someone came up to me asking to use a "test" virus I'd be very public about not approving of that sort of behaviour.
      • wow, I have owned my own pcs since about 1992 and been online since about 1994 and I have NEVER had ANY virus software on any of my pc's (windows xp os currently on my main pc) which are on and connected 24/7.

        Don't believe the rubbish these idiots spew. The only virus software you need is common sense.
        • Re:Kasperski (Score:3, Insightful)

          by gmuslera ( 3436 )
          Never was infected by a virus myself. But had a BBS whose files were checked against virus, worked in LANs where workers had not a lot of common sense sometimes, and avp is pretty good for checking for virus in mail servers (i.e. teamed up with anomy sanitizer []).

          To be "unprotected" from virus is ok if you have common sense, firewalls and safe software (i.e. windows is not in that category, and if well linux is pretty safe against virus, maybe is not 100% safe against worms), but when you talk about a lot o

        • That used to be true, but with things like IE bugs you never know.

          I've got a machine that sits in the corner and generally doesn't get used a lot. The other day it came up with a bizarre dialog - "Windows Messenger is shutting down". Well the messenger service is disabled on that machine, so I pulled the plug and ran AVG across it - found a trojan embedded in the "System Restore" folder (which is also disabled, precisely for that reason, as trojans re-install themselves on reboot if you clean them with t
  • by VC ( 89143 ) * on Monday November 01, 2004 @12:05PM (#10686282)
    Ruslan Ibragimov of Russia
  • Heh... (Score:5, Funny)

    by Blue-Footed Boobie ( 799209 ) on Monday November 01, 2004 @12:07PM (#10686300)
    Kinda funny how the BSD devil up on the /. bar is looking at the worm...maybe he fears retribution?
    • Perhaps with the security reputation of the *BSD shall slay the Worm instead of fear. He is facing the worm head on with a pitchfork in his hand...
  • by Wig ( 778245 )
    There never seems to be any good American programmers who write malicious code and viruses like this. Ah well, where's Kevin Mitnick? :-P
    • There are more computer users in the US than many other countries. So, are "hackers" in US sitting back because of fear?

      Actually, this cannot be attributed to tougher law enforcement or any other similar reasons. The thing is that there are not that many big Viruses/Worms/Anything-else-you-want-to-call-them around. So the possibility of the virus-writer being from any random country is almost equal. (My English skills arent so good, so please forgive me if my sentences werent clear.)
    • by SonicBurst ( 546373 ) on Monday November 01, 2004 @12:29PM (#10686598) Homepage
      I don't know if you read much code, but most virus code is horrible. Quite a bit of it is straight from a point-and-click virus builder, and the stuff that is hand written tends not to work as intended. Of course, I am talking about a virus, so maybe it works just like the author wanted it to for all I know....
    • There never seems to be any good American programmers who write malicious code and viruses like this.

      It all got outsourced to Asia.

    • Most of the time those programmers are doing constructive things. Its only the underpaied programmers that are disgruntled or program viruses for profit thats who would write the good malicious code.
    • Ahh well, the explanation is simple.

      In the US, we had the Hacker Crackdown [] of the late 80's and early 90's where law enforcement started taking computer crime a little more seriously. Plus, after Kevin Mitnick was forbidden from accessing a computer for years that would probably be enough to discourage most U.S. hackers.

      On the other hand, mosst of these worm-writers have been writing their viruses and malware in countries that have computer crime laws that are either weak, not enforced, or both. Thus,

    • I suppose if I lived in Siberia surrounded by hairy fat women, I'd have the motivation to focus on virus writing too. For that I am jealous.

      I always wonder what sort of virus writing potential I could have had if I wasn't f'ing supermodels in southern california. Im going to go out front, their shooting another episode of baywatch... wait, thats just a bunch of girls... my bad.

      No slashdot readers will believe me, watch.
  • Viruses for profit (Score:5, Interesting)

    by Tx ( 96709 ) on Monday November 01, 2004 @12:15PM (#10686414) Journal
    Malware written for fun isn't any less damaging, I guess, but when apparently written specifically for a commercial purpose (sending spam in this case) it's certainly more annoying IMHO. At least if this case is anything to go by, there's likely to be more of a forensic trail left by the perpetrators due to the associated commercial activities. I hope this Ibragimov guy gets what's coming to him.
    • by Daedala ( 819156 ) on Monday November 01, 2004 @12:36PM (#10686701)
      Malware for profit is worse.

      The problem isn't that professionals are necessarily better than amateurs at a task -- we know this isn't true. But being a professional allows you to work full-time on something. Many people are motivated by financial rewards (and egoboo doesn't put bread on the table, either).

      When a lot of money gets involved, organized crime gets involved, and they bring with them the infrastructure for serious misdeeds.

      I want my script kiddiez back.

    • Okay so he gets some felony conviction. Will this make corporate america stop buying windows based systems and if they don't then run them without a firewall?

      Will people wise up to the fact that allowing binaries in email is just dangerous?

      Toss 1 million hackers in prison, a kid with a visual basic book and an hour to burn can take down most systems. That's the problem; we're all driving pintos and complaining about yellow lights being too short. Treating just the symptom gets old fast.

      Oh well I gotta g
  • by Anonymous Coward on Monday November 01, 2004 @12:16PM (#10686418)
    One site was down before the story went active. The other shouldn't last long. The document is 48 pages. 26 are a hex dump. Here are two pages, sections 1 & 2, the Introduction and Overview. Pardon the messy text; I imported from PDF an fixed it up as best I could quickly.

    1 About This Document

    August 18, 2003 was a day of infamy in the world of computer software malware. The Sobig virus, as it was affectionately named by its the anti-virus industry, infected hundreds of thousands of computers within just a few short hours. W32.Sobig.F@mm was a mass-mailing, network-aware worm that sent itself to all the email addresses it could find, worldwide.

    Within two days after Sobig was released, an estimated $50 million in damages were reported in the US alone. China had reported over 30% of email traffic had been infected by Sobig, equivalent to over 20 million users! After interrupting freight operations and grounding Air Canada, Sobig went on to cripple computing operations within even the most advanced technology companies, such as Lockheed Martin. Sobig was so virulent that on November 5, 2003 Microsoft, in coordination with the FBI, Secret Service, and Interpol, setup the Anti-Virus Reward Program.
    Backed by $5 million from Microsoft, the program offered a $250,000 bounty for information leading to the arrest and conviction of the Sobig author. As the one year anniversary of the Anti-Virus Reward Program bounty for Sobig approaches, we felt this was an appropriate time to publicly release the current state of our Sobig forensic investigation. Appropriately, the authors of this document have chosen to release it anonymously for many reasons, some of which are:

    By releasing the information publicly, we hope to increase tips to law enforcement concerning the Sobig authorship and spur efforts toward apprehension of the malware author(s);

    This document shows how computer forensics can identify virus authors. The computer forensic methods demonstrated throughout this document have been utilized to successfully identify authors of other viruses as well;

    Our focus is the objective analysis of Sobig. It is our contention, position, and belief that associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation.

    The following public PGP key is provided for document validation, with the private key component safely locked away as to eliminate any future chance of a lost key pair. Any individual or entity that claims authorship should be able to validate their 'authorship' by signing a message with the corresponding PGP private key.

    The included PGP public key prevents unscrupulous people from claiming ownership of this document or attempting to collect the Microsoft bounty;

    As this document is present on multiple mirrored sites and has been turned over to law enforcement, anyone modifying the PGP public key will be unable to pass a fake key for potential bounty award;

    This PGP public key will only be included is this document. Other documents, where malcontents attempt to place our ownership on other findings, should be considered forgeries unless they include a message
    signed with the PGP private key.

    In the event that any individual or entity may be able to identify the authors of this document, we urge you to respect our request for anonymity.

    2 Overview

    Sobig was a virus specifically designed to aid the anonymity of spammers. Sobig opened up services that enabled spammers to relay their emails anonymously. Although publicly the motivation and author of the Sobig virus is unknown, through the use of forensics and profiling, we have identified a very likely suspect and motive. Our research indicates that Ruslan Ibragimov of Moscow, Russia, and/or Ibragimov's development team, authored the Sobig virus. Ibragimov himself is the author of Send-Safe, a bulk mailing tool product that was explicitly designed for sending unsolicited em
  • by Anonymous Coward
    Best deals: Worms
  • Coralized mirror (Score:3, Insightful)

    by Randar the Lava Liza ( 562063 ) on Monday November 01, 2004 @12:16PM (#10686428) Homepage
    Why aren't all link submissions required to include a mirror? Ah well, here's the Coralized link []
  • Another mirror (Score:2, Informative)

    by alienfluid ( 677872 )
    Another mirror here []
  • by hex1848 ( 182881 ) on Monday November 01, 2004 @12:24PM (#10686528) Homepage
    I glanced through most of the points the authors make in this document and most of the evidence (if not all) is circumstantial. Although there are a lot of similarities that could lead you to think that he did it, I don't think comparing the skill sets needed write the program to his newsgroup/forum posts and similarities in headers warrants an inquisition.

    Granted he should probably burn at the stake just for writing SPAM software...
    • the only compelling evidence they mentioned was the identical blocks of code in the binaries, and they didnt really discuss go into detail about their findings.
    • by JASegler ( 2913 ) <jasegler&gmail,com> on Monday November 01, 2004 @01:02PM (#10687163)
      If you actually read the PDF you would see that they compared the opcode sequences between sobig and various programs.

      The important bit is that when sobig was compared to Atomic Mail Sender (AMS) they didn't find much in the way of opcode sequence matches. What was there was standard glue code that just has to be there.

      When they compared sobig to Send-Safe they found big chunks of common code, strings, etc.

      And they don't say that Ruslan Ibragimov is the author. They say he and/or his development team.
      Assuming he has 4-5 developers working for him it could be one developer who swiped the Send-Safe code and used it to develop sobig. Although I would bet on Ruslan giving the nod on the development of sobig.

      This type of analysis is how people find GPL violations. Unless you take alot of effort to completely rearrange the code it keeps the same signatures, embedded strings, etc.

      The analysis appears to be sounds. LEA should use Ruslan as a starting point to track down the person(s) responsible for sobig.

      But since we are talking about spam tool/virus/worm writers I think the Aliens quote is best..

      I say we dust off and nuke the site from orbit. It's the only way to be sure.

    • Perhaps you missed the sections about large sequences of opcodes in SoBig matching opcode sequences in Send-Safe. That's pretty damning evidence.
    • by analog_line ( 465182 ) on Monday November 01, 2004 @01:07PM (#10687249)
      Well, you obviously didn't glance through all of the points, as you neglect to mention the opcode simmilarities, timeline of significant releases of both pieces of software and the activites of groups known to use Send Safe, and SoBig.

      Not to mention the exhaustive opcode comparison diagram at the end of the document.

      Circumstantial evidence, it may be, but that doesn't mean it's not valid. And what is forensics aside from a circumstantial investigation? Getting as many facts as you are able to directly observe in order to come to a logical conclusion about a question you can't directly observe the solution to.
    • by Anonymous Coward
      Hopefully when you "glanced through" the article you also read that there is evidence that Sobig and Send-Safe (spam software that Ruslan sells) share source code. By comparing the opcodes of the two executables, they find many long sequences that match.

      Also, don't forget to mention that the article reveals a version of Send Safe was exploiting infected Sobig machines before news of Sobig was ever announced.

      So you see, its not just about the skill set needed, Ruslan's forum posts, or the header similariti
  • Avast, slashbots! (Score:5, Interesting)

    by naitro ( 680425 ) <> on Monday November 01, 2004 @12:25PM (#10686536)
    Let's all go visit [] the guy. Even if he didn't write Sobig, he's still developing software for spammers.
  • In Soviet Russia... oh, nevermind.
  • I wrote the virus which made the whole world cringe.
    I wrote the virus which screwed up things
    I wrote the virus that made system administrators cry
    I wrote the virus, I wrote the virus

  • Just... (Score:3, Funny)

    by grasshoppa ( 657393 ) <skennedy@tpn o - c o .org> on Monday November 01, 2004 @12:30PM (#10686613) Homepage
    ...tell me what address to mail ticking package to.
  • The anonymous authors have done really interesting technical forensics.

    The executable comparison charts between Send-Safe and Sobig-F in the appendix show a large correlation in both binaries. A different code base seems to be a pretty unrealistic thing there.

    If the given facts hold true, I bet that Ruslan Ibragimov will not sleep very well in the next time.
  • by NotQuiteReal ( 608241 ) on Monday November 01, 2004 @12:59PM (#10687115) Journal
    Script kiddies using virus writing kits and punks putting graffiti on stop signs is at about the same level.

    What do you think of the notion that there are at least several really successful viruses that we never hear about, because they are more useful to the writer if they are not obviously annoying?

    Are all these zombie machines we hear about for rent to spammers infected with viruses that would be caught be common virus scanners, or are they truely different?

    • no, silly rabbit. there's no such magical uber viruses.

      *Are all these zombie machines we hear about for rent to spammers infected with viruses that would be caught be common virus scanners, or are they truely different?*

      no. sure there could be custom rootkits and whatnot(but i have a hard time someone would be selling zombies fitted with custom really well done rootkits)... but a virus can't be "really successful" without doing any traffic or altering any bytes(it can't exist if doesn't do these things),
    • "What do you think of the notion that there are at least several really successful viruses that we never hear about, because they are more useful to the writer if they are not obviously annoying?"

      I think it's not very likely. It isn't the payload that necessarily gets viruses noticed. If a virus (well, technically a worm in this case) tries to exploit buffer overruns in remote services (as was done by worms like Code Red and Blaster), it's going to get caught by the log entries from failed intrusions.

    • I think that's because the people who do have the brains to decently code a virus (so not without a DIY-virus-in-3-steps kit) also have to brains to understand what will happen when it's released in the wild. And they do know that's not good for anyone.
  • I'm waiting (Score:5, Funny)

    by hchaos ( 683337 ) on Monday November 01, 2004 @01:07PM (#10687251)
    I'm waiting for the study on who wrote the technical study on who wrote the infamous Sobig worm.
  • by Shambhu ( 198415 ) on Monday November 01, 2004 @01:07PM (#10687258)
    Leaving aside the validity of their arguments for the time being (though I found them persuasive), I was wondering why exactly they felt the need to release this now. I think there are a few clues in the document:

    "Sobig was so virulent that on November 5, 2003 Microsoft, in coordination with the FBI, Secret Service, and Interpol, setup the Anti-Virus Reward Program. Backed by $5 million from Microsoft, the program offered a $250,000 bounty for information leading to the arrest and conviction of the Sobig author."

    And they add in a footnote to that sentence:

    "Ironically, our investigation into the identification of the likely Sobig author(s) and corresponding findings had already been concluded and passed on to law enforcement over two months prior to the Microsoft bounty offer. The bounty was not our incentive."

    So they say they had submitted their research prior to Nov. 5, '03. Why go public now? Though they don't say it, I can't help but think that it was frustration. Their own explanations for why they are going public seem thin to me.

    • Law enforcement had access to this report 14 months ago and yet Ruslan has still not been charged or arrested. At this point, it seems unlikely that he ever will be. If their is frustration on their part, it lays within this fact. Still, from the looks of it, they were sponsored to write this report and thus were paid. As they state, the "bounty was not our incentive." But nobody writes such a report or does this type of work for free. The only purposes releasing this report to the public serves now i
  • fairly convincing (Score:3, Interesting)

    by mixmasterjake ( 745969 ) on Monday November 01, 2004 @01:38PM (#10687803)
    The argument concering that he "had the skills necessary" to create the virus aren't really that convincing to me.

    The comparible code-base (unusual string concatanations that appear in both the virus and his commercial software) I suppose I *could* also overlook that because I know that a lot of developers copy code snippets from support pages and such. Especially for such generic functions as sending email.

    But, then throw in the fact that send-safe and the sobog virus have very consistent release schedules. That is a little suspicious.

    Not only that, but, if you remember when SoBig first came out - it was quite a long time after before people started to realize that it was creating spam proxies. send-safe was using those proxies even before the massive outbreak. Now that is kinda weird.

    So, when you add up all of those things, It seems convincing to me. Is it enough to raid his office computers?
  • Is stringing this guy up by his testicles and leaving him to dangle too good a punishment?
  • Of [] available here [], for those that don't know Coral [] yet.
  • So it was written to send spam. A nice thing that could be done is to charge all the money lost by that virus to all the companies that sent spam directly or indirectly thru that program.

    Also could be count as a "hard fact" for companies/governments/etc that people that send spam are in part responsible for the virus they receive and the damages they make, and start to take actions.

    Well, doubt that spammers could be liable for SoBig damages, but is a nice dream.

  • by Tablizer ( 95088 ) on Monday November 01, 2004 @02:16PM (#10688483) Journal
    I have only one question for virus writers:

    Has anyone ever gotten laid for writing a virus?
  • 1. According to the authors this study was completed prior to Nov. 5 2003. If the overriding concern is to "...increase tips to law enforcement..." then why did it take so long to publish this?

    2. Spelling and grammar in the document leave a lot to be desired. Computer forensics aside, I submit that English isn't the primary language of the authors or they just don't care that their paper is riddled with mistakes that make them sound ignorant.

"It takes all sorts of in & out-door schooling to get adapted to my kind of fooling" - R. Frost