W32/Sobig-F ALERT

Discussion in 'malware problems & news' started by Paul Wilders, Aug 22, 2003.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Sophos researchers have published information on a second wave attack which the Sobig-F worm may attempt to make in the coming hours.

    On infected PCs, Sobig-F will attempt to download code from the internet and then run it on the computer. This occurs on Fridays and Sundays at 19:00-22:00 GMT. This equatesto the following times in different parts of the world:

    Los Angeles 12 noon - 3:00pm
    Boston 3:00pm - 6:00pm
    London 8:00pm - 11:00pm
    Berlin 9:00pm - 12:00 midnight
    Hong Kong 3:00am - 6:00am (Saturday and Monday)
    Tokyo 4:00am - 7:00am (Saturday and Monday)
    Sydney 5:00am - 8:00am (Saturday and Monday)​

    (Note that because of time differences, the attempt
    to download code will happen on Saturdays and Mondays
    in the Far East and Australasia).

    The worm has been programmed to automatically direct infected PCs to a server controlled by the virus writer from which a malicious program could be downloaded. At the moment, it is not known what the download material will do, but possibilities include launching another virus or spam attack, collecting sensitive information, or deleting files stored on an infected computer or network.

    source: Sophos

    A potentially massive Internet attack starts today
    Sobig.F downloads and executes a mysterious program on Friday at 19:00 UTC

    F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today.

    Windows e-mail worm Sobig.F, which is currently the most widespread worm in the world, has created massive e-mail outages globally since it was found on
    Tuesday the 18th of August - four days ago. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. Total amount of infected e-mails seen in the Internet since this attack started is
    close to 100 million.

    However, the Sobig.F worm has a surprise attack in its sleeve. All the infected computers are entering a second phase today, on Friday the 22nd of August, 2003. These computers are using atom clocks to synchronize the
    activation to start exactly at the same time around the world: at 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).

    On this moment, the worm starts to connect to machines found from an encrypted list hidden in the virus body. The list contains the address of 20 computers located in USA, Canada and South Korea.

    "These 20 machines seem to be typical home PCs, connected to the Internet with always-on DSL connections", says Mikko Hypponen, Director of Anti-Virus
    Research at F-Secure. "Most likely the party behind Sobig.F has broken into these computers and they are now being misused to be part of this attack".

    The worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a web address. Infected machines
    download a program from this address - and run it. At this moment it is completely unknown what this mystery program will do.

    F-Secure has been able to break into this system and crack the encryption, but currently the web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyse it and come up with countermeasures", says Hypponen. "So apparently
    their plan is to change the web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it".

    Right now, nobody knows what this program does. It could do damage, like deleting files or unleash network attacks. Earlier versions of Sobig have executed similar but simpler routines. With Sobig.E, the worm downloaded a program which removed the virus itself (to hide its tracks), and then started to steal users network and web passwords. After this the worm installed a hidden email proxy, which has been used by various spammers to send their bulk commercial emails through these machines without the owners of the computers knowing anything about it. Sobig.F might do something similar - but we won't know until 19:00 UTC today.

    "As soon as we were able to crack the encryption used by the worm to hide the list of the 20 machines, we've been trying to close them down", explains Mikko Hypponen. F-Secure has been working with officials, authorities and various CERT organizations to disconnect these machines from the Internet.
    "Unfortunately, the writers of this virus have been waiting for this move too." These 20 machines are chosen from the networks of different operators,
    making it quite likely that there won't be enough time to take them all down by 19:00 UTC. Even if just one stays up, it will be enough for the worm.

    The advanced techniques used by the worm make it quite obvious it's not written by a typical teenage virus writer. The fact that previous Sobig variants we're used by spammers on a large scale adds an element of financial gain. Who's behind all this? "Looks like organized crime to me", comments Mikko Hypponen.

    source: F-Secure
  2. root

    root Registered Member

    Feb 19, 2002
    Missouri, USA
    Obviously the person that is responsible for this is pretty sharp. Too bad he/shes on the wrong side of the fence. The last couple of days have been pretty impressive.

    How you doing Paul? :)
  3. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    True indeed, Ghery. As it seems, 19 out of the 20 systems have been pulled down in time in order to avoid possible disaster. Massive attack has failed as it looks like.

    Fairly well - I'll drop you an email soon! ;)


Thread Status:
Not open for further replies.