Sophos 20 IP's to block to prevent SoBig from updating

Time for net admins to do a little blocking
08-22-2003 1:45:54 PM CST -- from the folks at Sophos


Sophos experts have advised network and system administrators that they can take immediate action to prevent the W32/Sobig-F worm from downloading a potentially malicious update from the internet. The worm contains a list of encrypted IP addresses inside its code, which the Sobig-F infected computers use to signal their availabilty for an update. Infected computers will communicate with the IP addresses on UDP port 8998. They will also be listening on UDP ports 995-999 - perhaps in readiness for the updates to arrive. Sophos analysts have decrypted the list of IP addresses and have reproduced it below:

12.158.102.205
12.232.104.221
24.33.66.38
24.197.143.132
24.202.91.43
24.206.75.137
24.210.182.156
61.38.187.59
63.250.82.87
65.92.80.218
65.92.186.145
65.95.193.138
65.93.81.59
65.177.240.194
66.131.207.81
67.9.241.67
67.73.21.6
68.38.159.161
68.50.208.96
218.147.164.29

Sophos has attempted to contact the owners of the IP addresses, and some of the administrators have already taken action to block infected computers from communicating with them. Sophos advises companies, major ISPs and internet backbone providers to consider blocking all access to the above list of IP addresses, as this will protect infected users on their network from receiving updates to W32/Sobig-F. Another approach would be for network and system administrators to consider blocking NTP requests (except to trusted servers) so their infected computers do not know it is time to try and find the malicious update. Administrators should also consider eliminating or restricting outbound use of UDP port 8998.

This is probably the best thing released so far about SoBig Now some Network Admins can start taking action to put a choke on this puppy...!

http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanBB%2edb&command=viewone&id=75&op=t

 

Press Release from F-Secure

PRESS RELEASE

For release August 23, 2003

Close Call - the Sobig.F activation was prevented
F-Secure helped to shut down servers needed by the attack

The expected Internet activation of the Sobig.F worm has been prevented. The activation was programmed to take place on Friday the 22nd of August at 19:00 UTC. The activation was prevented through a 24-hour race against the clock by various organizations around the world. Everything started from the detailed analysis of the worm by the F-Secure research team, which found and decrypted the list of 20 Encrypted compromised server IP addresses from within the worm. Armed with the list of 20 IP addresses F-Secure, various internet service providers, CERT organizations from around the world, FBI and Microsoft were able to locate and disconnect or shut down most of the master servers necessary for the activation to be successful.

Six hours before the deadline, 11 of them were disconnected from the Internet. Just before the activation, 18 of them were disconnected. One of the remaining servers was unreachable, perhaps turned off. One was still operating when the attack started, but it immediately became unreachable as tens of thousands of infected machines from around the world started sending traffic to it.

F-Secure has been attempting to connect to all the 20 machines from three different sensors in three different countries to confirm that they are down. So far, we've been unable to connect even once. If we can't connect, neither can the infected machines - and the activation won't succeed.

Sobig.F, which is currently the most widespread worm in the world, contains an encrypted list of 20 servers located in USA, Canada and South Korea. The worm tried to connect to these servers to download the address of another server from which the worm would have downloaded an unknown application. The application would have then been immediately executed on all the infected computers.

More information about the Sobig.F worm and the attempted attack is available at http://www.F-Secure.com