Blocking Sofig IP's

Discussion in 'LnS English Forum' started by tosbsas, Aug 23, 2003.

Thread Status:
Not open for further replies.
  1. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Here a post in the worm forum:

    Time for net admins to do a little blocking
    08-22-2003 1:45:54 PM CST -- from the folks at Sophos


    Sophos experts have advised network and system administrators that they can take immediate action to prevent the W32/Sobig-F worm from downloading a potentially malicious update from the internet. The worm contains a list of encrypted IP addresses inside its code, which the Sobig-F infected computers use to signal their availability for an update. Infected computers will communicate with the IP addresses on UDP port 8998. They will also be listening on UDP ports 995-999 - perhaps in readiness for the updates to arrive. Sophos analysts have decrypted the list of IP addresses and have reproduced it below:

    12.158.102.205
    12.232.104.221
    24.33.66.38
    24.197.143.132
    24.202.91.43
    24.206.75.137
    24.210.182.156
    61.38.187.59
    63.250.82.87
    65.92.80.218
    65.92.186.145
    65.95.193.138
    65.93.81.59
    65.177.240.194
    66.131.207.81
    67.9.241.67
    67.73.21.6
    68.38.159.161
    68.50.208.96
    218.147.164.29

    Sophos has attempted to contact the owners of the IP addresses, and some of the administrators have already taken action to block infected computers from communicating with them. Sophos advises companies, major ISPs and internet backbone providers to consider blocking all access to the above list of IP addresses, as this will protect infected users on their network from receiving updates to W32/Sobig-F. Another approach would be for network and system administrators to consider blocking NTP requests (except to trusted servers) so their infected computers do not know it is time to try and find the malicious update. Administrators should also consider eliminating or restricting outbound use of UDP port 8998.

    This is probably the best thing released so far about SoBig. Now some Network Admins can start taking action to put a choke on this puppy...!

    http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanBB%2edb&command=viewone&id=75&op=t
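The Sophos advice above boils down to two defensive checks (outbound UDP/8998 to the listed hosts, inbound traffic to the UDP 995-999 listen range) and an egress block list. The following Python script is an added example, not code from the post, from Sophos or from Look 'n' Stop: it scans a constructed, hypothetical firewall log format for those two patterns and emits matching egress rules in iptables syntax. The IP list and ports are the ones quoted above; the log lines and their format are made up for the example.

```python
import re
from collections import defaultdict

# Sobig-F update-signal hosts, exactly as listed in the Sophos text above.
SOBIG_F_UPDATE_HOSTS = frozenset({
    "12.158.102.205", "12.232.104.221", "24.33.66.38", "24.197.143.132",
    "24.202.91.43", "24.206.75.137", "24.210.182.156", "61.38.187.59",
    "63.250.82.87", "65.92.80.218", "65.92.186.145", "65.95.193.138",
    "65.93.81.59", "65.177.240.194", "66.131.207.81", "67.9.241.67",
    "67.73.21.6", "68.38.159.161", "68.50.208.96", "218.147.164.29",
})
SIGNAL_PORT = 8998               # outbound UDP port used to signal availability
LISTEN_PORTS = range(995, 1000)  # UDP 995-999, where infected hosts listen

# Hypothetical log format for this example (constructed, not the LnS format):
#   "<date> <time> <IN|OUT> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def classify(ev):
    """Map one event to (internal_host, reason), or None if not of interest."""
    if ev["proto"] != "UDP":
        return None
    if ev["dir"] == "OUT" and ev["dport"] == SIGNAL_PORT:
        if ev["dst"] in SOBIG_F_UPDATE_HOSTS:
            return ev["src"], f"known Sobig-F update host {ev['dst']} on udp/{SIGNAL_PORT}"
        # Unlisted destination on the same port still deserves a look.
        return ev["src"], f"outbound udp/{SIGNAL_PORT} to unlisted host {ev['dst']} (review)"
    if ev["dir"] == "IN" and ev["dport"] in LISTEN_PORTS:
        return ev["dst"], f"inbound udp/{ev['dport']} from {ev['src']} hits Sobig-F listen range"
    return None


def scan(lines):
    """Group findings by internal host; hosts with no findings are absent."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines instead of aborting the scan
        hit = classify(ev)
        if hit:
            host, reason = hit
            findings[host].append(reason)
    return dict(findings)


def block_rules():
    """Egress rules mirroring the advisory: drop all traffic to each listed
    host, then drop any other outbound udp/8998 (iptables syntax)."""
    rules = [f"iptables -A OUTPUT -d {ip} -j DROP"
             for ip in sorted(SOBIG_F_UPDATE_HOSTS)]
    rules.append(f"iptables -A OUTPUT -p udp --dport {SIGNAL_PORT} -j DROP")
    return rules


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2003-08-23 10:01:02 OUT UDP 192.168.1.15:1034 -> 12.158.102.205:8998",
    "2003-08-23 10:01:03 OUT UDP 192.168.1.15:1035 -> 24.33.66.38:8998",
    "2003-08-23 10:01:05 OUT UDP 192.168.1.20:123 -> 192.168.1.1:123",
    "2003-08-23 10:01:07 OUT UDP 192.168.1.22:4000 -> 203.0.113.9:8998",
    "2003-08-23 10:01:09 IN UDP 198.51.100.7:5555 -> 192.168.1.15:997",
    "2003-08-23 10:01:10 OUT TCP 192.168.1.30:2222 -> 203.0.113.50:80",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host)
        for r in reasons:
            print("   ", r)
    print("\n".join(block_rules()))
```

Hosts that hit a known update address are the ones to isolate first; the "(review)" hits on udp/8998 to other destinations are lower confidence but cheap to check. The NTP line is deliberately not flagged: the advisory's NTP point is about restricting it to trusted servers, which is a policy decision rather than a log signature.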
     
  2. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
    thx for this information Tobsas , did you have a lns fresh rules to stop that ?? ;)


    Thx... :D
     
  3. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    The existing rule in your enhanced ruleset: block any other udp packets will take care of this as the only udp packets authorized are those you specifically authorized prior to that rule.
    However, if you use programs such as netmeeting, then you better specifically block that port 8998 as Netmeeting already authorizes UDP ports 1024 to 65535 while active ( reason why I also don't like using p2p programs )
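The ordering point in the reply above (a broad "allow UDP 1024-65535" rule placed before "block any other UDP" silently lets udp/8998 through) is easy to see with a first-match rule evaluator. The Python below is an added illustration, not Look 'n' Stop's rule engine or syntax: the rule names and the field layout are assumptions chosen for the example, and the evaluation is the usual first-match-wins with a default block.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule; None in proto/direction means 'any'."""
    name: str
    action: str                 # "allow" or "block"
    proto: Optional[str]        # "UDP", "TCP" or None
    direction: Optional[str]    # "OUT", "IN" or None
    dport_lo: int
    dport_hi: int


def matches(rule: Rule, proto: str, direction: str, dport: int) -> bool:
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.direction is not None and rule.direction != direction:
        return False
    return rule.dport_lo <= dport <= rule.dport_hi


def evaluate(ruleset: List[Rule], proto: str, direction: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, block by default."""
    for rule in ruleset:
        if matches(rule, proto, direction, dport):
            return rule.action, rule.name
    return "block", "<default>"


# Rules modelled on the reply above (names are assumptions for this example).
NETMEETING_ALLOW = Rule("NetMeeting UDP 1024-65535", "allow", "UDP", None, 1024, 65535)
BLOCK_OTHER_UDP = Rule("Block any other UDP", "block", "UDP", None, 0, 65535)
BLOCK_SOBIG_8998 = Rule("Block Sobig-F UDP 8998", "block", "UDP", "OUT", 8998, 8998)

# Weak ordering: the broad allow sits in front of the catch-all block.
WEAK_RULESET = [NETMEETING_ALLOW, BLOCK_OTHER_UDP]
# Corrected ordering: the specific block is evaluated before the broad allow.
FIXED_RULESET = [BLOCK_SOBIG_8998, NETMEETING_ALLOW, BLOCK_OTHER_UDP]


def compare(dport: int = 8998):
    """Return the verdict for outbound udp/<dport> under both rulesets."""
    return {
        "weak": evaluate(WEAK_RULESET, "UDP", "OUT", dport),
        "fixed": evaluate(FIXED_RULESET, "UDP", "OUT", dport),
    }


if __name__ == "__main__":
    for label, verdict in compare().items():
        print(f"{label:5s} ruleset -> {verdict[0]} (matched: {verdict[1]})")
```

Without the NetMeeting allow, the catch-all block alone already covers udp/8998, which is the first half of the reply; with it present, only a specific block placed earlier in the list restores that behaviour, while other NetMeeting ports stay allowed.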
     
  4. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Phantom - you see that??

    Any change to the allow udp rule necessary??

    Ruben
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey tosbsas

    By Default “UDP : Allow” is deactivated, and asking the question whether it’s necessary tells me you know very little about that rule and that tells me you shouldn’t activate it until you do… ;)
     
  6. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
    Thx guy ... ;)
     
  7. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Hey my friend - I am growing into it :)--)) Not as fast as I like but surely I will rise to the goal :)--))

    No seriously I don't know why but I had that one activated (even when we did our tests) so you say deactivate it o_O

    Ruben
     