Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>

Given that Sobig.F seems to have subsided from its weekend peak (from my numbers, it was doubling every day last week up until Sunday and then suddenly dropped off--to a rate that is still roughly as high as Klez at its worst) and that "Stage 2" seems to have been averted, a few thoughts.

Blaster, a worm, infected relatively few machines but inconvenienced (and in some cases worse) companies, so it gets its name in the paper. Sobig surpasses all records in terms of number of email messages generated, and almost nobody (outside of our little security circle) is paying attention.

Spoofing of email headers in virus messages goes back to Hybris or before. Most of the successful email viruses have used some form of spoofing. Yet antivirus companies, in their mail server based products, are continuing to generate bounce messages to the nominal sender, probably in an attempt to market their products. I got a lot of bounced Sobig over the past week. None, of course, had been sent from me. What these bounces are actually doing is aiding the virus: the bounce messages send the virus (a full copy of the original message is often included) to yet another machine.

Spammers have also been using spoofed email addresses for some time. Bounced spam is therefore also helping spammers to spread their messages. Two spam for the price of one, thanks to bounces. (Occasionally I hear of a server being inundated by a faked sender address on spam, but this seems to be rare. Which would seem to indicate that spammers are deliberately using random addresses, possibly for reasons of multiplication through bounces.)

One of the interesting points to come out of the height of the Sobig numbers on Saturday was that I saw relatively *few* bounces, in proportion to what one might have thought was the case. My address is obviously on enough infected machines for me to get huge numbers of infected messages: due to the way the virus spoofs addresses, a large number of the Sobig messages would have been sent "from" me. Given that the majority of server based antiviral packages do bounce messages, the penetration of server based virus scanning would therefore seem to be quite low. (Interesting, the indirect things you can learn in the aftermath of an attack. Consider the subject line of this message a test of content scanners still doing simplistic subject line rejections.)

I have been warning about the type of convergence of malware technologies involved in the "stage 2" situation for a few years now. Will it be taken seriously after Sobig? (Listen to the sound of me *not* holding my breath.)

Sobig seems to have been planned and designed with much greater care than is usually the case with viruses and malware. Up until now, we have been spared what viruses *could* do primarily by the fact that we have been facing a bunch of disorganized amateurs. A number of comments about Sobig have raised the possibility of an involvement with spammers and/or organized crime. (We already know that "red guest" groups in China are much more organized and disciplined than traditional blackhats.) Sobig may simply be the result of an isolated creative mind, but relying on that supposition as fact is dangerous security planning.

Buried in the investigations into Sobig.F, you will find reference to the fact that it stops reproducing after September 10th. I'm afraid it took my wife pointing it out to make me realize that this is one day before September 11th. Sobig.G, anyone?

======================
rsladeat_private sladeat_private rsladeat_private
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

-
ISN is currently hosted by Attrition.org
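The post's complaint is that bounces go to whoever the worm or spammer forged as sender. A receiving site can refuse that backscatter if it tags its own outgoing envelope sender with a dated HMAC (the prvs scheme from the BATV draft) and then only accepts null-sender bounces addressed to a valid, unexpired tag. The following is an added example, not code from the post or from any MTA; the secret, the domain and the dates are constructed, and the MAC is truncated HMAC-SHA256 rather than the draft's exact algorithm.

```python
import hmac
import hashlib
import re
from datetime import date

# Constructed secret for the example; a real MTA keeps this in its config.
SECRET = b"example-only-batv-key"
VALID_DAYS = 7  # how long a tagged address stays acceptable for bounces


def _days(d):
    # days since 1970-01-01, reduced to three digits as prvs does
    return (d - date(1970, 1, 1)).days % 1000


def _mac(key_id, ddd, address, secret):
    msg = f"{key_id}{ddd:03d}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(address, today, key_id=0, secret=SECRET):
    """Tag our own outgoing envelope sender: user@x -> prvs=KDDDSSSSSS=user@x."""
    local, domain = address.rsplit("@", 1)
    ddd = _days(today)
    sig = _mac(key_id, ddd, address, secret)
    return f"prvs={key_id}{ddd:03d}{sig}={local}@{domain}"


_PRVS = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.I)


def accept_bounce(rcpt, today, secret=SECRET):
    """Decide whether a null-sender (bounce) message to rcpt is a genuine
    reply to mail we sent. Returns (accepted, reason)."""
    local, domain = rcpt.rsplit("@", 1)
    m = _PRVS.match(local)
    if not m:
        # The worm forged us as sender; we never sent with a bare address.
        return False, "untagged address: backscatter from a spoofed sender"
    key_id, ddd, sig, orig_local = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    age = (_days(today) - ddd) % 1000
    if age > VALID_DAYS:
        return False, "tag expired"
    expected = _mac(key_id, ddd, f"{orig_local}@{domain}", secret)
    if not hmac.compare_digest(expected, sig.lower()):
        return False, "bad signature: tag forged or wrong key"
    return True, f"bounce for mail we sent as {orig_local}@{domain}"
```

The SMTP server applies accept_bounce at RCPT TO time whenever MAIL FROM is empty, so forged-sender bounces are refused before the infected attachment is ever accepted.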
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 09:55:50 PDT