http://www.eweek.com/article2/0,3959,1231802,00.asp

By Dennis Fisher
August 26, 2003

It turns out that SoBig.F is even less original than previously thought. The self-updating capability that had anti-virus experts, users and even the FBI scrambling this weekend was in fact present in some of the earlier versions of the virus, albeit in a somewhat less advanced form.

"That capability was in previous versions. I think what set off the red flag this time is the prevalence of this version and the potential for what could happen," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc., in Islandia, N.Y.

A couple of anti-virus vendors on Friday announced that they had discovered a new feature of SoBig.F that instructed infected machines to connect to one of 20 IP addresses that were hidden in the virus's code. The PCs were then supposed to download and execute an unknown file. Security experts feared that the file could be a Trojan or some tool for launching a broader attack.

However, authorities were able to locate and shut down the vast majority of the 20 machines, and the expected onslaught of activity never materialized.

The self-updating capability was first seen in SoBig.C, but until this latest version, none of the viruses had the list of IP addresses for infected machines to contact.

Although they were able to deflect the mystery attack, anti-virus experts nonetheless are still worried about the long-term implications of SoBig.F. The virus spread more quickly than any other piece of malware in history and has infected countless machines. It is the sixth version of the SoBig virus to appear, and each iteration of the virus also contains an expiration date, after which the virus is programmed to stop trying to spread.

These facts have led some experts to speculate that the SoBig viruses are being written, released and subsequently improved upon by professionals who have some larger goal in mind than simply flooding inboxes with useless e-mail. The fact that some portion of the self-updating feature was in previous versions of the virus would appear to bolster the argument for this trial-and-error scenario.

But some in the anti-virus community don't buy it.

"We haven't seen any evidence of this being used as a mechanism for sending commercial spam," said Chris Wraight, technology consultant at Sophos Inc., an enterprise anti-virus company based in Lynnfield, Mass. "It's definitely weird that a new one is released so often. It's almost like beta testing."