"Compton, Rich" <RComptonat_private> wrote:

> As many of you know, the latest Sobig.F virus was scheduled to begin
> downloading unknown code from various IPs at 3:00 EST today on UDP port
> 8998. ...

Not quite. The target machines supply a URL (that is encoded with Sobig's string encoding routine) which Sobig then retrieves and executes. Thus the "real code" comes from an unknown number of unknown machines.

> ... Does anybody have any idea what this code is? ...

It seems likely that it will be another remote access Trojan and/or a network proxy application. Either or both are what previous variants of Sobig have downloaded through their "update" mechanisms.

Although the URL suggests it is Sobig.E-specific, the following analysis of the evolution of the Sobig family up to the Sobig.E variant is well worth reading:

   http://www.lurhq.com/sobig-e.html

It is also very relevant to Sobig.F, as very little of the actual functionality of Sobig.E has been changed in the making of Sobig.F -- the only really notable change is the addition of the multi-threaded self-mailing (more on this below).

> ... Are the infected boxes
> actually downloading code? ...

They would, but not from the initial "contact list" machines. As described above, Sobig.F-infected machines download the "real code" from locations pointed to by the "contact list" machines. If you mean "are they now", the answer is no -- it seems all the "contact list" machines were disconnected from the Internet about an hour before "come and get it" time. One hopes this was done cluefully, after certain important forensic evidence had been appropriately gathered, or at least was known to then be present on the machines and the machines were suitably secured for forensic analysis.

> ... Does anybody have an infected Windoze box with
> Sobig that can see what code was downloaded?

As I said, I believe that all the machines were disabled before the appointed time, so I doubt anyone (apart from Sobig's writer) knows what was in store for its victims.

> Here's a link to some info at Sophos in case you are unfamiliar with this.
>
> http://www.sophos.com/virusinfo/articles/sobigextra.html

Yes, the media-whoring of certain parties begat several such pages...

> Looking at the infection rates of this virus, I'd say that it's pretty
> important that we find out what this code is and what it does ASAP!

Actually, I think it is disputable that Sobig.F has a high infection rate. It certainly has generated a tsunami of viral Email messages that, coupled with all the back-wash that goes with such events (tons of bogus "you're infected" warnings from stupid Email gateway scanning systems to innocent, uninfected users, etc.), has certainly caused a huge surge in Email traffic, disrupting many Email-based services, other computer product suppliers and their helpdesk staff in particular. However, all that does not necessarily correlate with a huge infection rate or level.

Because of its multi-threaded nature, Sobig.F's self-mailing routine is much more capable of saturating the bandwidth available to its victim machines. Combined with the ever-increasing adoption of broadband connections among Sobig's target demographic (SOHO users with very limited or no effective IT skills), this one change to Sobig's mailing routines may be quite capable of producing a much denser Email flood from a (possibly considerably) smaller contamination base.

Another interesting factoid that may also support the notion that Sobig.F has not infected (or at least, has not remained long enough after infecting to be of concern on) many machines is this:

   http://isc.sans.org/port_details.html?port=8998

There has been no huge spike in port 8998 traffic. This may, of course, be due to reporting lag and I'll certainly be looking closely at this over the next few hours...
-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
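Added example, not part of the post above or of any Sobig analysis it cites: the post describes infected hosts querying a "contact list" of machines over UDP port 8998 around 3:00 EST, and notes that the ISC port-8998 graph is one way to gauge how many hosts actually did so. The script below shows how a network operator could pull the same indicator out of a perimeter firewall log. The iptables-style log lines, the internal hosts, the destination addresses (RFC 5737 documentation ranges; the real contact-list addresses are not on this page and are not reproduced) and the 14:45 to 15:15 local-time window are all constructed for the example, as are the function names `udp8998_sources` and `suspected_sobig_hosts`.

```python
import re
from datetime import time

# Constructed firewall log (iptables LOG target style). Not real traffic:
# internal hosts are in 192.168.1.0/24, destinations are RFC 5737 ranges.
SAMPLE_LOG = """\
Aug 22 14:55:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=UDP SPT=1033 DPT=8998 LEN=36
Aug 22 14:55:13 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=UDP SPT=1033 DPT=8998 LEN=36
Aug 22 14:55:13 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.44 PROTO=UDP SPT=1033 DPT=8998 LEN=36
Aug 22 14:57:40 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=UDP SPT=1041 DPT=8998 LEN=36
Aug 22 14:58:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=UDP SPT=1041 DPT=8998 LEN=36
Aug 22 15:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.80 PROTO=UDP SPT=53412 DPT=53 LEN=60
Aug 22 15:02:30 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.9 PROTO=TCP SPT=1112 DPT=8998 LEN=48
Aug 22 09:12:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=203.0.113.5 PROTO=UDP SPT=1500 DPT=8998 LEN=36
"""

# Assumed log layout: syslog timestamp, host, then iptables key=value fields.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hms>\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+"
    r"SPT=\d+\s+DPT=(?P<dpt>\d+)"
)


def parse(log):
    """Yield (time_of_day, src, dst, proto, dport) for every parseable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m.group("hms").split(":"))
        yield (time(h, mi, s), m.group("src"), m.group("dst"),
               m.group("proto"), int(m.group("dpt")))


def udp8998_sources(log):
    """Map each internal source that sent UDP/8998 to the set of destinations it hit.

    Everything else (TCP to 8998, other UDP ports) is ignored: the post's
    indicator is specifically UDP port 8998.
    """
    out = {}
    for _, src, dst, proto, dpt in parse(log):
        if proto == "UDP" and dpt == 8998:
            out.setdefault(src, set()).add(dst)
    return out


def suspected_sobig_hosts(log, window=(time(14, 45), time(15, 15)), min_targets=2):
    """Sources that, inside the local-time window, queried >= min_targets
    distinct UDP/8998 destinations, sorted.

    The post says the contact-list query was scheduled for 3:00 EST; the
    window here assumes the firewall clock is on the same local time. Requiring
    several distinct destinations separates contact-list polling from a single
    stray datagram to port 8998.
    """
    start, end = window
    hits = {}
    for t, src, dst, proto, dpt in parse(log):
        if proto == "UDP" and dpt == 8998 and start <= t <= end:
            hits.setdefault(src, set()).add(dst)
    return sorted(src for src, dsts in hits.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src, dsts in sorted(udp8998_sources(SAMPLE_LOG).items()):
        print(f"{src} -> {len(dsts)} UDP/8998 destination(s)")
    print("suspected Sobig.F hosts:", suspected_sobig_hosts(SAMPLE_LOG))
```

On the constructed log this flags 192.168.1.10 and 192.168.1.23; 192.168.1.88 shows up in `udp8998_sources` but not in the suspected list, because its single query falls hours outside the window, and the TCP and DNS lines are dropped entirely. A host that appears here should be pulled off the network and imaged before it can fetch and run whatever the URL handed back, which is the "real code" the post says nobody got to see.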
This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 19:51:30 PDT