On 21 Aug 2003 at 10:19, Rich Puhek wrote:

> I've been seeing a handful of emails that look a lot like Sobig.F
> (same or similar subjects, same body), but do not contain the
> attachment.

I am seeing quite a few of these from listservers and MTAs which strip attachments. Unless you control your MTA and know otherwise, I would assume that your ISP or some other upstream MTA is simply stripping it through a virus-scan or no-attachment policy.

> Does anyone know what's going on? I'm thinking that either:
>
> 1) Someone is using similar messages to probe email accounts

It was reported on another list a couple of days ago that Sobig appears to be doing probing, but it does not result in any sent e-mail. The speculation was that when it picks the sender address to fake, it first does a probe to ensure that it is a valid address.

Here is an excerpt from my logs showing my first probe (innocent faked addresses removed) from an infected host at 12.225.5.238 which subsequently began flooding me with Sobig:

T 20030822 182147 3f46238c Connection from 12.225.5.238
T 20030822 182147 3f46238b EHLO listserv.ua.edu
T 20030822 182147 3f46238c EHLO MINGS-XT3ZPVDN7
T 20030822 182147 3f46238b MAIL FROM:<[REMOVED]@BAMA.UA.EDU>
T 20030822 182147 3f46238c MAIL FROM: <[REMOVED]@psu.edu>
T 20030822 182154 3f46238c RCPT TO: <peteat_private>
T 20030822 182156 3f46238c Connection closed with 12.225.5.238, 9 sec. elapsed.

Note the lack of a DATA command. So, it appears to be a probe. There were several of these with different MAIL FROM commands each time, and some with just an EHLO.

The theory about why it is probing would seem to be wrong, though, because I received my first automated-virus-bounce-from-clueless-mail-admin, which falsely blamed me for sending a virus, prior to the first "probe":

T 20030822 161551 3f46237b Connection from 128.227.242.249
T 20030822 161551 3f46237b EHLO srvexch01-gnv.ifas.ufl.edu
T 20030822 161551 3f46237b MAIL FROM:<>
T 20030822 161616 3f46237b RCPT TO:<peteat_private>
T 20030822 161616 3f46237b DATA - 80 lines, 2677 bytes.
T 20030822 161616 3f46237b QUIT

> 2) A new version of Sobig is out (perhaps probing accounts first, then
> sending the payload later?)

I considered this, but before I ever received a payload I received several probes with the same RCPT TO and only the MAIL FROM changed. One would expect, then, that the reason for the probing was to determine if we would accept mail from those addresses, since the destination address had already been confirmed. Not that a virus writer can't be foolish, but that doesn't seem like a profitable use of bandwidth to me; most sites are going to accept mail from anyone. And in any event, none of the subsequent virus e-mails I actually received used those source addresses.

> 3) Something is broken with Sobig.F, causing it to fail to attach from
> time to time.

I suspect it is broken and there is no intentional probing, but I see no point in speculating about the reasons for it, since I don't have (nor want) an infected box to observe. What seems clear from my own logs and reports of others, though, is that prior to an infected host targeting your MTA, it will make several of these aborted connections. If your server is truly being hammered by this virus, it may be worthwhile to monitor for these "probes" and, when you see them, create a temporary connection refusal within your MTA or firewall for that IP until this virus dies down. That should help take some of the load off your servers.

> I have several copies available if anyone is interested. I haven't
> dissected the headers, etc. to look for similarities or differences
> with Sobig.F messages.
>
> --Rich
>
> _________________________________________________________
>
> Rich Puhek
> ETN Systems Inc.
> 2125 1st Ave East
> Hibbing MN 55746
>
> tel: 218.262.1130
> email: rpuhekat_private
> _________________________________________________________
>
>
> ----------------------------------------------------------------------
> ----- Attend Black Hat Briefings & Training Federal, September 29-30
> (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's
> premier technical IT security event. Modeled after the famous Black
> Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers
> and sponsors. Symantec is the Diamond sponsor. Early-bird
> registration ends September 6. Visit us: www.blackhat.com
> ----------------------------------------------------------------------
> ------

-- Pete Phillips -- San Antonio, Texas -- peteat_private
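One way to act on the suggestion in the message above (watch the MTA log for sessions that reach EHLO/MAIL/RCPT and then drop the connection without DATA, and list the source IPs to refuse for a while), as an added example that is not part of the original post or of any MTA. It assumes the transaction-log format shown in the excerpts ("T YYYYMMDD HHMMSS <session-id> <text>", one "Connection from" line opening a session and one "Connection closed with" line ending it); the sample log is constructed in that format with made-up addresses, the threshold and time window are arbitrary defaults, and the iptables line is just one way to express the temporary refusal.

```python
"""Spot Sobig.F-style SMTP "probes" in an MTA transaction log and list the
source IPs worth refusing for a while.  Assumes the log format from the post:
"T YYYYMMDD HHMMSS <session-id> <text>"; concurrent sessions interleave."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^T (\d{8}) (\d{6}) ([0-9a-f]+) (.*)$")
# Verbs showing the client at least started the SMTP envelope; getting this
# far and then dropping the line without DATA is the pattern in the post.
ENVELOPE_VERBS = {"EHLO", "HELO", "MAIL", "RCPT"}


@dataclass
class Session:
    sid: str
    ip: str = ""                    # empty if the session opened before the excerpt
    started: datetime = datetime.max
    verbs: list = field(default_factory=list)
    closed: bool = False            # saw "Connection closed with ..."

    def is_probe(self) -> bool:
        return (self.closed
                and "DATA" not in self.verbs
                and "QUIT" not in self.verbs
                and any(v in ENVELOPE_VERBS for v in self.verbs))


def parse_sessions(log_text: str) -> dict:
    """Group transaction lines by session id and record what each session did."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # not a transaction line
        day, clock, sid, text = m.groups()
        s = sessions.setdefault(sid, Session(sid))
        s.started = min(s.started, datetime.strptime(day + clock, "%Y%m%d%H%M%S"))
        words = text.split()
        if text.startswith("Connection from "):
            s.ip = words[2]
        elif text.startswith("Connection closed with "):
            s.ip = s.ip or words[3].rstrip(",")
            s.closed = True
        else:
            # "MAIL FROM:<x>", "RCPT TO: <x>", "DATA - 80 lines" -> MAIL, RCPT, DATA
            s.verbs.append(words[0].rstrip(":").upper())
    return sessions


def find_probe_sources(log_text: str, threshold: int = 3,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """{ip: probe count} for IPs making >= threshold probes inside one window."""
    times = defaultdict(list)
    for s in parse_sessions(log_text).values():
        if s.is_probe() and s.ip:
            times[s.ip].append(s.started)
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                flagged[ip] = len(ts)
                break
    return flagged


def firewall_rules(ips) -> list:
    """One way to refuse further port-25 connections (iptables syntax); remove again later."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j REJECT" for ip in sorted(ips)]


# Constructed sample in the post's log format; addresses are made up.
SAMPLE_LOG = """\
T 20030822 161551 3f46237b Connection from 128.227.242.249
T 20030822 161551 3f46237b EHLO srvexch01-gnv.ifas.ufl.edu
T 20030822 161551 3f46237b MAIL FROM:<>
T 20030822 161616 3f46237b RCPT TO:<pete@example.invalid>
T 20030822 161616 3f46237b DATA - 80 lines, 2677 bytes.
T 20030822 161616 3f46237b QUIT
T 20030822 182147 3f46238c Connection from 12.225.5.238
T 20030822 182147 3f46238b EHLO listserv.ua.edu
T 20030822 182147 3f46238c EHLO MINGS-XT3ZPVDN7
T 20030822 182147 3f46238c MAIL FROM: <user2@example.invalid>
T 20030822 182154 3f46238c RCPT TO: <pete@example.invalid>
T 20030822 182156 3f46238c Connection closed with 12.225.5.238, 9 sec. elapsed.
T 20030822 182210 3f46238d Connection from 12.225.5.238
T 20030822 182210 3f46238d EHLO MINGS-XT3ZPVDN7
T 20030822 182212 3f46238d Connection closed with 12.225.5.238, 2 sec. elapsed.
T 20030822 182230 3f46238e Connection from 12.225.5.238
T 20030822 182231 3f46238e MAIL FROM: <user3@example.invalid>
T 20030822 182233 3f46238e RCPT TO: <pete@example.invalid>
T 20030822 182235 3f46238e Connection closed with 12.225.5.238, 5 sec. elapsed.
"""

if __name__ == "__main__":
    hits = find_probe_sources(SAMPLE_LOG)
    print(hits, *firewall_rules(hits), sep="\n")
```

The bounce session (DATA then QUIT) and the interleaved listserv session that began before the excerpt are deliberately not flagged: a session only counts as a probe when its close was seen and it never got past the envelope. Feed the script your own log and tune the threshold and window to how hard you are being hit; an EHLO-only session is counted because the post reports those too, so lower the threshold with care on a host that also sees monitoring checks.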
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:09:29 PDT