New Phase of Sobig.F Set for 3 p.m. EST Friday 8/22/2003 by Elonka at 3:16 pm EDT, Aug 22, 2003

More info about the fastest-spreading worm of all time, which enters a new phase today, trying to download unknown code to 20 specific home computers:

] The worm infected close to one million computers via
] e-mail attachments in e-mails with spoofed addresses . . .
] Now, those infected
] computers are programmed to start to connect to machines
] found on an encrypted list hidden in the virus body.
] F-Secure said the list contains the address of 20
] computers located in United States, Canada and South
] Korea and is expected to start at 3:00 EST Friday.

RE: New Phase of Sobig.F Set for 3 p.m. EST Friday 8/22/2003 by Decius at 3:11 am EDT, Aug 24, 2003

Elonka wrote:
] More info about the fastest-spreading worm of all time, which
] enters a new phase today, trying to download unknown code to
] 20 specific home computers:

Turns out they may have failed here. From a post on Interesting People:

"All the experts were totally faked out. While everyone was concentrating on getting the "magic 20" machines shut down, no one realized that different copies of Sobig.f had different lists of servers to contact. We put a block of udp port 8998 on our firewall this morning. We had 3 previously undetected infected machines on our network, each of which tried to contact a different list of 20 machines. One of the lists corresponds to the one that Sophos and others have published. The other two lists have no addresses in common with the published list, or with each other. I wonder how many different sets of servers there were, how many different variants of Sobig.f there were, and how many infected machines now have some additional trojan, worm, or ddos code waiting for a command to do something."

RE: New Phase of Sobig.F Set for 3 p.m. EST Friday 8/22/2003 by Elonka at 12:24 am EDT, Aug 25, 2003

Elonka wrote:
] More info about the fastest-spreading worm of all time, which
] enters a new phase today, trying to download unknown code to
] 20 specific home computers:

Turns out they may have failed here. From a post on Interesting People:

"All the experts were totally faked out. While everyone was concentrating on getting the "magic 20" machines shut down, no one realized that different copies of Sobig.f had different lists of servers to contact. We put a block of udp port 8998 on our firewall this morning. We had 3 previously undetected infected machines on our network, each of which tried to contact a different list of 20 machines. One of the lists corresponds to the one that Sophos and others have published. The other two lists have no addresses in common with the published list, or with each other. I wonder how many different sets of servers there were, how many different variants of Sobig.f there were, and how many infected machines now have some additional trojan, worm, or ddos code waiting for a command to do something."

RE: New Phase of Sobig.F Set for 3 p.m. EST Friday 8/22/2003 by wilpig at 7:54 pm EDT, Aug 26, 2003

Elonka wrote:
] More info about the fastest-spreading worm of all time, which
] enters a new phase today, trying to download unknown code to
] 20 specific home computers:

Turns out they may have failed here. From a post on Interesting People:

"All the experts were totally faked out. While everyone was concentrating on getting the "magic 20" machines shut down, no one realized that different copies of Sobig.f had different lists of servers to contact. We put a block of udp port 8998 on our firewall this morning. We had 3 previously undetected infected machines on our network, each of which tried to contact a different list of 20 machines. One of the lists corresponds to the one that Sophos and others have published. The other two lists have no addresses in common with the published list, or with each other. I wonder how many different sets of servers there were, how many different variants of Sobig.f there were, and how many infected machines now have some additional trojan, worm, or ddos code waiting for a command to do something."
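
An added example, not part of the thread: triaging firewall deny logs for the udp/8998 block described in the quoted Interesting People post, showing per internal host how many attempted destinations a published server list covers and which it misses. The log line format, the addresses (documentation ranges) and the three-entry stand-in list are constructed assumptions.

```python
import re
from collections import defaultdict

SOBIG_PORT = 8998  # UDP port the quoted post blocked at the firewall

# Constructed stand-in for a published server list (documentation addresses).
PUBLISHED = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}

# Constructed firewall deny log; the line format is an assumption.
SAMPLE_LOG = """\
Aug 22 15:00:01 fw DENY udp 10.0.0.11:1045 -> 192.0.2.1:8998
Aug 22 15:00:02 fw DENY udp 10.0.0.11:1045 -> 192.0.2.2:8998
Aug 22 15:00:02 fw DENY udp 10.0.0.12:1051 -> 198.51.100.7:8998
Aug 22 15:00:03 fw DENY udp 10.0.0.12:1051 -> 198.51.100.8:8998
Aug 22 15:00:04 fw DENY udp 10.0.0.13:1060 -> 203.0.113.5:8998
Aug 22 15:00:05 fw DENY udp 10.0.0.14:1071 -> 192.0.2.9:53
Aug 22 15:00:06 fw DENY tcp 10.0.0.15:1080 -> 192.0.2.1:8998
"""

LINE = re.compile(r"DENY (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)")

def contacts_by_host(log, port=SOBIG_PORT):
    """Map each internal source to the destinations it tried on udp/<port>."""
    hosts = defaultdict(set)
    for line in log.splitlines():
        m = LINE.search(line)
        # Ignore other protocols and ports: only the blocked UDP port counts.
        if m and m.group(1) == "udp" and int(m.group(4)) == port:
            hosts[m.group(2)].add(m.group(3))
    return dict(hosts)

def triage(hosts, published):
    """Per host: destinations covered by the published list, and those it misses."""
    report = {}
    for host, dests in sorted(hosts.items()):
        report[host] = {
            "known": len(dests & published),
            "unlisted": sorted(dests - published),
        }
    return report

if __name__ == "__main__":
    for host, info in triage(contacts_by_host(SAMPLE_LOG), PUBLISHED).items():
        # A host with unlisted destinations would have slipped past an
        # address-based block built only from the published list.
        print(host, "known:", info["known"], "unlisted:", info["unlisted"])
```
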

New Phase of Sobig.F Set for 3 p.m. EST Friday 8/22/2003 by Decius at 4:38 pm EDT, Aug 22, 2003

] More info about the fastest-spreading worm of all time, which
] enters a new phase today, trying to download unknown code to 20
] specific home computers:
] The worm infected close to one million computers via
] e-mail attachments in e-mails with spoofed addresses . . .
] Now, those infected
] computers are programmed to start to connect to machines
] found on an encrypted list hidden in the virus body.
] F-Secure said the list contains the address of 20
] computers located in United States, Canada and South
] Korea and is expected to start at 3:00 EST Friday.

I can't believe they are unable to locate and turn off the servers! There are only 20. Also, if the "web address" in question is under the control of the attackers, then it was paid for by the attackers, and this is a very easy place to start a criminal investigation (possibly the web address was bought using a fake or stolen identity).

However, claiming that this "must be the work of organized crime" is silly. Technical sophistication and criminal sophistication are not always directly proportional.
There is a redundant post from wilpig not displayed in this view.