SoBig: Worst is Yet to Come

bl8n8r writes "Experts say when vacationers get back to work Monday, inboxes will unleash the worm's worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
  • Procmail finally (Score:5, Informative)

    by unfortunateson ( 527551 ) on Thursday August 21, 2003 @03:45PM (#6757878) Journal
    Our computers aren't getting infected: between virus scan, ZoneAlarm, ancient e-mail client and knowing not to open the stupid attachments, we've not gotten infected.

    But >1000 100K e-mails per day to a single address were swamping our ability to do anything but download and delete.

    It took two days of querying tech support at my ISP before they'd admit that procmail would work, and a quickie recipe dumps all the infected files. Yay. I should have just done it without checking tech support, for all they helped.

    This was listed in a previous thread, but it's worth repeating:
    In a .procmailrc file, put
    :0 B
    * ^ *Content-Disposition: attachment;
    * filename=".*\.(pif|exe|scr)"
    /dev/null

    This deletes any message with a pif, exe or scr attachment.

    I'll get more sophisticated later once I learn more about procmail, but for now, this does the job, without having to worry about SHELL and PATH settings.
  • by unfortunateson ( 527551 ) on Thursday August 21, 2003 @03:48PM (#6757942) Journal
    The line wrapping on the recipe got mangled:
    :0 B
    * ^ *Content-Disposition: attachment;
    * filename=".*\.(pif|exe|scr)"
    /dev/null
  • by worm eater ( 697149 ) on Thursday August 21, 2003 @03:56PM (#6758070) Homepage
    plus maybe 30 automated msgs saying _I'd_ sent out such nastiness/bloat.

    Yeah, I've seen this too. And I *know* I'm not infected. I'm trying to figure out if the worm is making emails it sends look like bounced messages, or if it is spoofing my email address. Actually, I'd like to see some better research (or reporting) done on this. Initial reports [com.com] I read made it sound like it would only spoof 'well-known' domain names such as ibm.com or microsoft.com. I have seen it coming from friends of mine (who may or may not have been infected), as well as places like halliburton.com. I've seen the 'Wicked Screensaver' variation more than anything else.
  • Re:Ouch! (Score:2, Informative)

    by Wyzard ( 110714 ) on Thursday August 21, 2003 @04:00PM (#6758116) Homepage

    I'm a student consultant at my school [lehigh.edu] who helps other students with computer problems, and believe me, the network people in charge here are fully aware of this fact. For what we call "mass-install week", which means setting up all the new students, we're being told to enable the XP firewall, check for and remove Blaster, install patches from windowsupdate and explain to the student the importance of patching, and install the school's site-licensed copy of Norton.

    Hopefully these sort of measures, here and at other schools, will mitigate the damage.

  • Re:huh (Score:5, Informative)

    by Jhon ( 241832 ) on Thursday August 21, 2003 @04:00PM (#6758118) Homepage Journal
    Aren't you lucky. Here's what our email server caught since Monday:

    237 W32/Yaha-E
    235 W32/Klez-H
    009 W32/Sircam-A
    004 W32/Bugbear-B
    003 Dial/PecDial-B
    002 W32/Yaha-K
    002 Troj/Peido-B
    001 W32/Sobig-F
    001 W32/Klez-E
    001 W32/Bugbear-Dam

    Only one Sobig so far... But Klez and Yaha numbers have been high for months. Too many of our users have front-facing email addresses (posted on our corporate website).
  • by jdunlevy ( 187745 ) on Thursday August 21, 2003 @04:00PM (#6758124) Homepage

    Looks like in addition to all the garbage we've been getting as a result of this virus propagating (the virus itself, attachment-free e-mailings by the virus, mis-directed automated notifications that "Your mail server sent us a virus", bounces to people whose addresses were spoofed by the virus, probably etc.), we can expect the infected computers to start being used as relays for the sending of "normal" spam [washingtonpost.com] -- with the corresponding spike in spam volume that would bring.

    According to this article [washingtonpost.com]:

    After examining two month's worth of junk e-mail earlier this year, New York City-based e-mail security company MessageLabs found that roughly 65 percent of spam originated from computers running proxy servers. More than 75 percent of those servers appeared to be installed on PCs that showed signs of being infected with Sobig and similar viruses.

    And Symantec [symantec.com]:

    Sobig.F can download arbitrary files to an infected computer and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers.
  • SoBIG infection (Score:1, Informative)

    by Anonymous Coward on Thursday August 21, 2003 @04:11PM (#6758265)
    This is the first time our W2K servers got smashed. Seems our employees weren't smart enough (or trained enough) to know NOT to click on strange unexpected emails. Now we're contemplating blocking ALL internet access to our thin clients to prevent this. Our Linux box and filtering hasn't let a single whippersnapper in yaaay!
    Shame on Symantec for not releasing a critical definition that all clients would auto download the night of discovery.
  • Re:RPC Patch (Score:5, Informative)

    by aldousd666 ( 640240 ) on Thursday August 21, 2003 @04:23PM (#6758410) Journal
    If you're a company and it's going to cost you the money to clean worms, get a mail scanner. We haven't been infected with a single email worm for as long as I've been here at the company (2 years), and we have 1400 users. I think a kink in the budget for scanmail once was a kickass investment in that we have been immune to every single worm (we actually patched everyone in time for the d-com worm as well, so we didn't get that one). If you're going to use windows, get a mail scanner, and deploy your patches via Group Policy before you hear about the exploits. And no, we don't have windows automatic updates enabled either; that's definitely not the answer to anyone's problems, at least not in the corporate world. It may be good for people at home, unless they have dialup, then they're f'd, and shouldn't be trusting their computers to microsoft software. May I suggest a preventative approach: NTBUGTRAQ.com has a nice mailing list that seems to keep at least a few days ahead of the exploits. Russ Cooper has saved us more than once.
  • by Steve B ( 42864 ) on Thursday August 21, 2003 @04:23PM (#6758414)
    One has to wonder what impact spammers have on viral activity.

    You don't need to wonder -- just read the news [reuters.com]:

    SAN FRANCISCO (Reuters) - Several Internet worms that have besieged computers for over a week played havoc again on Wednesday, including one called Sobig.F whose aim was to turn PCs into spam machines and was believed to be the fastest growing virus ever, experts said.

    Sobig.F drops software onto infected Windows computers that open them to be used later for distributing Internet spam -- unwanted e-mails and product promotions, experts said. It also represents a new trend in converging e-mail spamming and virus software writing, they said.
    It's long overdue for law enforcement to prosecute spammers for cracking (evasion of antispam filters, relay-raping, disseminating viruses to create zombie spamboxes, etc). Many of the people that do get prosecuted for cracking do less damage and target fewer victims (by several orders of magnitude) than the typical spammer.
  • by Anonymous Coward on Thursday August 21, 2003 @04:51PM (#6758748)
    If a virus is from a known spoofing virus, then the autoreply to the sender is NOT sent. Now if everyone had a decent virus scanner at their server...
  • by Chainsaw Messiah ( 223587 ) on Thursday August 21, 2003 @05:09PM (#6758962)
    make that

    (vbs|vsf|vbe|wsh|hta|scr|pif|com|exe|shs|bat|bas|scr|wav|eml|dll)

    and you should be set
  • by Verteiron ( 224042 ) * on Thursday August 21, 2003 @05:12PM (#6758990) Homepage
    In the USA, salaried employees are still entitled to overtime pay. Even if it said they were not in their contract. Federal wage law overrules corporate contracts.

    Only "exempt" employees can work overtime without being paid for it, and there are minimum salary requirements for most professions to have "exempt" status.

    For technical work it's along the lines of $27/hour.

  • by Distinguished Hero ( 618385 ) on Thursday August 21, 2003 @05:15PM (#6759013) Homepage
    I believe the actual quote is: [google.com]
    "Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
  • SoBig Clean up (Score:3, Informative)

    by pandrel ( 633485 ) * <pjandrel1@verizon.net> on Thursday August 21, 2003 @05:26PM (#6759114)
    I've already had to help a few people remove SoBig from their systems and found that SARC has a removal tool that cleans up SoBig quickly and effortlessly by:
    1. Terminating the W32.Sobig.F@mm viral processes.
    2. Deleting the W32.Sobig.F@mm files.
    3. Deleting the dropped files.
    4. Deleting the registry values that the worm added.
    For those who need it, it can be found at http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html
  • Re:Ouch! (Score:3, Informative)

    by owlstead ( 636356 ) on Thursday August 21, 2003 @05:27PM (#6759125)
    One that uses mailinglists? I was subscribed to several interesting ones that I had to turn off due to the enormous feed. Not that my system could not handle it, but I could not.

    If you are unlucky some of your employees like chain letters and 'funny' mails, or mails with nude females (could we call those just femails?).

    And then you have helpdesks and stuff, or really tech savvy people. 't is not that difficult getting 3 mails per minute.

    Warper
  • by Jugalator ( 259273 ) on Thursday August 21, 2003 @05:29PM (#6759146) Journal
    According to a Swedish newspaper (I'm sure others run the story as well by now), anti-virus programmers have now finally cracked the 20 IP addresses SoBig will get its updates from this weekend. It's now a race against time to shut those IP addresses down. The IP addresses are located in USA and Canada.

    The reason it took this long to get the IP addresses was because they were heavily encrypted in the code and they couldn't do the usual "dump memory" trick when the virus was active, since the IP addresses were only stored in memory just when they were needed, then the memory was freed.

    The anti-virus guys at F-Secure don't know what will happen if they don't shut down the 20 addresses in time, only that something might happen if they don't take down all addresses.

    Unusually clever actually, since I usually find viruses to be rather poorly coded and much like a hack job, like the Blaster virus that shouldn't have crashed the Windows computers much more efficiently go unnoticed. Anti-virus developers have also noticed this about SoBig and it is not very exhibitionistic either, like viruses usually are. These signs suggest that it's a more professional work than usual.
  • Re:Vacation? (Score:3, Informative)

    by pigscanfly.ca ( 664381 ) * on Thursday August 21, 2003 @05:43PM (#6759285) Homepage
    Yes they did. In Ontario all non-essential employees were told not to work (a number still did anyway; go figure), but nonetheless that is a huge number of employees. They are to be going back tomorrow or Monday to their regular work. And the federal government has huge pipes. I can only hope CIS has everything locked down in advance (not bloody likely given their past performance).
  • by dildofire ( 308572 ) on Thursday August 21, 2003 @05:52PM (#6759357)
    I'm not sure what exactly for, but France and Italy (and probably other European countries) basically shut down for the second part of August and a ton of people go on vacation. That's my only guess as to what it could mean.
  • Re:$500 - $1000 (Score:1, Informative)

    by Anonymous Coward on Thursday August 21, 2003 @05:57PM (#6759410)
    How many emails have been vectored through Netscape or Eudora? None.

    That's simply not true -- this trojan is a simple double-click-to-run and can vector in through anything that allows files to be copied.

    In fact, the newer versions of MS mailers block these "dangerous" attachments and are significantly less risky than other clients.
  • by Anonymous Coward on Thursday August 21, 2003 @07:58PM (#6760433)
    Actually, that's the proper reaction. The users are pissed at the IT Department, when in fact there is none. Only a bunch of sub-sub-sub-contractors who haven't found where the restroom is yet. The only way that gets fixed is pressure from outside.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Thursday August 21, 2003 @11:16PM (#6761735)
    This is where procmail comes to the rescue! Add this rule:

    # Ignore W32/Sobig.f@MM
    :0 B
    * ^vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujHN
    /dev/null

    This matches the worm on a base64 encoded line from its body. This is on the current variant I got flooded with; redirect the suckers to /dev/null. And if you get a NEW strain, just take an encoded body sample from it and make a new rule!
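    The three procmail rules in this thread (the attachment-extension filter in the first post, the longer extension list posted later, and the base64 body signature in this comment) re-implemented in Python as an added example; this is not code from any of the posters. It walks MIME parts with the standard library email module and scans raw body lines the way procmail's B flag does. The sample messages are constructed; the extension list and the signature string are the ones quoted in the thread.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions from the recipes in the thread: the first recipe used pif|exe|scr,
# the expanded list is the one posted later in the thread.
BLOCKED_EXT = {"vbs", "vsf", "vbe", "wsh", "hta", "scr", "pif", "com", "exe",
               "shs", "bat", "bas", "wav", "eml", "dll"}
# Body-signature rule: a base64 line from the Sobig.F sample quoted in the
# thread. Matching raw encoded text is cheap but only catches that exact
# variant; a re-encoded or re-packed copy will not match.
BODY_SIGNATURES = ("vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujHN",)


def drop_reasons(raw: bytes) -> list:
    """Return the reasons a message would go to /dev/null ([] means deliver)."""
    reasons = []
    msg = message_from_bytes(raw, policy=default)
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename= and falls back to
        # Content-Type name=, so a name=-only attachment is not missed (the
        # header-only procmail rule above would let it through).
        name = part.get_filename()
        if not name or "." not in name:
            continue
        ext = name.rsplit(".", 1)[1].lower()
        if ext in BLOCKED_EXT:
            reasons.append("attachment %r has blocked extension .%s" % (name, ext))
    # Like procmail's B flag, scan the raw body lines before any decoding.
    split = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = split[1] if len(split) == 2 else b""
    for line in body.splitlines():
        for sig in BODY_SIGNATURES:
            if line.startswith(sig.encode()):
                reasons.append("body line matches Sobig.F signature %s..." % sig[:8])
    return reasons


def should_drop(raw: bytes) -> bool:
    return bool(drop_reasons(raw))


def build_sample(filename, body):
    """Constructed test message (not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Wicked screensaver"
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"placeholder bytes, not a program",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


SAMPLE_WORM = build_sample("wicked_scr.scr", "See the attached file for details.")
SAMPLE_CLEAN = build_sample("agenda.txt", "Notes from Monday's meeting.")
# Constructed: headers, blank line, then a body line beginning with the signature.
SAMPLE_SIG = (b"From: x@example.com\nTo: y@example.com\nSubject: Thank you!\n"
              b"Content-Transfer-Encoding: base64\n\n"
              + BODY_SIGNATURES[0].encode() + b"AAAAAAAA\n")

if __name__ == "__main__":
    for label, sample in [("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN), ("sig", SAMPLE_SIG)]:
        print(label, "DROP" if should_drop(sample) else "deliver", drop_reasons(sample))
```

    Feed it a raw message on stdin and you get the same verdict procmail would give, plus the reason, which is what you want in a log before you start discarding mail unseen.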
  • by plover ( 150551 ) on Friday August 22, 2003 @01:02AM (#6762246) Homepage Journal
    And today I found two of sixty machines using "autoupdate" that suffered from corrupted cryptographic services such that they were unable to install the Microsoft patches. They silently failed to protect those machines. (Oh, sure, the users could have gone into event viewer and seen the failures. That's certainly what my coworkers do after every autoupdate.) The corruption appeared to have caused the antivirus auto-updates to fail as well.

    I also had another guy whose NT 4.0 box was rendered completely unbootable by the official patch. His only recourse was to upgrade the box to XP (the upgrade process managed to recover his old settings.)

    So don't tell me the "wonders" of autoupdate and how perfect your life is because of it. It's Microsoft software. Nowhere in the EULA do they claim it's going to work right. It may reduce your workload, it may keep some bad things from happening, but don't ever make the mistake of trusting it to always do so.

  • by Jugalator ( 259273 ) on Friday August 22, 2003 @01:57AM (#6762499) Journal
    By chance did this "crack" of encrypted IP addresses happen to involve tcpdump and setting to clock ahead? Just asking. ;-)

    Actually, the virus doesn't care about local time to see when to self-update. It checks the time against NTP servers and has done this since the SoBig.C incarnation.
  • by legojenn ( 462946 ) on Friday August 22, 2003 @02:01AM (#6762518) Homepage
    I shared a PC with my roommate for a while. I booted in Linux (except for games) and she booted up in XP. I set the default mail & browser clients to Mozilla, she would change them to IE & OE.

    She would get annoyed when she changed it back as she was more accustomed to OE for mail. She eventually got a virus and an email that she sent to an ex boyfriend got to her family, friends, neighbours, me, her son, maybe her current boyfriend......

    When it was explained that she did it to herself and that with Mozilla, it probably would have not happened, (with Linux it would have definitely not have happened), she became a happy Mozilla user.

    Sometimes, it just takes getting burned to get people to stop playing with OL & OE.

  • Wrong! (Score:3, Informative)

    by RMH101 ( 636144 ) on Friday August 22, 2003 @05:57AM (#6763311)
    As an example, I work with FDA approved and validated systems. You would not believe, and I can't be bothered, detailing the amount of documentation, version control and testing we use to guarantee 100% that the environment is *exactly* to spec.

    A new patch out from MS? Can we just stick it on? Nope. We need to test in depth, we need to formally do a performance qualification, and we need to document all this to the nth degree: this is medical data, and you can't take chances that a patch might affect it.

    Result? You don't rush out and patch stuff.

  • by mpe ( 36238 ) on Friday August 22, 2003 @08:32AM (#6763838)
    End users in most environments should not have the privileges that would allow them to infect themselves. Windows machines can be secured while still allowing users to get work done. Doing so requires a competent administrator.

    It depends what they are required to run. There is plenty of Windows software around where giving the user privs is the easiest way to get it to work. Possibly even the only thing the vendor recommends.
  • by Allah ( 253495 ) on Friday August 22, 2003 @09:58AM (#6764448) Homepage
    http://tinyurl.com/ku3u

    August 22, 2003 07:38 AM US Eastern Timezone

    A Potentially Massive Internet Attack Starts Today; Sobig.F Downloads and Executes a Mysterious Program on Friday at 19:00 UTC

    SAN JOSE, Calif.--(BUSINESS WIRE)--Aug. 22, 2003--F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today.
    Windows e-mail worm Sobig.F, which is currently the most widespread worm in the world, has created massive e-mail outages globally since it was found on Tuesday the 18th of August -- four days ago. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. Total amount of infected e-mails seen in the Internet since this attack started is close to 100 million.

    However, the Sobig.F worm has a surprise attack in its sleeve. All the infected computers are entering a second phase today, on Friday the 22nd of August, 2003. These computers are using atom clocks to synchronize the activation to start exactly at the same time around the world: at 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).

    On this moment, the worm starts to connect to machines found from an encrypted list hidden in the virus body. The list contains the address of 20 computers located in USA, Canada and South Korea.

    "These 20 machines seem to be typical home PCs, connected to the Internet with always-on DSL connections," says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "Most likely the party behind Sobig.F has broken into these computers and they are now being misused to be part of this attack."

    The worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a web address. Infected machines download a program from this address -- and run it. At this moment it is completely unknown what this mystery program will do.

    F-Secure has been able to break into this system and crack the encryption, but currently the web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyse it and come up with countermeasures," says Hypponen. "So apparently their plan is to change the web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."

    Right now, nobody knows what this program does. It could do damage, like deleting files or unleash network attacks. Earlier versions of Sobig have executed similar but simpler routines. With Sobig.E, the worm downloaded a program which removed the virus itself (to hide its tracks), and then started to steal users network and web passwords. After this the worm installed a hidden email proxy, which has been used by various spammers to send their bulk commercial emails through these machines without the owners of the computers knowing anything about it. Sobig.F might do something similar -- but we won't know until 19:00 UTC today.

    "As soon as we were able to crack the encryption used by the worm to hide the list of the 20 machines, we've been trying to close them down," explains Mikko Hypponen. F-Secure has been working with officials, authorities and various CERT organizations to disconnect these machines from the Internet. "Unfortunately, the writers of this virus have been waiting for this move too." These 20 machines are chosen from the networks of different operators, making it quite likely that there won't be enough time to take them all down by 19:00 UTC. Even if just one stays up, it will be enough for the worm.

    The advanced techniques used by the worm make it quite obvious it's not written by a typical teenage virus writer. The fact that previous Sobig variants were used by spammers on a large scale adds an element of financial gain. Who's behind all this? "Looks like organized crime to me," comments Mikko Hypponen.

    F-Secure is monitoring the
