SoBig: Worst is Yet to Come
bl8n8r writes "Experts say when vacationers get back to work Monday, inboxes will unleash the worm's worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
Procmail finally (Score:5, Informative)
But >1000 100K e-mails per day to a single address were swamping our ability to do anything but download and delete.
It took two days of querying tech support at my ISP before they'd admit that procmail would work, and a quickie recipe dumps all the infected files. Yay. I should have just done it without checking tech support, for all they helped.
This was listed in a previous thread, but it's worth repeating:
In a
# Drop any message carrying a .pif, .exe or .scr attachment; the B flag makes
# procmail scan the body, where the MIME part headers live.
:0 B
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr)"
/dev/null
This deletes any message with a pif, exe or scr attachment.
I'll get more sophisticated later once I learn more about procmail, but for now, this does the job, without having to worry about SHELL and PATH settings.
Sorry - shoulda previewed (Score:5, Informative)
Re:Worst I've seen by FAR (Score:2, Informative)
Yeah, I've seen this too. And I *know* I'm not infected. I'm trying to figure out if the worm is making emails it sends look like bounced messages, or if it is spoofing my email address. Actually, I'd like to see some better research (or reporting) done on this. Initial reports [com.com] I read made it sound like it would only spoof 'well-known' domain names such as ibm.com or microsoft.com. I have seen it coming from friends of mine (who may or may not have been infected), as well as places like halliburton.com. I've seen the 'Wicked Screensaver' variation more than anything else.
Re:Ouch! (Score:2, Informative)
I'm a student consultant at my school [lehigh.edu] who helps other students with computer problems, and believe me, the network people in charge here are fully aware of this fact. For what we call "mass-install week", which means setting up all the new students, we're being told to enable the XP firewall, check for and remove Blaster, install patches from windowsupdate and explain to the student the importance of patching, and install the school's site-licensed copy of Norton.
Hopefully these sorts of measures, here and at other schools, will mitigate the damage.
Re:huh (Score:5, Informative)
237 W32/Yaha-E
235 W32/Klez-H
009 W32/Sircam-A
004 W32/Bugbear-B
003 Dial/PecDial-B
002 W32/Yaha-K
002 Troj/Peido-B
001 W32/Sobig-F
001 W32/Klez-E
001 W32/Bugbear-Dam
Only one Sobig so far... But Klez and Yaha numbers have been high for months. Too many of our users have front-facing email addresses (posted on our corporate website).
coming spike in old-fashioned spam (Score:5, Informative)
Looks like in addition to all the garbage we've been getting as a result of this virus propagating (the virus itself, attachment-free e-mailings by the virus, mis-directed automated notifications that "Your mail server sent us a virus", bounces to people whose addresses were spoofed by the virus, probably etc.), we can expect the infected computers to start being used as relays for the sending of "normal" spam [washingtonpost.com] -- with the corresponding spike in spam volume that would bring.
According to this article [washingtonpost.com]:
And Symantec [symantec.com]:
SoBIG infection (Score:1, Informative)
Shame on Symantec for not releasing a critical definition that all clients would auto download the night of discovery.
Re:RPC Patch (Score:5, Informative)
Re:Spammers and viruses (Score:4, Informative)
You don't need to wonder -- just read the news [reuters.com]:
It's long overdue for law enforcement to prosecute spammers for cracking (evasion of antispam filters, relay-raping, disseminating viruses to create zombie spamboxes, etc). Many of the people that do get prosecuted for cracking do less damage and target fewer victims (by several orders of magnitude) than the typical spammer.
amavis-new does just that! (Score:1, Informative)
Re:Sorry - shoulda previewed (Score:2, Informative)
(vbs|vsf|vbe|wsh|hta|scr|pif|com|exe|shs|bat|ba
and you should be set
Re:Cost Benefit Analysis (Score:3, Informative)
Only "exempt" employees can work overtime without being paid for it, and there are minimum salary requirements for most professions to have "exempt" status.
For technical work it's along the lines of $27/hour.
Re:Another brick in the wall (Score:3, Informative)
SoBig Clean up (Score:3, Informative)
Re:Ouch! (Score:3, Informative)
If you are unlucky some of your employees like chain letters and 'funny' mails, or mails with nude females (could we call those just femails?).
And then you have helpdesks and stuff, or really tech savvy people. 't is not that difficult getting 3 mails per minute.
Warper
Anti-virus Programmers Crack IP Encryption (Score:5, Informative)
The reason it took this long to get the IP addresses was that they were heavily encrypted in the code, and they couldn't do the usual "dump memory" trick when the virus was active, since the IP addresses were only stored in memory just when they were needed, then the memory was freed.
The anti-virus guys at F-Secure don't know what will happen if they don't shut down the 20 addresses in time, only that something might happen if they don't take down all addresses.
Unusually clever actually, since I usually find viruses to be rather poorly coded and much like a hack job, like the Blaster virus, which shouldn't have crashed the Windows computers and could have gone unnoticed much more efficiently. Anti-virus developers have also noticed this about SoBig, and it is not very exhibitionistic either, like viruses usually are. These signs suggest that it's more professional work than usual.
Re:Vacation? (Score:3, Informative)
Re:Cost Benefit Analysis (Score:2, Informative)
Re:$500 - $1000 (Score:1, Informative)
That's simply not true -- this trojan is a simple double-click-to-run and can vector in through anything that allows files to be copied.
In fact, the newer versions of MS mailers, which block these "dangerous" attachments, are significantly less risky than other clients.
Re:Some companies deserve it (Score:1, Informative)
Save your inbox with procmail (Score:4, Informative)
# Ignore W32/Sobig.f@MM
:0 B
* ^vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujH
/dev/null
This matches the worm on a base64 encoded line from its body. This is on the current variant I got flooded with; redirect the suckers to
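As an added example (not code from any of the posts), here are the same two checks as the procmail recipes above and in the earlier "Procmail finally" post, done with Python's email library so the header match and the body-signature match can be run on constructed messages. The extension list and the base64 fragment come from the thread; the sample messages, addresses and filenames are made up.

```python
"""Filter equivalent to the two procmail recipes posted in this thread (added
example, not the posters' code): drop a message whose MIME part carries an
attachment with a risky extension, or whose encoded body holds the base64 line
quoted for W32/Sobig.F@MM. Every sample message below is constructed."""
import re
from email import message_from_string

# Extensions from the first recipe (pif|exe|scr) plus the longer list in the
# follow-up; its truncated last entry ("ba") is omitted rather than guessed.
RISKY_EXT = re.compile(r"\.(vbs|vsf|vbe|wsh|hta|scr|pif|com|exe|shs|bat)$",
                       re.IGNORECASE)
# Base64 fragment of the worm body, copied from the posted ':0 B' recipe.
SOBIG_F_B64 = "vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujH"


def classify(raw: str) -> str:
    """Return 'drop:attachment', 'drop:sobig-body' or 'keep' for one message."""
    for part in message_from_string(raw).walk():
        # Same test as 'Content-Disposition: attachment; filename=...' above.
        name = part.get_filename()
        if name and RISKY_EXT.search(name):
            return "drop:attachment"
        # Same test as the ':0 B' recipe: search the still-encoded payload.
        if not part.is_multipart():
            payload = part.get_payload(decode=False)
            if isinstance(payload, str) and SOBIG_F_B64 in payload:
                return "drop:sobig-body"
    return "keep"


def _mime(filename: str, body_b64: str) -> str:
    """Build a constructed two-part message with one base64 attachment."""
    return (
        "From: spoofed@example.com\nTo: you@example.net\n"
        "Subject: Re: Wicked screensaver\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee the attached file.\n"
        "--b1\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        f"Content-Transfer-Encoding: base64\n\n{body_b64}\n--b1--\n"
    )


# Constructed samples: a .scr dropper, the worm body behind a renamed
# attachment, and a harmless PDF that must get through.
WORM_SCR = _mime("wicked_scr.scr", "TVqQAAMAAAAEAAAA")
WORM_RENAMED = _mime("details.dat", "AAAA" + SOBIG_F_B64 + "AAAA")
CLEAN_PDF = _mime("report.pdf", "JVBERi0xLjQK")
```

The renamed-attachment sample shows why the body-signature recipe is worth keeping alongside the extension check: it catches the worm even when the filename test does not fire.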
Re:Cost Benefit Analysis (Score:3, Informative)
I also had another guy whose NT 4.0 box was rendered completely unbootable by the official patch. His only recourse was to upgrade the box to XP (the upgrade process managed to recover his old settings.)
So don't tell me the "wonders" of autoupdate and how perfect your life is because of it. It's Microsoft software. Nowhere in the EULA do they claim it's going to work right. It may reduce your workload, it may keep some bad things from happening, but don't ever make the mistake of trusting it to always do so.
Re:Anti-virus Programmers Crack IP Encryption (Score:3, Informative)
Actually, the virus doesn't care about local time to see when to self-update. It checks the time against NTP servers and has done this since the SoBig.C incarnation.
Re:Cost Benefit Analysis (Score:2, Informative)
She would get annoyed when she changed it back as she was more accustomed to OE for mail. She eventually got a virus and an email that she sent to an ex boyfriend got to her family, friends, neighbours, me, her son, maybe her current boyfriend......
When it was explained that she did it to herself and that with Mozilla, it probably would have not happened, (with Linux it would have definitely not have happened), she became a happy Mozilla user.
Sometimes, it just takes getting burned to get people to stop playing with OL & OE.
Wrong! (Score:3, Informative)
A new patch out from MS? Can we just stick it on? Nope. We need to test in depth, we need to formally do a performance qualification, and we need to document all this to the nth degree: this is medical data, and you can't take chances that a patch might affect it.
Result? You don't rush out and patch stuff.
Re:Cost Benefit Analysis (Score:3, Informative)
It depends what they are required to run. There is plenty of Windows software around where giving the user privs is the easiest way to get it to work. Possibly even the only thing the vendor recommends.
what about this secondary attack on 8/22 (Score:2, Informative)
August 22, 2003 07:38 AM US Eastern Timezone
A Potentially Massive Internet Attack Starts Today; Sobig.F Downloads and Executes a Mysterious Program on Friday at 19:00 UTC
SAN JOSE, Calif.--(BUSINESS WIRE)--Aug. 22, 2003--F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today.
Windows e-mail worm Sobig.F, which is currently the most widespread worm in the world, has created massive e-mail outages globally since it was found on Tuesday the 18th of August -- four days ago. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. The total number of infected e-mails seen on the Internet since this attack started is close to 100 million.
However, the Sobig.F worm has a surprise attack up its sleeve. All the infected computers are entering a second phase today, on Friday the 22nd of August, 2003. These computers are using atomic clocks to synchronize the activation to start at exactly the same time around the world: at 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).
At this moment, the worm starts to connect to machines found in an encrypted list hidden in the virus body. The list contains the addresses of 20 computers located in the USA, Canada and South Korea.
"These 20 machines seem to be typical home PCs, connected to the Internet with always-on DSL connections," says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "Most likely the party behind Sobig.F has broken into these computers and they are now being misused to be part of this attack."
The worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a web address. Infected machines download a program from this address -- and run it. At this moment it is completely unknown what this mystery program will do.
F-Secure has been able to break into this system and crack the encryption, but currently the web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyse it and come up with countermeasures," says Hypponen. "So apparently their plan is to change the web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."
Right now, nobody knows what this program does. It could do damage, like deleting files or unleashing network attacks. Earlier versions of Sobig have executed similar but simpler routines. With Sobig.E, the worm downloaded a program which removed the virus itself (to hide its tracks), and then started to steal users' network and web passwords. After this the worm installed a hidden email proxy, which has been used by various spammers to send their bulk commercial emails through these machines without the owners of the computers knowing anything about it. Sobig.F might do something similar -- but we won't know until 19:00 UTC today.
"As soon as we were able to crack the encryption used by the worm to hide the list of the 20 machines, we've been trying to close them down," explains Mikko Hypponen. F-Secure has been working with officials, authorities and various CERT organizations to disconnect these machines from the Internet. "Unfortunately, the writers of this virus have been waiting for this move too." These 20 machines are chosen from the networks of different operators, making it quite likely that there won't be enough time to take them all down by 19:00 UTC. Even if just one stays up, it will be enough for the worm.
The advanced techniques used by the worm make it quite obvious it's not written by a typical teenage virus writer. The fact that previous Sobig variants were used by spammers on a large scale adds an element of financial gain. Who's behind all this? "Looks like organized crime to me," comments Mikko Hypponen.
F-Secure is monitoring the