
SoBig: Worst is Yet to Come 683
bl8n8r writes "Experts say when vacationers get back to work Monday, inboxes will unleash the worm's worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
Finally. (Score:2, Funny)
Re:Finally. (Score:4, Funny)
Re:Finally. (Score:5, Funny)
No, child, it's a worm. That's why they named it after your penis.
Cost Benefit Analysis (Score:5, Funny)
Re:Cost Benefit Analysis (Score:5, Funny)
Re:Cost Benefit Analysis (Score:3, Funny)
why bother with computer viruses when the only thing you need is a big mouth and lawyers?
Re:Cost Benefit Analysis (Score:3, Funny)
You need a big mouth to fit around it, 'cuz it's SoBig.F!
Re:Cost Benefit Analysis (Score:4, Funny)
Re:Cost Benefit Analysis (Score:4, Funny)
Re:Cost Benefit Analysis (Score:3, Funny)
Re:Cost Benefit Analysis (Score:5, Interesting)
I have known many people that actually know they have a virus on their computer and don't make it the first priority in using their systems... if it is usable by them, they don't care.
Of course, this sort of person doesn't have the slightest understanding (or care) that their system is causing a variety of problems on other systems.
They only seem to care if it is causing THEM some problem.
I've long since given up trying to explain what is going on to these folks or the urgency of solving their own virus problem in a timely manner. I make sure that their system is as up-to-date as possible and make sure their virus protection software automatically updates as frequently as possible.
And, recently, these are the folks that I have broken my long standing rule on, and configured "Windows to update automatically" and not wait for the user to OK it.
Re:Cost Benefit Analysis (Score:5, Interesting)
Try this one:
"Some of these viruses have been known to attempt to destroy the computers of various military installations. The penalty in many countries for this is death. The penalty in YOUR country is a federal jail term. You may want to consider purchasing a $60 upgrade to your computer to help you avoid this problem in the future."
Re:Cost Benefit Analysis (Score:5, Funny)
"Some of these viruses have been known to attempt to destroy the computers of various military installations. The penalty in many countries for this is death. The penalty in YOUR country is a federal jail term. You may want to consider purchasing a $60 upgrade to your computer to help you avoid this problem in the future."
Thank God!
They've FINALLY started jailing people for being too stupid to own computers!
Re:Cost Benefit Analysis (Score:5, Funny)
You may want to consider purchasing a $60 upgrade to your computer to help you avoid this problem in the future.
read
You may want to consider installing Linux on your computer to help you avoid this problem in the future.
Re:no (Score:3, Interesting)
Incidentally, the first infection I ever had on a Mac was the old Macro Virus which appeared shortly after I first welcomed Microsoft (via Office) onto my machine. Ah Microsoft!
Re:Cost Benefit Analysis (Score:5, Funny)
This works surprisingly well. Even though it's a lie, they are spooked about it. If they pester me, I'll tell them the truth but add that viruses in the past have done this and probably will do it again.
Re:Cost Benefit Analysis (Score:5, Funny)
I'm sure it'll be more successful than
"Where do you want to go today?!?! Federal prison?!?! If not, upgrade now!"
Re:Cost Benefit Analysis (Score:4, Funny)
Could it be that they are planning to use the "virus downloaded the pr0n/mp3/..." defense should they ever be challenged about exactly what is on their computer?
Re:Cost Benefit Analysis (Score:3, Insightful)
So basically, MS gets control because users let it be so. Or am I way off on this?
Re:Cost Benefit Analysis (Score:3)
My company has an email policy that I wonder if it wouldn't go a long way in the ISP sector: they remove every executable attachment and replace it with a text file saying "no executable attachments." Period. Ends with a .EXE, .PIF, .COM, .DLL, .OCX, .VBS, whatever, they don't care, they delete it. MIME-type == executable? Delete it. They do at least virus-scan it before tossing it in the bit bucket, and let the text file reflect it with a polite variant
Re:Cost Benefit Analysis (Score:5, Funny)
That's my plan. Just pull the plug on the Wintel stuff, toss em in the trash and replace them with Macs running OS X.
Re:Cost Benefit Analysis (Score:5, Insightful)
I was being a little glib there, but it should be pointed out that the labor costs associated with managing all of this crap are pretty serious. Overtime charges, benefits and basic salary for a $74k employee for the last three days are running what? At least $1000k per employee. With eight IT dudes running around fixing all of the Wintel systems that's eight grand worth of new Macs that will have much better uptime and lower costs just from the last three days alone. Now, consider how many of these little virus and worm issues there have been in the past year.
Re:Cost Benefit Analysis (Score:5, Interesting)
No "IT dudes" worth anything will be "running around fixing" things. If they had done their job properly in the first place, they wouldn't have to fix anything at all.
Re:Cost Benefit Analysis (Score:5, Insightful)
does "doing their job properly" include preventing end-users from touching the keyboards? let's face it, the network that remains unused always stays in a stable, functioning state. put users on it and then things go wrong.
Re:Cost Benefit Analysis (Score:3, Informative)
I also had another guy whose NT 4.0 box was rendered completely
Re:Cost Benefit Analysis (Score:3, Informative)
It depends what they are required to run. There is plenty of Windows software around where giving the user privs is the easiest way to get it to work. Possibly even the only thing the vendor recommends.
Re:Cost Benefit Analysis (Score:5, Insightful)
I don't know what world you're living in, but it isn't the one I'm posting from. You can be a brilliant IT guy who does his job incredibly well, but if a corporation's policies (i.e. waiting until a patch has been regression tested with bespoke applications) have you running around fixing things, it's the CIO that's not "worth anything" and not the "IT dudes".
And, of course, in the case where you're paid $74k/year (as the parent post mentioned), You Do What You're Told, or you quickly lose said salary.
Wrong! (Score:3, Informative)
A new patch out from MS? Can we just stick it on? Nope. We need to test in depth, we need to formally do a performance qualification, and we need to document all this to the nth degree: this is medical data, and you can't take chances that a patch might affect
Mac Users = Naive (Score:3, Insightful)
Re:Cost Benefit Analysis (Score:5, Funny)
Yeah, and just think what both of those machines could do!
Re:Cost Benefit Analysis (Score:3, Informative)
Only "exempt" employees can work overtime without being paid for it, and there are minimum salary requirements for most professions to have "exempt" status.
For technical work it's along the lines of $27/hour.
Re:RPC Patch (Score:5, Funny)
Just this morning I changed a flat tire on a car that had a full tank of washer fluid and discovered this.
Re:RPC Patch (Score:3)
Re:RPC Patch (Score:3)
'Scuse me? And you're saying Macs are better?
Isn't this philosophy exactly why people buy Macs (Windows machines are too complex, so buy a Mac instead?).
N.
Re:RPC Patch (Score:5, Informative)
Worms worms and more worms (Score:5, Funny)
No Kidding.... (Score:2, Redundant)
-Cyc
Re:huh (Score:5, Informative)
237 W32/Yaha-E
235 W32/Klez-H
009 W32/Sircam-A
004 W32/Bugbear-B
003 Dial/PecDial-B
002 W32/Yaha-K
002 Troj/Peido-B
001 W32/Sobig-F
001 W32/Klez-E
001 W32/Bugbear-Dam
Only one Sobig so far... But Klez and Yaha numbers have been high for months. Too many of our users have front-facing email addresses (posted on our corporate website).
Is not a problem... (Score:2, Funny)
1: Write free software.
2: ?
3: Get inbox filled with worms and viruses.
4: Profit!
Skeptical (Score:3, Insightful)
Re:Skeptical (Score:5, Interesting)
Rather than blocking
So the virus scanner is scanning and moving to the infected folder literally thousands of these an hour. After it moves the infected message, it generates a nice email letting you know an email that was sent to you is currently in quarantine. Therefore this is generating even more work for the mail servers. Turning off this feature for a couple of days is apparently too much trouble.
The servers Exchange is running on are therefore hanging every few minutes with all the disk and processor activity. Everyone gets a message every few minutes about "please wait, connecting to server" until you get fed up and close Outlook down for the day.
This is the first virus I've ever seen to disrupt my work like this. But this is 100% the fault of our email admins who can't be bothered to write a couple of simple mail rules.
At the basic internet security zone Outlook can't even open
Microsoft has serious problems (Score:4, Insightful)
This should tell investors that they are wasting their money.
This should tell companies that they are wasting their money.
Someone, somewhere, will hopefully get a clue.
Re:Microsoft has serious problems (Score:5, Insightful)
school's in! (Score:3, Insightful)
Re:school's in! (Score:5, Funny)
Re:sad waste of time, effort and money. (Score:3, Insightful)
Because they are students computers. When you start going to college, you'll understand this.
With the kind of time and resources you have, you could have every one of those computers running Debian in a week. Yes, I imagine one person can sit over 3 or 4 hand installs an hour, just like I can. Practice makes perfect and you are sure to get better than that. Oh w
Re:school's in! (Score:3, Interesting)
I'm just dreading Saturday when the majority of them show up, it's only 200 students now and the technicians can't keep up.
Re:school's in! (Score:5, Interesting)
Procmail finally (Score:5, Informative)
But >1000 100K e-mails per day to a single address were swamping our ability to do anything but download and delete.
It took two days of querying tech support at my ISP before they'd admit that procmail would work, and a quickie recipe dumps all the infected files. Yay. I should have just done it without checking tech support, for all they helped.
This was listed in a previous thread, but it's worth repeating:
In a
:0 B
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr)"
/dev/null
This deletes any message with a pif, exe or scr attachment.
I'll get more sophisticated later once I learn more about procmail, but for now, this does the job, without having to worry about SHELL and PATH settings.
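As an added example (not code from the post above or from the macosxhints recipe), here is the same attachment filter written in Python over constructed messages, so the disguised double-extension case mentioned elsewhere in the thread ("photo.jpg.pif") can be checked: filenames are read from Content-Disposition or Content-Type, and only the last extension decides. The sample messages, addresses and the com/vbs additions to the extension list are assumptions.

```python
import email
from email import policy

# Extensions the thread proposes blocking outright: pif/exe/scr from the
# recipe above, com/vbs from a later comment.
BLOCKED_EXTENSIONS = {"pif", "exe", "scr", "com", "vbs"}


def final_extension(filename):
    """Last extension of a filename, lower-cased, or '' if it has none.

    'photo.jpg.pif' yields 'pif': Windows acts on the last extension even
    when Explorer hides it, so that is the one to judge."""
    name = filename.strip().rstrip(".")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def attachment_filenames(msg):
    """Declared filename of every leaf MIME part that has one.

    get_filename() reads Content-Disposition's filename= and falls back to
    Content-Type's name=, covering both ways a mailer labels a part."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_message):
    """Return ('drop' | 'deliver', offending_filenames) for a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    bad = [n for n in attachment_filenames(msg)
           if final_extension(n) in BLOCKED_EXTENSIONS]
    return ("drop" if bad else "deliver"), bad


# Constructed sample shaped like the worm mail the thread describes: a
# forged From, a one-line body and a .pif payload disguised as a .jpg.
# The base64 content is filler, not an executable.
SAMPLE_WORM_MAIL = """\
From: someone@example.com
To: victim@example.org
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

See the attached file for details.
--XYZ
Content-Type: application/octet-stream; name="photo.jpg.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg.pif"

QUJDREVGR0g=
--XYZ--
"""

# Constructed legitimate message with a PDF attachment, for contrast.
SAMPLE_CLEAN_MAIL = """\
From: colleague@example.org
To: victim@example.org
Subject: Minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain; charset="us-ascii"

Minutes attached.
--ABC
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--ABC--
"""
```

Calling classify(SAMPLE_WORM_MAIL) yields ('drop', ['photo.jpg.pif']) while the clean sample is delivered.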
Sorry - shoulda previewed (Score:5, Informative)
Better filters (Score:3, Insightful)
The enhancements suggested above are simple to implement, but are still crude band aids. While I doubt I would ever *really* want to receive an executable attachment (heck -- most places won't even let me SEND it, let alone receive it), I might want to
(a) log it
(b) bounce a 'hey stoopid' message back to legit senders to tell them that if they need to send me something, it shouldn't be an
Re:Procmail finally (Score:3, Funny)
Brain-dead auto-responders... (Score:5, Insightful)
You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field. I didn't send it, my Mac is not infected. You're just annoying me. Please go away.
At best, this is collateral damage. At worst, these rejection messages are actually advertising the IP addresses of infected systems. Should a virus drop a back door payload, this would multiply the damage.
k.
Re:Brain-dead auto-responders... (Score:3, Interesting)
Even worse... (Score:5, Insightful)
The situation is even worse than that: Most (all?) of the virus scanners sending me autoreplies correctly identified the virus as being Sobig -- which always uses spoofed source addresses.
Sending autoreplies is sometimes useful, but these scanners should at very least have a table which tells them, for each virus, whether an autoreply should be sent (ie, a table which specifies if a virus uses spoofed source addresses).
Re:Even worse... (Score:3, Insightful)
They don't even need a table. If the domain in the From address doesn't match any of the Received headers, just silently bin the thing. This would also handle heuristic scans which pick up new viruses that aren't in the scanner's database yet.
But I don't think the virus c
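An added example, not code from either poster: the Received-header check proposed in this reply combined with the per-virus spoof table from the parent comment, in Python over two constructed messages. The KNOWN_SPOOFERS table, the hostnames and the addresses are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Scanner detection names the thread lists that are known to forge the
# sender; a hit here means "never auto-reply for this one".
# Constructed table, keyed by names as a scanner would report them.
KNOWN_SPOOFERS = {"W32/Sobig-F", "W32/Klez-H"}


def from_domain(msg):
    """Domain part of the From address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def domain_seen_in_received(domain, msg):
    """True if the From domain, or a parent domain of it, names a host in
    the Received chain, i.e. the mail plausibly passed through that
    organisation's servers.  A string heuristic, as the comment above
    proposes, not proof of origin."""
    labels = domain.split(".")
    # mail.bigcorp.example.com -> {mail.bigcorp.example.com,
    #                              bigcorp.example.com, example.com}
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    received = " ".join(str(h) for h in msg.get_all("Received", [])).lower()
    for cand in candidates:
        # Whole labels only, so "example.com" does not hit "notexample.com".
        if re.search(r"(?<![\w-])" + re.escape(cand) + r"(?![\w-])", received):
            return True
    return False


def should_notify_sender(raw_message, detected_virus=None):
    """Decide whether a "you sent us a virus" auto-reply is warranted.

    Returns (decision, reason).  The spoof table is consulted first, then
    the Received-header check; anything doubtful is silently binned."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if detected_virus in KNOWN_SPOOFERS:
        return False, f"{detected_virus} forges the sender; a reply would misfire"
    domain = from_domain(msg)
    if not domain:
        return False, "no usable sender domain"
    if domain_seen_in_received(domain, msg):
        return True, f"{domain} appears in the Received chain"
    return False, f"{domain} absent from the Received chain; sender likely forged"


# Constructed sample: a worm mail forging a bigcorp address, received
# from a dial-up host that has nothing to do with bigcorp.
SPOOFED_SOBIG_MAIL = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.org with ESMTP id ABC123
Received: from PC-0815 (dialup-198-51-100-7.example.net [198.51.100.7])
    by mx.example.org with SMTP id XYZ789
From: alice@bigcorp.example.com
To: bob@example.org
Subject: Re: Thank you!

See the attached file for details.
"""

# Constructed sample: a genuine message relayed by bigcorp's own MTA.
LEGIT_MAIL = """\
Received: from smtp.bigcorp.example.com (smtp.bigcorp.example.com [192.0.2.25])
    by mx.example.org with ESMTP id DEF456
From: alice@bigcorp.example.com
To: bob@example.org
Subject: Quarterly figures

Numbers attached.
"""
```

The Received check alone already refuses the forged message; the table short-circuits it for worms the scanner has named.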
Re:Brain-dead auto-responders... (Score:3, Insightful)
They don't care. The point of those messages is not some public service of informing people that their computers are infected, the point is to advertise the virus software.
Actually, I take that back. I did get one scanner-autoreply today that included full headers, which let me track down the real culprit. But most of them are blate
Re:Brain-dead auto-responders... (Score:3, Interesting)
Someone on LiveJournal speculated that these messages were actually advertising, for the anti-virus product, and should be treated as spam/unsolicited bulk email.
I certainly agree that where the virus is known to spoof email addresses, it only makes
Re:Brain-dead auto-responders... (Score:5, Interesting)
Alternatively, if you're going to do the virus check after the mail's been accepted, it sure would be nice if the virus-checker programs kept track of which viruses usually forge the sender and which don't, so it can skip the bouncegrams on the forged ones.
Dave Farber's been mentioned in the press - his mailing list is very large and gets quoted a lot, so his address is in lots of people's mailboxes and gets forged a lot.
SoNice.ToSee.YouBack (Score:5, Funny)
Don't complain.
With SoMany.IT.Workers unemployed, SoBig.And.ItsVariants have a strangely positive side effect...
Re:SoNice.ToSee.YouBack (Score:3, Interesting)
Ouch! (Score:5, Interesting)
Normally we don't block emails with specific attachments at our post office because it takes too long to scan them. Our company of 100 people averages 14,000 legit email per day in and out, but with this outbreak as bad as it is (and not peaked yet!) the blocking is being instated tonight.
While musing with a programmer here who just moved her daughter into college, we brought up an interesting thought: Hundreds of thousands of college kids are moving back into dorms with huge fat pipes and Outlook style email clients on computers that haven't been patched since April or May. Yikes!
-Shadow
Re:math (Score:3, Funny)
Re:Ouch! (Score:3, Informative)
If you are unlucky some of your employees like chain letters and 'funny' mails, or mails with nude females (could we call those just femails?).
And then you have helpdesks and stuff, or really tech savvy people. 't is not that difficult getting 3 mails per minute.
Warper
Vacation? (Score:5, Insightful)
that seems like a pretty weak overall premise for an expected resurgence.
now if he said that he expects a steady stream of continued activity into early next month, due to all the people who take vacations throughout august - he might have a point.
but to suggest that these 'vacationers' will unleash the same spam deluge monday that the rest of the unwashed have given us this past week, is a bit shaky.
Re:Vacation? (Score:3, Insightful)
The rest of the victims got it in bits and pieces - but the vacationers will unleash it in hourly bursts, as they come into the office.
It'll only be a 10-20% boost, probably, but it'll be the biggest "all in one" boost.
Re:Vacation? (Score:3, Informative)
Slashdot Headline Concat Fun (Score:5, Funny)
"New Longhorn Screenshots Leaked. Sobig. Worst Is Yet To Come."
Yep. That just about says it all!
Another brick in the wall (Score:4, Insightful)
Accepting DRM/TPCA (otherwise unsigned code can run)
Outlawing P2P
Port filtering by ISPs
Accepting blind AutoUpdates
[US]Cheering on the Patriot Act[/US]
'outlawing' Spam
All in the name of 'security'. Insert obligatory Franklin quote: Those who would trade freedom for security will lose both, and deserve neither.
Re:Another brick in the wall (Score:3, Informative)
Read between the lines (Score:5, Insightful)
And who is Marc Sunner? He's the CTO of MessageLabs. And what does MessageLabs do, you ask? See for yourself, from the main page at messagelabs.com:
Email security today is a global issue which pervades whole organizations. Viruses, spam, pornographic material and other harmful or unwanted content represent a serious risk to your company. To combat these all too real threats, you need a total, proven and effective solution. Only MessageLabs can assure you of complete peace of mind from complete email security
$500 to $1000 to clean up each infected machine? Right, whatever Marc. And it's obvious you don't have *any* interest in propagating that baloney too. (on second thought, if you hire me to clean your machines, I'll do 5% discount off that price).
Another fine impartial article reposted by Slashdot. (By the way, the word you're looking for is "advertising")
The Slashdot story missed the interesting part... (Score:4, Insightful)
So is that the solution to spam? Maybe someone should write a worm that always has the same payload so it can be easily filtered. We never have to see the fake spam messages, the real spammers won't be able to send harder-to-filter messages, and the server owners of those loose servers will have an incentive to clean up their act with the worm eating up all of their bandwidth.
Actually, extending this, maybe the way to fight open machines is to cause the open machines to send themselves excessive traffic, rendering them fairly useless until their operators fix them, but not negatively impacting the rest of the net.
$500 - $1000 (Score:3, Interesting)
How much does Windows cost?
I know it's not really Microsoft's fault, since they had a patch and it's not their fault that people try to get email and stuff... But my users are rather annoyed. We all run Macs and either Mac OS X or FreeBSD servers so we're not vulnerable to this virus, but it's getting annoying just deleting the things. I can't imagine having to worry about getting infected on top of having to run Windows
We got almost all of ours (150 to 5 addresses) from one local government office. I emailed them when we narrowed down what machine they were coming from and the flow has stopped. We didn't get a Thank You or anything, but maybe our little government office doesn't want to publicly admit to running insecure systems.
I wonder if this $500 - $1000 per computer will be in the budget next year.
how can people fall for it... again (Score:5, Insightful)
What I find discouraging is that the lemmings are falling for it despite this being The Week of Teh Worm.
All the hopeful articles that have cited users claiming a new awareness of the risk of worms and virii seem to be pipe dreams.
Dumb users are dumb users and the more infectious and persistent the virus, the more networks are going to get hammered. Why oh why aren't all pif, scr, exe, com, and vbs attachments just blocked by the MDA? There is no good reason for allowing an end user the huge complexity of choosing whether or not to click on the latest attachment that's come to them from "the internet".
If the lemmings are getting suckered this week... when every news medium is blathering on about viruses worming their way through nuclear reactors and motor vehicle registration offices, what hope is there for when the attention has settled?
Save procmail recipe (Score:4, Interesting)
The idea is courtesy from the macosx forum [macosxhints.com]
Where I work... (Score:5, Funny)
That's right, we run $CO UnixWare. And since there are only 2 or 3 other copies of $CO UnixWare being used in the world, we don't have to worry about worms and viruses.
coming spike in old-fashioned spam (Score:5, Informative)
Looks like in addition to all the garbage we've been getting as a result of this virus propagating (the virus itself, attachment-free e-mailings by the virus, mis-directed automated notifications that "Your mail server sent us a virus", bounces to people whose addresses were spoofed by the virus, probably etc.), we can expect the infected computers to start being used as relays for the sending of "normal" spam [washingtonpost.com] -- with the corresponding spike in spam volume that would bring.
According to this article [washingtonpost.com]:
And Symantec [symantec.com]:
It's been abating in my corner of the internet (Score:5, Interesting)
There are still occasional storms, I guess as a new host gets infected nearby. But things are good compared to the last two days when I couldn't even listen to internet radio and plain old web browsing and e-mail were slow...
BTW I haven't seen any of the e-mails myself due to our spam filter but I have gotten some returned e-mail the virus sent and a non-tech friend who got this one and another friend (who's very non-tech) got last week's virus. I usually don't personally know the people who get these things, it has been a good week for discussing an OS upgrade to Linux with non-techies
SoBig ... So Annoying (Score:4, Interesting)
More annoying than the worm are all the "You are infected" warnings coming from clueless virus software. They make it through the spam filters.
PIF (Score:4, Interesting)
Re:PIF (Score:3, Interesting)
In an effort to be "friendly," newer versions of MS Windows default to hiding those oh-so-confusing file extensions from helpless users, so they'll typically see "foo" rather than "foo.pif". Even nastier are those infection files named things like "photo.jpg.pif". Windows dutifully hides the .pif extension, and the user sees "photo.jpg". Doesn't look so dangerous that way.
How did you get SoBig? (Score:5, Funny)
hardware nat/firewall? (Score:3, Insightful)
It could, of course, be turned off by corporate IT folk who don't want to have it, or by the intrepid home user who knows what they are doing, but for the unwashed masses, would just 'be there'.
Anyway, would this provide any actual protection? And could it pass the UI test for the standard user?
671 out of 693 from one IP... (Score:3, Interesting)
Not sure if he's a spammer that got infected, but the 'from' addresses are coming from a huge number of unique and seemingly 'real' addresses.
I finally just set up my mail server to drop connections from that IP.
A great new slogan (Score:5, Funny)
Some companies deserve it (Score:5, Interesting)
This week alone our entire department has been thrown around, manually patching EVERY box on the network. That's around 50,000 computers. Today alone I ran across probably 10 Windows NT boxes that were still running THE FIRST SERVICE PACK!
My point is, I do NOT feel sorry in the least when companies like 3M lose millions of dollars because they don't hire a competent IT department. Hell, out of the 20 guys I work with, only myself and two others graduated from a 4 year college. Whatever. For the last four days when full-timers have been bitching at me while I upgrade their PC because their order-tracking software won't work, I just smile and tell them "you get what you pay for. Tell your bosses to hire a competent IT department and you'll never have this problem again." Then I walk away and sigh because I know it'll never happen. Guess paying a contracting firm $40/hr so they can turn around and pay me $13/hr while they get to save themselves from paying benefits is worth the millions of dollars in downtime.
Hold M$ Accountable!!! (Score:3, Insightful)
Face it, most of us are in a technical position of some sort, and are looked upon for assistance because of the knowledge we possess.
My question is this: Who pays for our time? Is YOUR company expected to "eat" the costs of paying you for your time to sanitize their network from this malicious traversing code? Should it be the company's fault for utilizing software so prone to public vulnerabilities? Should the creators of the vulnerable software be held liable and accountable for their obvious flaws? Of course, tracking down the creators of the viruses is left up to the law enforcement officials and the persons charged with solving crimes. But, the viruses would not have existed if the vulnerabilities did not exist and were not exploited accordingly.
I understand that the Glock company cannot be held accountable if some person used their weapon to terminate somebody's life. However, in the act of homicide, there is a definitive exchange of decisions. In the case of the virus, the infected party neither intended to receive the virus, nor wanted the problems associated.
Conspicuous absence (Score:3, Interesting)
The SoBig worm is the latest in an outbreak that began 10 days ago with the so-called "Blaster" or "LovSan" worm which, by some estimates, infected more than 500,000 computers running the latest version of Microsoft Windows, the world's dominant operating system.
That's the only place Windows is mentioned, with regards only to Blaster.
xox,
Dead Nancy
SoBig Clean up (Score:3, Informative)
Anti-virus Programmers Crack IP Encryption (Score:5, Informative)
The reason it took this long to get the IP addresses was because they were heavily encrypted in the code and they couldn't do the usual "dump memory" trick when the virus was active since the IP addresses were only stored in memory just when they were needed, then the memory was freed.
The anti-virus guys at F-Secure don't know what will happen if they don't shut down the 20 addresses in time, only that something might happen if they don't take down all addresses.
Unusually clever actually, since I usually find viruses to be rather poorly coded and much like a hack job, like the Blaster virus that shouldn't have crashed the Windows computers much more efficiently go unnoticed. Anti-virus developers have also noticed this about SoBig and it is not very exhibitionistic either, like viruses usually are. These signs suggest that it's a more professional work than usual.
Re:Anti-virus Programmers Crack IP Encryption (Score:4, Funny)
Re:Anti-virus Programmers Crack IP Encryption (Score:3, Informative)
Actually, the virus doesn't care about local time to see when to self-update. It checks the time against NTP servers and has done this since the SoBig.C incarnation.
college computers booted from network for worm (Score:3, Interesting)
it seems like a pretty good way to go about preventing it from spreading, and even non-techies at my school will jump on the patch once they read the part about getting kicked off the net (read: AIM/Kazaa/email)
The law needs to assign responsibility (Score:4, Insightful)
Email notification: A cure worse than the disease (Score:5, Interesting)
My experience with this virus may be abnormal, but I have to completely disagree with that statement. As a dispatch tech for a large state university, I've been up to my eyes in emails related to the virus, but have only found However, the amount of email traffic on campus has been mind-boggling -- it even took down our mail servers a few times. And less than 10% of the emails were from the virus. Most of them were f*cking auto-notification emails from other servers that someone had sent the damn virus, which thanks to the spoofing feature, was almost never true. Why don't server admins turn off such notifications when dealing with a mass-mailer/spoofer virus? All these assorted servers managed to do was clog up our mail server with these meaningless "you have sent us a virus" emails that do nothing but contribute to any damage the does!!
IMHO, the REAL cost of dealing with this virus was bearing the burden of 100,000 stupid auto-generated emails that other servers were sending us, in response to emails that didn't even come from us.
Save your inbox with procmail (Score:4, Informative)
# Ignore W32/Sobig.f@MM
:0 B
* ^vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujH
/dev/null
This matches the worm on a base64 encoded line from its body. This is on the current variant I got flooded with; redirect the suckers to
Re:lesson (Score:5, Funny)
Re:Worst I've seen by FAR (Score:5, Insightful)
Re:Spammers and viruses (Score:4, Informative)
You don't need to wonder -- just read the news [reuters.com]:
It's long overdue for law enforcement to prosecute spammers for cracking (evasion of antispam filters, relay-raping, disseminating viruses to create zombie spamboxes, etc). Many of the people that do get prosecuted for cracking do less damage and target fewer victims (by several orders of magnitude) than the typical spammer.
Re:Sobig not really M$'s fault (Score:5, Interesting)