|
Addict
Location: Dodging the ice pick
|
Quote:
Originally posted by Nizzle
Now we'll never know what the stage 2 payload was. Kind of disappointing.
|
From the NYTimes:
Quote:
Fearing PC Havoc, Gumshoes Hunt Down a Virus
By KATIE HAFNER and KIRK SEMPLE
t is common wisdom in the computer security world that the criminals are separated from their pursuers by only a few lines of cleverly written software.
Yesterday was a case in point.
As a computer virus named SoBig.F swamped e-mail inboxes, wreaking havoc on individual PC's and corporate computer systems, computer security experts around the world spent a tense day trying to stop a more potentially serious electronic time bomb from going off: SoBig carries an attachment that, if opened, instructs the infected computer to communicate with one of 20 host PC's that, most likely unknown to their owners, were planted with a mystery program.
But the experts did not know what would then happen to the infected machines, or what instructions they would be given. And so the race was on to find the 20 computers and isolate them from the rest of the Internet before they could potentially send out more malicious instructions to millions of computers. The time of the first attack was to be 3 p.m. Eastern time.
By late afternoon, computer experts, in collaboration with Internet service providers and law enforcement agencies around the world, declared a partial victory: they were able to decrypt the virus's software, find the 20 computers and take at least 17 offline. The Federal Bureau of Investigation also served a subpoena to an Internet service provider in Phoenix that the authorities say could be the source of the virus.
And though the experts feared the host computers might give out catastrophic instructions, like telling the infected machines to erase their hard drives or begin new attacks, Symantec Security Response, a team within the Symantec Corporation, the Internet security company, said the remaining three host machines had simply redirected computers to a pornographic Web site. It is not known whether the other 17 would have performed similarly.
"The people who are in charge have sidestepped another attack or the potential for bad things to happen," said Jimmy Kuo, a research fellow at Network Associates, another Internet security company.
SoBig is one in a series of computer viruses to threaten personal and corporate computers recently. Earlier this month, a program called Blaster and another called Nachi or Welchia were infecting hundreds of thousands of computers, although they appeared not to do severe damage. SoBig began showing up on Monday in e-mail inboxes with subject lines like "Thank you!" or "Re: Details" and "Re: Wicked screensaver." But the computer could be infected only if the recipient opened the attachment to the message.
Although commonly referred to as a computer virus, SoBig is considered a worm, because it operates independently. Unlike a virus, a worm does not attach itself to an existing computer file.
SoBig was written to run on Windows machines, and computers running the Macintosh and Linux operating systems were not affected.
Although SoBig had been around since last January, it has been modified continually. This, its sixth incarnation, included the electronic time bomb.
Yet from the moment this version first cropped up, a team of security sleuths with F-Secure, a computer security company in Helsinki, Finland, that sells antivirus software, had already begun taking it apart.
Before long, a group of eight engineers had homed in on a string of cleverly written code that the designers of SoBig had encrypted, and the engineers decided that was the nut they needed to crack.
By 3 p.m. on Thursday, after working around the clock, the engineers in Helsinki had decrypted the computer code. What they found was a list of 20 Internet Protocol, or I.P., addresses, linked to home computers in the United States, Canada and South Korea.
Further, they discovered a new twist. At 3 p.m. yesterday, tens of thousands of computers already infected with SoBig were supposed to connect to those 20 computers, using them as mere go-betweens, to retrieve a list of Web addresses. Once they were obtained, the machines infected with SoBig were supposed to download a program from those addresses.
What was supposed to happen after that no one knew, because "we stopped it," said Tony Magallanez, a systems engineer at F-Secure in San Jose.
To mitigate the threat, F-Secure engineers notified both the F.B.I. and the Internet service providers connected to the 20 computers. The addresses were then removed from the network by the Internet companies. In addition, the large telecommunications companies that provide the backbone for the Internet could have interceded and blocked all communication to those specific Internet addresses, Mr. Kuo said.
By 3 p.m., F-Secure had confirmed that 18 of the 20 target computers had been isolated and taken offline. (According to several security companies, the precise number fluctuated through the afternoon as they rechecked the computers.) Of the remaining computers, one had already been taken offline.
The host computers are most likely home PC's whose owners had no idea that their systems had been commandeered, experts said.
"I highly doubt the author of the virus owns these machines," said Johannes Ullrich, chief technology officer of SANS Internet Storm Center, a company in Bethesda, Md., that monitors Internet traffic.
Vincent Weafer, senior director of Symantec Security Response, said that when computer security technicians pretended to have an infected machine and sent messages to the host computers, they found that one of the host computers that was still on line was redirecting them to a pornography Web site. That allayed fears that the program could install a more virulent program on the infected computers, or send out more malicious worms.
Computer security experts said today that SoBig could be the largest virus yet in terms of the amount of e-mail it has generated. Other viruses have spread more quickly or have done more damage to systems and hardware, they said.
"The volume of this one is high," said Sharon Ruckman, senior director of Symantec Security Response in a telephone interview.
Although few companies reported wholesale computer shutdowns, the SoBig virus proved an enormous nuisance. Like gum on a shoe, it stuck around. By the end of the week, the virus had sent out tens of millions of unsolicited messages.
The F.B.I. is investigating the case under federal laws that prohibit computer intrusions, but no specific violations have been named.
"We don't know right now what violations have occurred until we've gathered all the facts," said Paul Bresson, an F.B.I. spokesman. "There might be something additional, like wire fraud."
Mr. Bresson said the F.B.I. was working closely with other agencies, including Homeland Security and private computer security firms.
Jeff Minor, chief executive of Easynews, an Internet service provider in Phoenix, said the F.B.I. served a subpoena to the company late yesterday morning.
Mr. Minor said he thought that a stolen credit card number was used to open an account on Easynews, and the SoBig worm was sent from that account. Mr. Minor said the account was opened seven minutes before the rogue program was sent out. He said it was embedded in an image and sent to an Internet news group devoted to pornography.
"Anyone trying to download that particular image in that news group would have been infected," Mr. Minor said.
Mr. Minor said the worm was posted to the network from a computer in Vancouver, British Columbia. "To the best of my knowledge it was at somebody's home," Mr. Minor said.
Although a broad cyberdisaster appeared to have been averted yesterday, computer security experts said computer users were not yet out of the woods. Infected computers will still be trying to connect to the master computers, they said, and will deluge the Internet with viral spam.
"We're still going to have millions of messages that the virus generates," Mr. Kuo said, adding that America Online has been blocking some 11 million SoBig e-mail messages a day.
To guard against infection, recipients should continue to delete e-mail messages containing suspicious attachments. The virus program is blocked by updated versions of most antivirus utility programs. "The No. 1 thing is, don't click on these attachments," Mr. Ullrich said.
Several Internet security sites are offering free software tools and step-by-step instructions on identifying and cleaning an infected computer.
SoBig, Mr. Ullrich said, is "just another pain in the neck for system administrators to deal with."
|
(Bold is mine) |
08-23-2003, 12:13 AM
