Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 08-23-2003, 12:13 AM   #1 (permalink)
Sexy eh?
 
Location: Sweden
Sobig.f -worm attack stoped!

Sobig virus information from http://www.f-secure.com

Quoted from: http://www.f-secure.com/v-descs/sobig_f.shtml

Quote:
F-Secure Virus Descriptions

Radar Alert LEVEL 1
NAME: Sobig.F
ALIAS: W32/Sobig.F@mm

THIS VIRUS IS RANKED AS LEVEL 1 ALERT
UNDER F-SECURE RADAR.
For more information, see:
http://www.F-Secure.com/products/radar/


A new variant of Sobig, known as Sobig.F was first found on August 19th, 2003 and it is spreading in the wild.

Sobig.F activates on Friday the 22nd of August at 19:00 UTC. For information on this, please see:
http://www.f-secure.com/news/items/n...03082200.shtml

Update on 16:00 UTC

F-Secure can confirm that 18 of the 20 master servers are currently down or unreachable.

Update on 17:00 UTC

F-Secure can confirm that 17 of the 20 master servers are currently down. Apparently one of the machines was not disconnected by an ISP and has been booted up by its owner.

We're working together with CERTs, FBI and Microsoft to stop the last three.

Update on 18 UTC

F-Secure can confirm that ALL the master server machines are currently down or unreachable. One of them seems to still respond to PING but not to 8998 UDP.

We have one hour to go to see if this really is the case.

Update on 18:20 UTC

Unfortunately one server is up right now after all. And one might be enough for the attack to start succesfully.

Update on 19:00 UTC

When deadline for the attack was passed, one machine was still (somewhat) up. However, immediately after the deadline, this machine (located in the USA) was totally swamped under network traffic.

We've tried connecting to it, just like the virus does. We do this from three different sensors from three different machines in three different countries. We haven't been able to connect to it once. If we can't connect, neither can the viruses.

So the attack failed.

We'll keep monitoring until 22:00 UTC. If we're not able to connect once, we can safely say that the attack was prevented.

Update on 19:50 UTC

Still not a single connection from any of our sensors to any of the servers.

Update on 21:30 UTC

Situation is still the same. Things look good.

Update on 22:00 UTC

The official attack time on Friday has ended. All 20 machines were inaccessible throughout the attack.

Now we are investigating random UDP traffic that has been seen in the net, possibly relating to the worm.


Disinfection Instructions


Disinfection Tool

F-Secure provides the special tool to disinfect the Sobig.F worm. The tool and disinfection instructions are available at:

http://www.f-secure.com/tools/f-sobig.zip
http://www.f-secure.com/tools/f-sobig.txt
http://www.f-secure.com/tools/f-sobig.exe
http://www.f-secure.com/tools/f-sobig.jar


You can also download them from our FTP server:

ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.txt
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.jar



Detailed Description

Sobig sends massive amounts of mail. The sender information of these mails is wrong and doesn't indicate the real infected user.



The attachment has a size of around 70KB and it's packed with TELock. It has its own SMTP engine, apart from routines to query directly DNS servers and make requests using the Network Time Protocol.

The worm will also attempt to fetch a URL from where to download components when certain conditions are met. The condition, in this case, is that the time which is obtained from one the NTP servers (which addresses it has hard-coded inside its code) is Friday or Sunday (regardless of the week) between 19:00 and 22:00 UTC time. The worm will perform this test every hour.

When the condition meets, it will attempt to retrieve an URL from a predefined list of 20 master hosts. The content of the URL will be downloaded and executed on the infected machines.

The list of NTP servers, used to coordinate the download of the URL is: (This is not the list of master servers)

Code:
 200.68.60.246
 62.119.40.98
 150.254.183.15
 132.181.12.13
 193.79.237.14
 131.188.3.222
 131.188.3.220
 193.5.216.14
 193.67.79.202
 133.100.11.8
 193.204.114.232
 138.96.64.10
 chronos.cru.fr
 212.242.86.186
 128.233.3.101
 142.3.100.2
 200.19.119.69
 137.92.140.80
 129.132.2.21

Deactivation routine

The worm will stop spreading on 10th of September 2003. From this date onwards the worm will exit immediately when executed.

Infection

It will install itself into:


%windir%\winppr32.exe

Proceeding then to add the following keys to the Windows Registry:


[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX" = %windir%\winppr32.exe /sinc

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX" = %windir%\winppr32.exe /sinc

So it's started when Windows does.


Mail spreading

The worm usually arrives in e-mails with the following characteristics:

From:


The 'From:' field is filled with an address found from the infected system.
If no address is found, it will use "admin@internet.com"

To:


The 'To:' field is filled with an address found from the infected system.

Subject, any from the list:


Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

Body, it chooses one from the two following lines:

See the attached file for details
Please see the attached file for details.


Attachment names can be any from:

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

Sometimes the attachment is missing.

Also, the mail header always contains this string: "X-MailScanner: Found to be clean". Do note that there's an anti-virus product which inserts this header to emails.

Sobig history

The following table shows all the Sobig variants, with their expiration dates and when they were first found in the wild. The "Detection" field refers to when we first had databases which detected the corresponding variant.


Variant _____ Found ______ Expires __________ Detection
_____________________________________________________________
Sobig.A ___ January 9th ___ NO ______________ 2003-01-09_04
Sobig.B ___ May 18th _____ May 31st _________ 2003-05-19_03
Sobig.C ___ May 31st _____ June 8th _________ 2003-06-01_01
Sobig.D ___ June 18th __ __ July 2nd ________ _ 2003-06-18_03
Sobig.E ___ June 25th __ __ July 14th _________ 2003-06-26_02
Sobig.F ___ August 19th ___ September 10th ___ 2003-08-19_02
_____________________________________________________________



Detection

F-Secure Anti-Virus detects the worm with:

[FSAV_Database_Version]
Version=2003-08-19_02


[Description: Ero Carrera, Veli-Jussi Kesti; 19th of August, 2003]
__________________
Life is shit,
Death is even worse,
So what's the point of killing yourself?
/Ignatius Camryn Paladine
Regziever is offline  
Old 08-23-2003, 01:14 AM   #2 (permalink)
God-Hating Liberal
 
Location: Silicon Valley, CA
Now we'll never know what the stage 2 payload was. Kind of disappointing.
__________________
Nizzle
Nizzle is offline  
Old 08-23-2003, 02:22 AM   #3 (permalink)
Follower of Ner'Zhul
 
RelaX's Avatar
 
Location: Netherlands
I feel so sorry for people still opening emails with attachments without fully trusting them... especially screensavers... it must be tough to use a computer with 1 IQ point.
__________________
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents.
- Nathaniel Borenstein
RelaX is offline  
Old 08-23-2003, 06:54 AM   #4 (permalink)
Addict
 
Location: Dodging the ice pick
Quote:
Originally posted by Nizzle
Now we'll never know what the stage 2 payload was. Kind of disappointing.
From the NYTimes:
Quote:
Fearing PC Havoc, Gumshoes Hunt Down a Virus
By KATIE HAFNER and KIRK SEMPLE



t is common wisdom in the computer security world that the criminals are separated from their pursuers by only a few lines of cleverly written software.

Yesterday was a case in point.

As a computer virus named SoBig.F swamped e-mail inboxes, wreaking havoc on individual PC's and corporate computer systems, computer security experts around the world spent a tense day trying to stop a more potentially serious electronic time bomb from going off: SoBig carries an attachment that, if opened, instructs the infected computer to communicate with one of 20 host PC's that, most likely unknown to their owners, were planted with a mystery program.

But the experts did not know what would then happen to the infected machines, or what instructions they would be given. And so the race was on to find the 20 computers and isolate them from the rest of the Internet before they could potentially send out more malicious instructions to millions of computers. The time of the first attack was to be 3 p.m. Eastern time.

By late afternoon, computer experts, in collaboration with Internet service providers and law enforcement agencies around the world, declared a partial victory: they were able to decrypt the virus's software, find the 20 computers and take at least 17 offline. The Federal Bureau of Investigation also served a subpoena to an Internet service provider in Phoenix that the authorities say could be the source of the virus.

And though the experts feared the host computers might give out catastrophic instructions, like telling the infected machines to erase their hard drives or begin new attacks, Symantec Security Response, a team within the Symantec Corporation, the Internet security company, said the remaining three host machines had simply redirected computers to a pornographic Web site. It is not known whether the other 17 would have performed similarly.

"The people who are in charge have sidestepped another attack or the potential for bad things to happen," said Jimmy Kuo, a research fellow at Network Associates, another Internet security company.

SoBig is one in a series of computer viruses to threaten personal and corporate computers recently. Earlier this month, a program called Blaster and another called Nachi or Welchia were infecting hundreds of thousands of computers, although they appeared not to do severe damage. SoBig began showing up on Monday in e-mail inboxes with subject lines like "Thank you!" or "Re: Details" and "Re: Wicked screensaver." But the computer could be infected only if the recipient opened the attachment to the message.

Although commonly referred to as a computer virus, SoBig is considered a worm, because it operates independently. Unlike a virus, a worm does not attach itself to an existing computer file.

SoBig was written to run on Windows machines, and computers running the Macintosh and Linux operating systems were not affected.

Although SoBig had been around since last January, it has been modified continually. This, its sixth incarnation, included the electronic time bomb.

Yet from the moment this version first cropped up, a team of security sleuths with F-Secure, a computer security company in Helsinki, Finland, that sells antivirus software, had already begun taking it apart.

Before long, a group of eight engineers had homed in on a string of cleverly written code that the designers of SoBig had encrypted, and the engineers decided that was the nut they needed to crack.

By 3 p.m. on Thursday, after working around the clock, the engineers in Helsinki had decrypted the computer code. What they found was a list of 20 Internet Protocol, or I.P., addresses, linked to home computers in the United States, Canada and South Korea.

Further, they discovered a new twist. At 3 p.m. yesterday, tens of thousands of computers already infected with SoBig were supposed to connect to those 20 computers, using them as mere go-betweens, to retrieve a list of Web addresses. Once they were obtained, the machines infected with SoBig were supposed to download a program from those addresses.

What was supposed to happen after that no one knew, because "we stopped it," said Tony Magallanez, a systems engineer at F-Secure in San Jose.

To mitigate the threat, F-Secure engineers notified both the F.B.I. and the Internet service providers connected to the 20 computers. The addresses were then removed from the network by the Internet companies. In addition, the large telecommunications companies that provide the backbone for the Internet could have interceded and blocked all communication to those specific Internet addresses, Mr. Kuo said.

By 3 p.m., F-Secure had confirmed that 18 of the 20 target computers had been isolated and taken offline. (According to several security companies, the precise number fluctuated through the afternoon as they rechecked the computers.) Of the remaining computers, one had already been taken offline.

The host computers are most likely home PC's whose owners had no idea that their systems had been commandeered, experts said.

"I highly doubt the author of the virus owns these machines," said Johannes Ullrich, chief technology officer of SANS Internet Storm Center, a company in Bethesda, Md., that monitors Internet traffic.

Vincent Weafer, senior director of Symantec Security Response, said that when computer security technicians pretended to have an infected machine and sent messages to the host computers, they found that one of the host computers that was still on line was redirecting them to a pornography Web site. That allayed fears that the program could install a more virulent program on the infected computers, or send out more malicious worms.

Computer security experts said today that SoBig could be the largest virus yet in terms of the amount of e-mail it has generated. Other viruses have spread more quickly or have done more damage to systems and hardware, they said.

"The volume of this one is high," said Sharon Ruckman, senior director of Symantec Security Response in a telephone interview.

Although few companies reported wholesale computer shutdowns, the SoBig virus proved an enormous nuisance. Like gum on a shoe, it stuck around. By the end of the week, the virus had sent out tens of millions of unsolicited messages.

The F.B.I. is investigating the case under federal laws that prohibit computer intrusions, but no specific violations have been named.

"We don't know right now what violations have occurred until we've gathered all the facts," said Paul Bresson, an F.B.I. spokesman. "There might be something additional, like wire fraud."

Mr. Bresson said the F.B.I. was working closely with other agencies, including Homeland Security and private computer security firms.

Jeff Minor, chief executive of Easynews, an Internet service provider in Phoenix, said the F.B.I. served a subpoena to the company late yesterday morning.

Mr. Minor said he thought that a stolen credit card number was used to open an account on Easynews, and the SoBig worm was sent from that account. Mr. Minor said the account was opened seven minutes before the rogue program was sent out. He said it was embedded in an image and sent to an Internet news group devoted to pornography.

"Anyone trying to download that particular image in that news group would have been infected," Mr. Minor said.

Mr. Minor said the worm was posted to the network from a computer in Vancouver, British Columbia. "To the best of my knowledge it was at somebody's home," Mr. Minor said.

Although a broad cyberdisaster appeared to have been averted yesterday, computer security experts said computer users were not yet out of the woods. Infected computers will still be trying to connect to the master computers, they said, and will deluge the Internet with viral spam.

"We're still going to have millions of messages that the virus generates," Mr. Kuo said, adding that America Online has been blocking some 11 million SoBig e-mail messages a day.

To guard against infection, recipients should continue to delete e-mail messages containing suspicious attachments. The virus program is blocked by updated versions of most antivirus utility programs. "The No. 1 thing is, don't click on these attachments," Mr. Ullrich said.

Several Internet security sites are offering free software tools and step-by-step instructions on identifying and cleaning an infected computer.

SoBig, Mr. Ullrich said, is "just another pain in the neck for system administrators to deal with."
(Bold is mine)
__________________
COYW
darkure is offline  
Old 08-23-2003, 07:45 AM   #5 (permalink)
Über-Rookie
 
Location: No longer, D.C
that was an interesting few days of work though... we just went around to the machines patching them and scanning for any virii that may still be on the machines..

we actually ended up cleaning a lot of somewhat dormant virii that were already patched on most machines, but a few machines were missed for some reason.
__________________
"All that we can do is just survive.
.All that we can do to help ourselves is stay alive." - Rush
oblar is offline  
Old 08-23-2003, 07:48 AM   #6 (permalink)
The GrandDaddy of them all!
 
The_Dude's Avatar
 
Location: Austin, TX
i've been checking symatec for an updated virus def and i havent been able to get any.

liveupdate says that i have all the updates.

i'm not infected
__________________
"Luck is what happens when preparation meets opportunity." - Darrel K Royal
The_Dude is offline  
Old 08-23-2003, 08:47 AM   #7 (permalink)
Sexy eh?
 
Location: Sweden
What i fear now is the next version of the virus, will it be even more potent and utilize a malicious second payload instead of the usual spam routines.
__________________
Life is shit,
Death is even worse,
So what's the point of killing yourself?
/Ignatius Camryn Paladine
Regziever is offline  
Old 08-23-2003, 02:03 PM   #8 (permalink)
Pro Libertate
 
Location: City Gecko
Me, safe as houses!

Worry about the next Lovesan/MsBlaster with a decent payload.

If (Capital I) those people decide to bring down Information driven commerce, they will.

SoBig.F (or whatever) only effected unprotected emaill, small change!
__________________
[color=bright blue]W[/color]e Stick To Glass

"If three of us travel together, I shall find two teachers."
Confucious

Mad_Gecko is offline  
 

Tags
attack, sobigf, stoped, worm


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 07:46 AM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360