From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Anybody know what Sobig.F has downloaded?

"Compton, Rich" <RCompton@...rtercom.com> wrote:

> As many of you know, the latest Sobig.F virus was scheduled to begin
> downloading unknown code from various IPs at 3:00 EST today on UDP port
> 8998.  ...

Not quite.

The target machines supply a URL (that is encoded with Sobig's string 
encoding routine) which Sobig then retrieves and executes.  Thus the 
"real code" comes from an unknown number of unknown machines.

> ...  Does anybody have any idea what this code is?  ...

It seems likely that it will be another remote access Trojan and/or a 
network proxy application.  Either or both are what previous variants 
of Sobig have downloaded through their "update" mechanisms.

Although the URL suggests it is Sobig.E-specific, the following 
analysis of the evolution of the Sobig family up to the Sobig.E variant 
is well worth reading:

   http://www.lurhq.com/sobig-e.html

It is also very relevant to Sobig.F as very little of the actual 
functionality of Sobig.E has been changed in the making of Sobig.F -- 
the only really notable change is the addition of the multi-threaded 
self-mailing (more on this below).

> ...  Are the infected boxes
> actually downloading code?  ...

They would, but not from the initial "contact list" machines.  As 
described above, Sobig.F-infected machines download the "real code" 
from locations pointed to by the "contact list" machines.

If you mean "are they now" the answer is no -- it seems all the 
"contact list" machines were disconnected from the Internet about an 
hour before "come and get it" time.  One hopes this was done cluefully 
after certain important forensic evidence had been appropriately 
gathered, or at least was known to then be present on the machines and 
the machines were suitably secured for forensic analysis.

> ...  Does anybody have an infected Windoze box with
> Sobig that can see what code was downloaded?

As I said, I believe that all the machines were disabled before the 
appointed time so I doubt anyone (apart from Sobig's writer) knows what 
was in store for its victims.

> Here's a link to some info at Sophos in case you are unfamiliar with this.  
> 
> http://www.sophos.com/virusinfo/articles/sobigextra.html

Yes, the media-whoring of certain parties begat several such pages...

> Looking at the infection rates of this virus, I'd say that it's pretty
> important that we find out what this code is and what it does ASAP!

Actually, I think it is disputable that Sobig.F has a high infection 
rate.  It certainly has generated a tsunami of viral Email messages 
that, coupled with all the back-wash that goes with such events (tons 
of bogus "you're infected" warnings from stupid Email gateway scanning 
systems to innocent, uninfected users, etc) has certainly caused a huge 
surge in Email traffic disrupting many Email-based services, other 
computer product suppliers and their helpdesk staff in particular.

However, all that does not necessarily correlate with a huge infection 
rate or level.  Because of its multi-threaded nature, Sobig.F's self-
mailing routine is much more capable of saturating the bandwidth 
available to its victim machines.  Combined with the ever-increasing 
adoption of broadband connections among Sobig's target demographic 
(SOHO users with very limited or no effective IT skills), this one 
change to Sobig's mailing routines may be quite capable of producing a 
much denser Email flood from a (possibly considerably) smaller 
contamination base.

Another interesting factoid that may also support the notion that 
Sobig.F has not infected (or at least, has not remained long enough 
after infecting to be of concern on) many machines is this:

   http://isc.sans.org/port_details.html?port=8998

There has been no huge spike in port 8998 traffic.  This may, of 
course, be due to reporting lag and I'll certainly be looking closely 
at this over the next few hours...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
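The post's two defensive observations (infected hosts poll a set of "contact list" machines over UDP port 8998 at the appointed hour, and the ISC port-8998 time series would show it) can be turned into a simple log check. The script below is an added example, not part of Nick's message or any Sobig analysis; it assumes a hypothetical firewall/flow log format and runs over constructed sample lines with made-up RFC 5737 addresses and timestamps placed around an activation hour. It flags hosts that contacted several distinct servers on the port (one datagram is noise; walking a list is the worm's pattern) and builds the per-hour count that a spike check would compare against baseline.

```python
"""Spot hosts whose outbound UDP traffic matches the Sobig.F port-8998
"contact list" check-in pattern, over constructed firewall log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed record format:
# "<ISO-8601 UTC timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-22T18:40:12Z UDP 10.0.0.5:1034 -> 203.0.113.10:53
2003-08-22T18:58:01Z UDP 10.0.0.7:4021 -> 198.51.100.20:8998
2003-08-22T18:59:44Z UDP 10.0.0.7:4022 -> 198.51.100.21:8998
2003-08-22T19:00:03Z UDP 10.0.0.7:4023 -> 198.51.100.22:8998
2003-08-22T19:00:05Z UDP 10.0.0.9:3301 -> 198.51.100.20:8998
2003-08-22T19:00:09Z TCP 10.0.0.5:1100 -> 203.0.113.44:80
2003-08-22T19:01:20Z UDP 10.0.0.9:3302 -> 198.51.100.23:8998
2003-08-22T19:02:00Z TCP 10.0.0.5:1101 -> 198.51.100.20:8998
2003-08-22T19:03:00Z UDP 10.0.0.12:2200 -> 198.51.100.20:8998
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def contact_attempts(log_text, port=8998, proto="UDP"):
    """Map each source host to the set of destinations it sent
    <proto> datagrams to on <port>. Unparseable lines are skipped."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == proto and rec["dport"] == port:
            seen[rec["src"]].add(rec["dst"])
    return dict(seen)


def suspicious_hosts(log_text, port=8998, min_destinations=2):
    """Hosts that reached at least min_destinations distinct servers on the
    port. A single datagram can be noise; polling several addresses in a
    row matches a worm walking its contact list."""
    hits = contact_attempts(log_text, port)
    return sorted(src for src, dsts in hits.items()
                  if len(dsts) >= min_destinations)


def hourly_counts(log_text, port=8998, proto="UDP"):
    """Count matching datagrams per UTC hour, the kind of time series the
    ISC port page aggregates; a jump at the activation hour is the signal."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == proto and rec["dport"] == port:
            counts[rec["ts"].strftime("%Y-%m-%dT%H")] += 1
    return counts


if __name__ == "__main__":
    attempts = contact_attempts(SAMPLE_LOG)
    for host in suspicious_hosts(SAMPLE_LOG):
        print("check host", host, "->", sorted(attempts[host]))
    for hour, n in sorted(hourly_counts(SAMPLE_LOG).items()):
        print(hour, n)
```

Note that the TCP line to port 8998 is deliberately ignored: the post describes a UDP contact, and matching on port alone would sweep in unrelated traffic. The hourly counter is the piece to keep watching, as the post says, since reporting lag can hide a spike for a while.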

