lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: Sobig has a surprise...

All the experts were totally faked out. While everyone was concentrating
on getting the "magic 20" machines shut down, no one realized that
different copies of Sobig.f had different lists of servers to contact.

We put a block of udp port 8998 on our firewall this morning. We had 3
previously undetected infected machines on our network, each of which
tried to contact a different list of 20 machines. One of the lists
corresponds to the one that Sophos and others have published. The other
two lists have no addresses in common with the published list, or with
each other.

I wonder how many different sets of servers there were, how many
different variants of Sobig.f there were, and how many infected machines
now have some additional trojan, worm, or ddos code waiting for a
command to do something.

Jerry

-----Original Message-----
From: Jamie L Thompson [mailto:jlt@...theon.com] 
Sent: Friday, August 22, 2003 3:17 PM
To: Florian Weimer
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Sobig has a surprise...



Sophos has the list of ips posted. 




Florian Weimer <fw@...eb.enyo.de> 
Sent by: full-disclosure-admin@...ts.netsys.com 
08/22/2003 03:19 PM         
        To:        Steve Postma <spostma@...vizon.com> 
        cc:        "'full-disclosure@...ts.netsys.com'"
<full-disclosure@...ts.netsys.com> 
        Subject:        Re: [Full-Disclosure] Sobig has a surprise...


Steve Postma <spostma@...vizon.com> cites:

> However, the Sobig.F worm has a surprise attack in its sleeve." 

>From the web site:

| "As soon as we were able to crack the encryption used by the worm to
| hide the list of the 20 machines, we've been trying to close them
| down", explains Mikko Hypponen.

18 of 20 addresses where known to the AV community since Tuesday.  I
don't know what F-Secure is doing here.

Why don't they publish the list of IP addresses so that people can put
filters on their networks?

*sigh*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ