[<prev] [next>] [day] [month] [year] [list]
Message-ID: <41B1FD84D49E05448A4233378E6BF475163BEA@entmsgnt03.fm.frd.fmlh.edu>
From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: Sobig has a surprise...
After reviewing the actual firewall logs I find my initial report was not entirely correct. There were two variants, not three, and the second variant contacted a list of 5 hosts, none of which were on the "big" list of 20 hosts.
The second list of five addresses (all seem to be on cable or dsl networks) is given below.
List published by Sophos and others
12.158.102.205
12.232.104.221
24.33.66.38
24.197.143.132
24.202.91.43
24.206.75.137
24.210.182.156
61.38.187.59
63.250.82.87
65.92.80.218
65.92.186.145
65.95.193.138
65.93.81.59
65.177.240.194
66.131.207.81
67.9.241.67
67.73.21.6
68.38.159.161
68.50.208.96
218.147.164.29
Addresses contacted by infected systems on our network
Infected machine 1
67.164.250.26/8998
129.244.36.194/8998
67.73.60.121/8998
218.146.139.246/8998
66.169.84.77/8998
Infected machine 2
67.164.250.26/8998
129.244.36.194/8998
67.73.60.121/8998
218.146.139.246/8998
66.169.84.77/8998
Infected machine 3
68.50.208.96/8998
12.232.104.221/8998
218.147.164.29/8998
24.33.66.38/8998
12.158.102.205/8998
24.197.143.132/8998
24.206.75.137/8998
24.202.91.43/8998
24.210.182.156/8998
61.38.187.59/8998
65.92.80.218/8998
63.250.82.87/8998
65.92.186.145/8998
I don't believe we can get a copy of the virus off the machines with the variant. The machines don't belong to us, even though they are on our network.
Jerry
-----Original Message-----
From: Andre Ludwig [mailto:ALudwig@...fingroup.com]
Sent: Friday, August 22, 2003 6:33 PM
To: Jerry Heidtke
Subject: RE: [Full-Disclosure] Sobig has a surprise...
Anyway you could possibly capture a copy of your variant and post it on the
web in a zip file. I would also be interested in seeing the list of ips
that you have.
Andre Ludwig, CISSP
-----Original Message-----
From: Jerry Heidtke [mailto:jheidtke@...h.edu]
Sent: Friday, August 22, 2003 3:11 PM
To: Jamie L Thompson; Florian Weimer
Cc: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Sobig has a surprise...
All the experts were totally faked out. While everyone was concentrating
on getting the "magic 20" machines shut down, no one realized that
different copies of Sobig.f had different lists of servers to contact.
We put a block of udp port 8998 on our firewall this morning. We had 3
previously undetected infected machines on our network, each of which
tried to contact a different list of 20 machines. One of the lists
corresponds to the one that Sophos and others have published. The other
two lists have no addresses in common with the published list, or with
each other.
I wonder how many different sets of servers there were, how many
different variants of Sobig.f there were, and how many infected machines
now have some additional trojan, worm, or ddos code waiting for a
command to do something.
Jerry
-----Original Message-----
From: Jamie L Thompson [mailto:jlt@...theon.com]
Sent: Friday, August 22, 2003 3:17 PM
To: Florian Weimer
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Sobig has a surprise...
Sophos has the list of ips posted.
Florian Weimer <fw@...eb.enyo.de>
Sent by: full-disclosure-admin@...ts.netsys.com
08/22/2003 03:19 PM
To: Steve Postma <spostma@...vizon.com>
cc: "'full-disclosure@...ts.netsys.com'"
<full-disclosure@...ts.netsys.com>
Subject: Re: [Full-Disclosure] Sobig has a surprise...
Steve Postma <spostma@...vizon.com> cites:
> However, the Sobig.F worm has a surprise attack in its sleeve."
>From the web site:
| "As soon as we were able to crack the encryption used by the worm to
| hide the list of the 20 machines, we've been trying to close them
| down", explains Mikko Hypponen.
18 of 20 addresses where known to the AV community since Tuesday. I
don't know what F-Secure is doing here.
Why don't they publish the list of IP addresses so that people can put
filters on their networks?
*sigh*
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.
Powered by blists - more mailing lists