Message-ID: <3F5A7365.22747.CDD99A86@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Anybody know what Sobig.F has downloaded?
A few days ago "Ferris, Robin" <R.Ferris@...ier.ac.uk> wrote:
> Old news, what most of us are waiting for is the next Sobig variant that
> will come out after Sept 10. Some have said that it will be out on the 11th
> but I think that was just the AV vendors hyping things up (read Symantec,
> NAI etc.); the smaller ones are more accurate.
I'd not be surprised if we see it sooner, and I mean sooner than 10
September. There is no "need" for Sobig's writer to wait until then to
release the next variant, and at least one previous "next variant" was
released "early". Given that Sobig.F has been all but a complete
failure (in terms of what it seems intended to achieve -- grow the
relay and proxy network of the spammers posited to be behind it), it
would not be surprising if the next variant were released "ahead of
schedule".
> For info on the 2nd part go to sophos or something like that they have
> documented it quite well.
You are badly mistaken.
Very, very few public sources of information about the nature of
Sobig.F's "second stage" are available for the simple reason that it
did not really happen. A couple of astute observations have been made,
but not widely publicized (and are very unlikely to be because they are
not the kind of thing that neatly boils down into a media-palatable
sound bite). Aside from those technical observations, we have had a
bunch of companies engaged in self-congratulation and loudly patting
themselves on their own backs for what a good job they did in helping
to prevent the "second stage". Unfortunately, most of these have
essentially been media events where the actual nature of Sobig's
"second stage" has been largely, if not entirely, misrepresented -- a
significant amount of the "popular media" coverage (and quite some of
the FBI, etc sourced material) would lead you to believe that the
"second stage" that was so gallantly prevented was a DoS against 20
hapless and apparently arbitrarily chosen cable and DSL users around
the world.
The media coverage of the whole Sobig.F fiasco, and the publicity chase
that it inspired -- both in the antivirus & security industry and in
law enforcement -- and/or that drove it, would be hilarious had it not
done massive damage to the competent forensics work that could have
been achieved if the gibbering half-wits that had to tattle their
imagined glory to the media had just STFU for a while, for once.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854