W32.Sobig.E@mm Worm Spreading Rapidly

mabu writes "Apparently there is another worm spreading online. Symantec has upgraded its severity to 'category 3.' This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th, and searches users' machines for select files containing e-mail addresses that it uses to propagate itself."

Re:email will soon be rendered useless ?

[pe1chl]

My filter declines .zip files that contain executable files, but it passes .zip files that contain only documents.

Are you trying to say that not all filters would be capable of doing that?

Re:What Operating System?

[moonbender]

Troll. Slashdot had two articles (semi-dupes) on 55808 (aka Stumbler): What's Behind The Odd Data? and 55808 Trojan Analysis

Using Internet Traffic Data to Predict Worms?

[GillBates0]

Companies like ISS use "probes" at many locations around the world to detect unusual patterns on key Internet backbones. A persisting unusual pattern is a supposed to be a pretty reliable indicator of malicious activity.

I have been trying to do my own retrospective predection :) based on the data available at Internet Traffic Report

As far as I can make out, all the US routers are doing fine (green). The response time seems to have gone up a tad at 2am MST, but other than that I don't see anything unusual.

When I look at Asia, 5 out of the 21 routers are down (red) and the packet loss is up 2%. Does that mean, that the worm has hit Asia hard? I know this worm should clog up mainly mail servers, but I wonder how feasible it is to predict worm arrival/origin/etc based on this easily available information, assuming ofcourse that it's available realtime.

Re:Why Never Apple?

Considering a good Windows-based email virus can infect TENS OF MILLIONS of systems within a few weeks, you answered your own question, didn't you? Why go for the population of Israel when you can literally cripple half of France? That virus from the Canadian student was estimated to have caused BILLIONS of dollars of damage.

Also, by joining the *NIX family, OSX became part of a community that is more aware about patching systems against viri -- i.e., viri are less sucessful in the *NIX world because they have more knowledgable users working against them.

You're lucky that other Windows features aren't as easy as spreading an email virus is -- were that so Windows would be MUCH easier to use than OSX.

Postfix MTA Check For Sobig.E

The following PCRE expression in a Postfix MTA header_checks (or, if you're using them, mime_header_checks) file will reject this one:

/^Content-(Disposition|Type):\s+.*?(file)?name="?. *?(your_details|application|document|screensaver|m ovie)\.zip/ REJECT

Requires Postfix be built with PCRE support and is for Postfix 2.x versions. For Postfix 1.x versions you'll have to put that in body_checks.

Disclaimer: Use at your own risk. I *believe* this'll work, but, strangely enough, I haven't received any to be rejected yet!

Re:It doesn't matter what OS you run...

[janda]

To quote the parent:

The thing that scares me is that because of Microsoft's ongoing disregard to basic security concepts all of the internet is in danger, to say so. Spam, worms, viruses - all those things take their toll. Resources are wasted: bandwidth, sysadmins time and so on.

Actually, Gartner (love them or hate them) issued a report that companies should switch to anything other than Windows/IIS sometime last year after one of the IIS worms. MS may ignore a lot of things (like common sense), but it doesn't ignore lost revenue.

The thing that scares me is that these could easily be written by MS, for MS, so that when grandma calls them up because her ISP has blocked her machine, they can say, "that's a known (ahem)issue(ahem), you need to upgrade to Windows 2003SP1(Don't forget that EULA!), which is on sale this month for only $xxx. Oh, that means you'll also have to buy a new computer, or you can switch to MSN WebMail (or whatever the thing is called), and the first two months are free.

Re:Why Never Apple?

Depends how paranoid you are. I run OSX, but I still patch/update it as often as my *BSD boxes, and I still run AV software. I'm sure that it's only a matter of time before OSX gets *something*.... /me fires up DevTools... ;) PF

Re:yeah, I'm running Windows

[dago]

So you don't mind using corel draw (proprietary) on windows, but you don't want to to the same under linux ? (corel draw 9 was made for linux)

More Traffic data in on

[GillBates0]

Sorry, I should've really posted this in my parent post. The Internet Traffic Report site has a section devoted to events like the release of the SQL Slammer worm and the DDOS attack of 24th January

During all these events, a large Response time and Increased Packet loss is observed, as expected.

Observe that the Average Response time hit a peak simultaneously across all continents between 11:30am and 2:30am MST as noted earlier, which coincides with reports of the W32.Sobig.E@mm worm. It has since deteriorated, possibly indicating, either that the Worm has some throttling mechanism, which some worms use to prevent congestion from affecting their own propogation rate.

Either that, or we haven't seen the peak yet.

Re:A (very) nice virus again

[httptech]

There is a payload, but it is not immediately obvious. Like every sobig variant, its job is to download a second stage trojan. Check out the whole story of what sobig.a (and likely all the rest) are supposed to do after infecting you: http://www.lurhq.com/sobig.html

have already seen a lot of it

[AssFace]

I am the programmer and IT person at a financial firm for awhile until I spin off into my own company here doing similar things for other companies on a consulting basis.

We only have 16 or so users that are in the office and maybe another 4 or 5 that use our resources, but are pretty much never here.

Even with those, I have seen a fairly large increase in the number of our clients with the virus and then our virus scanning software reporting it getting sent to us.
Fortunately so far we seem to be clean of it, but I have added some filter EventSinks on our Exchange server to block out a wider range of attachment types.

This particular one is annoying since it has 4 types of attachments that we can't universally block and get away with (.txt, .htm, .html, and .eml).

I have fingers crossed that our anti-virus software on the Exchange server will keep up with it.

Re:have already seen a lot of it

[NullProg]

Just a hint. If you can trap output at the firewall, this virus opens many domain query connections when it tries to email itself (contains its own SMTP engine). This is how we tracked down the machine it had infected last night. Norton has a stand alone program to clean up the machine.

Enjoy,

Re:Somebody angry at France?

[Penguin2212]

It's actually Bastille day, which commemorates when French revolutionaries stormed the Bastille, an old fortress which was convereted to a prison. This is recognized in France as the day that kicked off the French Revolution, overthrew of the monarchy and the installed "The Committe For Public Safety" as it came to be known.

Re:Somebody angry at France?

[MowserX]

Mine, too!

Virus Alert Notification

[rottz]

I've posted all the relevent information about this virus since 4pm on Tuesday, which beat out most of the major news outlets, except cnet. I've keep the info upto date with the list of virus vendors and latest virus news in the online media, and manual removal and automatic removal tools.

I would like to thank messagelabs, as they are always the first to notify about major virus outbreaks. Sophos is a close second and is good about notifying about everyday viruses. Mcafee's alerts are good, but usually alittle late, they only notify once it hits the news media. Symantec wants you to pay an outragous price for their virus alerts, and I doubt they give you only earlier warning than messagelabs or sophos which provide the service for FREE. Symantec is becoming the Microsoft of Virus vendors, they're trying to spread out everywhere now in the security field, buying up companies left and right. Their quality of product is going down because they don't use a google.com like motto "do one thing and do it well" which they use todo. But their automated virus removal tools are still pretty good. IMHO

If you would like to sign up to messagelabs's great early warning notification service go here.
If you want Sophos excellent everyday notification about all virus's go here.
If you would like to get McAfee's avertlabs notifications, go here.
or you can just checkout my virus posts on the security-forum.com, but I only post the major outbreaks because there are TOO MANY viruses out there to post every single one. ;)