Slashdot Mirror


SoBig: Worst is Yet to Come

bl8n8r writes "Experts say when vacationers get back to work Monday, Inboxes will unleash the worms worst attacks. Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems. "

10 of 683 comments

  1. Procmail finally by unfortunateson · · Score: 5, Informative

    Our computers aren't getting infected: between virus scan, ZoneAlarm, ancient e-mail client and knowing not to open the stupid attachments, we've not gotten infected.

    But >1000 100K e-mails per day to a single address were swamping our ability to do anything but download and delete.

    It took two days of querying tech support at my ISP before they'd admit that procmail would work, and a quickie recipe dumps all the infected files. Yay. I should have just done it without checking tech support, for all they helped.

    This was listed in a previous thread, but it's worth repeating:
    In a .procmailrc file, put:
    :0 B
    * ^ *Content-Disposition: attachment;
    * filename=".*\.(pif|exe|scr)"
    /dev/null

    This deletes any message with a pif, exe or scr attachment.

    I'll get more sophisticated later once I learn more about procmail, but for now, this does the job, without having to worry about SHELL and PATH settings.

    --
    Design for Use, not Construction!
  2. Sorry - shoulda previewed by unfortunateson · · Score: 5, Informative
    The line wrapping on the recipe got mangled:
    :0 B
    * ^ *Content-Disposition: attachment;
    * filename=".*\.(pif|exe|scr)"
    /dev/null
    --
    Design for Use, not Construction!
  3. Re:huh by Jhon · · Score: 4, Informative

    Aren't you lucky. Here's what our email server caught since Monday:

    237 W32/Yaha-E
    235 W32/Klez-H
    009 W32/Sircam-A
    004 W32/Bugbear-B
    003 Dial/PecDial-B
    002 W32/Yaha-K
    002 Troj/Peido-B
    001 W32/Sobig-F
    001 W32/Klez-E
    001 W32/Bugbear-Dam

    Only one Sobig so far... But Klez and Yaha numbers have been high for months. Too many of our users have front-facing email addresses (posted on our corporate website).

  4. coming spike in old-fashioned spam by jdunlevy · · Score: 4, Informative

    Looks like in addition to all the garbage we've been getting as a result of this virus propagating (the virus itself, attachment-free e-mailings by the virus, mis-directed automated notifications that "Your mail server sent us a virus", bounces to people whose addresses were spoofed by the virus, probably etc.), we can expect the infected computers to start being used as relays for the sending of "normal" spam -- with the corresponding spike in spam volume that would bring.

    According to this article:

    After examining two months' worth of junk e-mail earlier this year, New York City-based e-mail security company MessageLabs found that roughly 65 percent of spam originated from computers running proxy servers. More than 75 percent of those servers appeared to be installed on PCs that showed signs of being infected with Sobig and similar viruses.

    And Symantec:

    Sobig.F can download arbitrary files to an infected computer and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers.
  5. Re:RPC Patch by aldousd666 · · Score: 5, Informative

    If you're a company and it's going to cost you the money to clean worms, get a mail scanner. We haven't been infected with a single email worm for as long as I've been here at the company (2 years), and we have 1400 users. I think a kink in the budget for scanmail once was a kickass investment in that we have been immune to every single worm (we actually patched everyone in time for the DCOM worm as well, so we didn't get that one). If you're going to use Windows, get a mail scanner, and deploy your patches via Group Policy before you hear about the exploits. And no, we don't have Windows automatic updates enabled either; that's definitely not the answer to anyone's problems, at least not in the corporate world. It may be good for people at home, unless they have dialup, then they're f'd, and shouldn't be trusting their computers to Microsoft software. May I suggest a preventative approach: NTBUGTRAQ.com has a nice mailing list that seems to keep at least a few days ahead of the exploits. Russ Cooper has saved us more than once.

    --
    Speak for yourself.
  6. Re:Spammers and viruses by Steve+B · · Score: 3, Informative
    One has to wonder what impact spammers have on viral activity.

    You don't need to wonder -- just read the news:

    SAN FRANCISCO (Reuters) - Several Internet worms that have besieged computers for over a week played havoc again on Wednesday, including one called Sobig.F whose aim was to turn PCs into spam machines and was believed to be the fastest growing virus ever, experts said.
    Sobig.F drops software onto infected Windows computers that open them to be used later for distributing Internet spam -- unwanted e-mails and product promotions, experts said. It also represents a new trend in converging e-mail spamming and virus software writing, they said.
    It's long overdue for law enforcement to prosecute spammers for cracking (evasion of antispam filters, relay-raping, disseminating viruses to create zombie spamboxes, etc). Many of the people that do get prosecuted for cracking do less damage and target fewer victims (by several orders of magnitude) than the typical spammer.
    --
    /. If the government wants us to respect the law, it should set a better example.
  7. SoBig Clean up by pandrel · · Score: 3, Informative

    I've already had to help a few people remove SoBig from their systems and found that SARC has a removal tool that cleans up SoBig quickly and effortlessly by:
    1. Terminating the W32.Sobig.F@mm viral processes.
    2. Deleting the W32.Sobig.F@mm files.
    3. Deleting the dropped files.
    4. Deleting the registry values that the worm added.
    For those who need it, it can be found at http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html

  8. Re:Ouch! by owlstead · · Score: 3, Informative

    One that uses mailinglists? I was subscribed to several interesting ones that I had to turn off due to the enormous feed. Not that my system could not handle it, but I could not.

    If you are unlucky some of your employees like chain letters and 'funny' mails, or mails with nude females (could we call those just femails?).

    And then you have helpdesks and stuff, or really tech savvy people. 't is not that difficult getting 3 mails per minute.

    Warper

  9. Anti-virus Programmers Crack IP Encryption by Jugalator · · Score: 5, Informative

    According to a Swedish newspaper (I'm sure others run the story as well by now), anti-virus programmers have now finally cracked the 20 IP addresses SoBig will get its updates from this weekend. It's now a race against time to shut those IP addresses down. The IP addresses are located in USA and Canada.

    The reason it took this long to get the IP addresses was because they were heavily encrypted in the code and they couldn't do the usual "dump memory" trick when the virus was active, since the IP addresses were only stored in memory just when they were needed, then the memory was freed.

    The anti-virus guys at F-Secure don't know what will happen if they don't shut down the 20 addresses in time, only that something might happen if they don't take down all addresses.

    Unusually clever actually, since I usually find viruses to be rather poorly coded and much like a hack job, like the Blaster virus, which shouldn't have crashed the Windows computers and would have gone unnoticed much more efficiently. Anti-virus developers have also noticed this about SoBig and it is not very exhibitionistic either, like viruses usually are. These signs suggest that it's a more professional work than usual.

    --
    Beware: In C++, your friends can see your privates!
  10. Save your inbox with procmail by bigberk · · Score: 3, Informative

    This is where procmail comes to the rescue! Add this rule:

    # Ignore W32/Sobig.f@MM
    :0 B
    * ^vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujHN
    /dev/null

    This matches the worm on a base64 encoded line from its body. This is on the current variant I got flooded with; redirect the suckers to /dev/null. And if you get a NEW strain, just take an encoded body sample from it and make a new rule!
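As an added example that is not from the thread: the two procmail filters above, the attachment-extension rule from comments 1 and 2 and the base64 body-signature rule from comment 10, re-expressed as one Python message classifier on the standard library, so the two checks can be tested against sample messages before going into a mail pipeline. The sample messages are constructed here; the signature line is the one comment 10 quotes, and the `example.test` addresses are placeholders.

```python
import re
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Rule 1 (comments 1 and 2): drop mail carrying an attachment
# with one of these extensions.
DANGEROUS_EXT = {"pif", "exe", "scr"}

# Rule 2 (comment 10): drop mail whose raw, still base64-encoded body has a
# line beginning with a signature taken from a captured sample. The line
# below is the one the post quotes; add one pattern per new strain.
BODY_SIGNATURES = [
    re.compile(rb"^vZgwXohhqrN4MDHpZfjXC6Aye4uyh5TU7soFb85wpJILzujHN", re.M),
]


def classify(raw: bytes) -> Optional[str]:
    """Return why a message would go to /dev/null, or None if it passes."""
    # Like procmail's B flag, match the body text without decoding it.
    split = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = split[1] if len(split) == 2 else b""
    for sig in BODY_SIGNATURES:
        if sig.search(body):
            return "body-signature"
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()  # honours filename= and name= params
        if not name or "." not in name:
            continue
        # Case-insensitive, as procmail is by default: FILE.PIF must match too.
        if name.rsplit(".", 1)[-1].lower() in DANGEROUS_EXT:
            return "attachment:" + name
    return None


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message with one attachment (not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The body-signature rule is tied to one exact sample, so a strain whose attachment bytes shift by even one byte re-aligns the base64 and slips past it; the extension rule survives that, which is why the two are worth running together.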