Slashdot Mirror
SoBig: Worst is Yet to Come
bl8n8r writes "Experts say when vacationers get back to work
Monday, Inboxes will unleash the worms worst attacks.
Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems.
"
If the majority of the cost comes from cleaning the system, I would recommend (in my professional opinion) simply letting the systems remain infected.
lysergically yours
IAALS.
2 worms (DCOM and Welchia) and a virus variant in less than two weeks.
This should tell investors that they are wasting their money.
This should tell companies that they are wasting their money.
Someone, somewhere, will hopefully get a clue.
Our computers aren't getting infected: between virus scan, ZoneAlarm, ancient e-mail client and knowing not to open the stupid attachments, we've not gotten infected.
.procmailrc file, put :0 B /dev/null
But >1000 100K e-mails per day to a single address were swamping our ability to do anything but download and delete.
It took two days of querying tech support at my ISP before they'd admit that procmail would work, and a quickie recipe dumps all the infected files. Yay. I should have just done it without checking tech support, for all they helped.
This was listed in a previous thread, but it's worth repeating:
In a
* ^ *Content-Disposition: attachment;
* filename=".*\.(pif|exe|scr)"
This deletes any message with a pif, exe or scr attachment.
I'll get more sophisticated later once I learn more about procmail, but for now, this does the job, without having to worry about SHELL and PATH settings.
Design for Use, not Construction!
So far this week, I've received only seven actual copies of W32/Sobig. However, the number of messages from mailer-daemons and mail server virus scanners has exceeded this by a factor of ten. Some of these rejection messages actually include a copy of the infected .PIF file.
You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field. I didn't send it, my Mac is not infected. You're just annoying me. Please go away.
At best, this is collateral damage. At worst, these rejection messages are actually advertising the IP addresses of infected systems. Should a virus drop a back door payload, this would multiply the damage.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Don't complain.
With SoMany.IT.Workers unemployed, SoBig.And.ItsVariants have a strangely positive side effect...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Normally we don't block emails with specific attachments at our post office because it takes too long to scan them. Our company of 100 people averages 14,000 legit email per day in and out, but with this outbreak as bad as it is (and not peaked yet!) the blocking is being instated tonight.
While musing with a programmer here who just moved her daughter into college, we brought up an interesting thought: Hundreds of thousands of college kids are moving back into dorms with huge fat pipes and Outlook style email clients on computers that haven't been patched since April or May. Yikes!
-Shadow
I can't say that I don't give a fuck. I've just run out of fuck to give.
Did your mom help you think of that comment?
Prozac makes the voices in my head say nice things to me.
Design for Use, not Construction!
did a statistically significant portion of the workforce on vacation this week?
that seems like a pretty weak overall premise for an expected resurgence.
now if he said that he expects a steady stream of continued activity into early next month, due to all the people who take vacations throughout august - he might have a point.
but to suggest that these 'vacationers' will unleash the same spam deluge monday that the rest of the unwashed have given us this past week, is a bit shaky.
// "Can't clowns and pirates just -try- to get along?"
You would think that after Klez, the people who write these virus scanners and those who administer mail servers would realize that viruses sometimes spoof the "From:" field.
The situation is even worse than that: Most (all?) of the virus scanners sending me autoreplies correctly identified the virus as being Sobig -- which always uses spoofed source addresses.
Sending autoreplies is sometimes useful, but these scanners should at very least have a table which tells them, for each virus, whether an autoreply should be sent (ie, a table which specifies if a virus uses spoofed source addresses).
Tarsnap: Online backups for the truly paranoid
String the last two 'default' headlines together and whaddaya get?
"New Longhorn Screenshots Leaked. Sobig. Worst Is Yet To Come."
Yep. That just about says it all!
Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems rather than the destruction of files or the opening of files to outsiders on the Internet, which can be problems with many computer viruses. Pescatore said that the cost of both technical support personnel and lost productivity by the computers' users can range from $500 to $1,000 per infected machine.
...
And who is Marc Sunner? he's the CTO of MessageLabs. And what does MessageLabs do, you ask? see for yourself, from the main page at messagelabs.com:
Email security today is a global issue which pervades whole organizations. Viruses, spam, pornographic material and other harmful or unwanted content represent a serious risk to your company. To combat these all too real threats, you need a total, proven and effective solution. Only MessageLabs can assure you of complete peace of mind from complete email security
$500 to $1000 to clean up each infected machine? Right, whatever Marc. And it's obvious you don't have *any* interest in propagating that baloney too. (on second thought, if you hire me to clean your machines, I'll do 5% discount off that price).
Another fine impartial article reposted by Slashdot. (By the way, the word you're looking for is "advertising")
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
This isn't funny, I work on campus tech support. It's move in week, and the 30 of us on staff are working 60+ hours this week. 8,000 or so computers are coming back, of those, we expect about 5,600 to be unpatched, and we expect that of those 5,600, that only 1,400 or so will be able to follow our documentation. That leaves us with 4,200 machines to patch, and clean before Monday (and here I sit on Slashdot)
--fetch daddy's blue fright wig, i must be handsome when i release my rage
What I find discouraging is that the lemmings are falling for it despite this being The Week of Teh Worm.
All the hopeful articles that have sited users claiming a new awareness of the risk of worms and virii seem to be pipe dreams.
Dumb users are dumb users and the more infectuous and persistant the virus, the more networks are going to get hammered. Why oh why aren't all pif, scr, exe, com, and vbs attachments just blocked by the MDA. There is no good reason for allowing an end user the huge complexity of choosing whether or not to click on the latest attachment that's come to them from "the internet".
If the lemmings are getting suckered this week... when every news medium is blathering on about viruses worming their way through nuclear reactors and motor vehicle registration offices, what hope is there for when the attention has settled?
The idea is courtesy from the macosx forum
We haven't seen the virus. But then again, we're admins who know what we're doing...
That's right, we run $CO UnixWare. And since there are only 2 or 3 other copies of $CO UnixWare being used in the world, we don't have to worry about worms and viruses.
Karma: The shiznight, mostly because I am the Drizzle.
Aren't you lucky. Here's what our email server cought since Monday:
237 W32/Yaha-E
235 W32/Klez-H
009 W32/Sircam-A
004 W32/Bugbear-B
003 Dial/PecDial-B
002 W32/Yaha-K
002 Troj/Peido-B
001 W32/Sobig-F
001 W32/Klez-E
001 W32/Bugbear-Dam
Only one Sobig so far... But Klez and Yaha numbers have been high for months. Too many of our users have front-facing email addresses (posted on our corporate website).
Looks like in addition to all the garbage we've been getting as a result of this virus propagating (the virus itself, attachment-free e-mailings by the virus, mis-directed automated notifications that "Your mail server sent us a virus", bounces to people whose addresses were spoofed by the virus, probably etc.), we can expect the infected computers to start being used as relays for the sending of "normal" spam -- with the corresponding spike in spam volume that would bring.
According to this article:
And Symantec:
My ping times to www.mit.edu (my personal benchmark, as its on the next POP over and always up) are normally 25ms from home, they grew slowly from about 30 ms Monday morning to as high as 2600 ms yesterday with 2/3 packet drop. But today and especially in the last few hours it's fallen back to about 29 ms with 1/3 packet drop.
;)
There are still occasional storms, I guess as a new host gets infected nearby. But things are good compared to the last two days when I couldn't even listen to internet radio and plain old web browsing and e-mail were slow...
BTW I haven't seen any of the e-mails myself do to our spam filter but I have gotten some returned e-mail the virus sent and a non-tech friend who got this one and another friend (who's very non-tech) got last weeks virus. I usually don't personally know the people who get these things, it has been a good week for discussing an OS upgrade to Linux with non-techies
Also keep in mind that refilling the washer fluid in your car will not prevent you from getting a flat tire.
Just this morning I changed a flat tire on a car that had a full tank of washer fluid and discovered this.
No, child, it's a worm. That's why they named it after your penis.
Sorry to reply to my own post. The quarantine partition (I save out dropped messages for a while, just in case of a false positive or something) on the mailserver just hit 90%, and it's 100GB. It was somewhere around 5-10% this morning. Not a good day.
It depends on how clueless your email admins are.
.scr/Pif/.exe and deleting any email with such an attachment, they are letting the group virus scanner on our exchange servers deal with the entire load.
.scr and .exe attachments, so why they don't delete this crap before it hits the servers I don't know.
Rather than blocking
So the virus scanner is scanning and moving to the infected folder literally thousands of these an hour. After it moves the infected message, it generates a nice email letting you know an email that was sent to you is currently in quarantine. Therefore this is generating even more work for the mail servers. Turning off this feature for a couple of days is apparently too much trouble.
The servers exchange is running on are therefore hanging every few minutes with all the disk and processor activity. Everyone gets a message every few minutes about "please wait, connecting to server" until you get fed up and close outlook down for the day.
This is the first virus I've ever seen to disrupt my work like this. But this is 100% the fault of our email admins who can't be bothered to write a couple of simple mail rules.
At the basic internet security zone Outlook can't even open
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
If you're a company and it's going to cost you the money to clean worms, get a mail scanner. We haven't been infected with a single email worm for as long as I've been here at the company. (2 years) and we have 1400 users. I think a kink in the budget for scanmail once was a kickass investment in that we have been immune to every single worm (we actually patched everyone in time for the d-com worm as well, so we didn't get that one) If you're going to use windows, get a mail scanner, and deploy your patches via Group Policy before you hear about the exploits. And no, we don't have windows automatic updates enabled either, that's definately not the answer to anyone's problems, at least not in the corporate world. It may be good for people at home, unless they have dialup, then they're f'd, and shouldn't be trusting their computers to microsoft software. May I suggest a preventative approach: NTBUGTRAQ.com has a nice mailing list that seems to keep at least a few days ahead of the exploits. Russ Cooper has saved us more than once.
Speak for yourself.
I had a user that called me because he actually got a copy of SoBig in his inbox. Usually our mail scanners are really good at filtering out even the newest viruses. What I didn't realize is that our AutoUpdate had failed that day, so it didn't have the SoBig update. So I asked him, "Well how the heck did you get SoBig?" and he answered, "From eating so many sandwiches."
Linux during a virus epidemic, it's like being out of the country during the blackout.
This week alone our entire department has been thrown around, manually patching EVERY box on the network. That's around 50,000 computers. Today alone I ran across probably 10 Windows NT boxes that were still running THE FIRST SERVICE PACK!
My point is, I do NOT feel sorry in the least when companies like 3M lose millions of dollars because they don't hire a competent IT department. Hell, out of the 20 guys I work with, only myself and two others graduated from a 4 year college. Whatever. For the last four days when full-timers have been bitching at me while I upgrade their PC because their order-tracking software won't work, I just smile and tell them "you get what you pay for. Tell your bosses to hire a competent IT department and you'll never have this problem again." Then I walk away and sigh because I know it'll never happen. Guess paying a contracting firm $40/hr so they can turn around and pay me $13/hr while they get to save themselves from paying benefits is worth the millions of dollars in downtime.
"Hell hath no fury like a woman scorned for SEGA. ..."
According to a swedish newspaper (I'm sure others run the story as well by now), anti-virus programmers have now finally cracked the 20 IP addresses SoBig will get its updates from this weekend. It's now a race against time to shut those IP addresses down. The IP addresses are located in USA and Canada.
The reason it took this long to get the IP addresses were because they were heavily encrypted in the code and they couldn't to the usual "dump memory" trick when the virus was active since the IP addresses were only stored in memory just when they were needed, then the memory was freed.
The anti-virus guys at F-Secure don't know what will happen if they don't shut down the 20 addresses in time, only that something might happen if they don't take down all addresses.
Unusually clever actually, since I usually find viruses to be rather poorly coded and much like a hack job, like the Blaster virus that shouldn't have crashed the Windows computers much more efficiently go unnoticed. Anti-virus developers have also noticed this about SoBig and it is not very exhibitionistic either, like viruses usually are. These signs suggest that it's a more professional work than usual.
Beware: In C++, your friends can see your privates!
Why the hell would I use wine to open e-mail under linux? Linux is not spreading this shit the MS UI is. Get your facts strait. The fault is entirely MS they are counting on this kaos so that they can step forward with the ultra secure win 2003 server and then the Longhorny security solutions. Your are spreading fluff and fud! Yes everyone is going to rush and secure their computers with Longhorny. But as Ben Franklin said "Those who sacrifice freedom for security will gain neither."
OH THE SHAME I fell off the wagon and use sigs again!
"Sunner said that most of the problems caused by SoBig involve the time and cost of cleaning the worm from computer systems."
My experience with this virus may be abnormal, but I have to completely disagree with that statement. As a dispatch tech for a large state university, I've been up to my eyes in emails related to the virus, but have only found However, the amount of email traffic on campus has been mind-boggling -- it even took down our mail servers a few times. And less than 10% of the emails were from the virus. Most of them were f*cking auto-notification emails from other servers that someone had sent the damn virus, which thanks to the spoofing feature, was almost never true. Why don't server admins turn off such notifications when dealing with a mass-mailer/spoofer virus? All these assorted servers managed to do was clog up our mail server with these meaningless "you have sent us a virus" emails that do nothing but contribute to any damage the does!!
IMHO, the REAL cost of dealing with this virus was bearing the burden of 100,000 stupid auto-generated emails that other servers were sending us, in response to emails that didn't even come from us.