Slashdot Mirror


The Origin Of Sobig (And Its Next Phase)

MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, has traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try to connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.

5 of 500 comments

  1. Re:Instructions to cure worm. by JohnGrahamCumming, Score: 5, Informative

    Actually the worm included its own NTP client which it would use to verify the date by querying NTP servers on the Internet.

    Hence this doesn't work. I thought this was a nice touch on the part of the worm author. As well as including NTP, the author had their own SMTP server for sending the messages and used a regular expression engine to search for email addresses on the machine.

    This was not written by a script kiddie.

    John.

  2. To Clarify... by NetJunkie, Score: 5, Informative

    It's been a busy week. I see a lot of people confusing the different worms/viruses running around.

    SoBig.F - A virus. Exploits no vulnerability in the OS. It only executes when a user runs the attachment. It sends out emails to everyone in your address book and makes the source another address from your book. It runs its own mail server, so filter port 25 outbound.

    Blaster - A worm. This exploits the Windows RPC bug and self propagates to any unpatched system.

    Welchia/Nachi - A worm. Also exploits the Windows RPC bug and attempts to clean machines infected by Blaster. Unfortunately, it tries to find other systems by doing random pings which can saturate a network.
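The "filter port 25 outbound" advice in the comment above has a detection side as well: a workstation that opens SMTP connections directly to many external hosts, bypassing the site's relay, is behaving like a mass-mailer with its own SMTP engine. The script below is an added example, not code from the article or any commenter; the log-line format, the relay address and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample egress-firewall log lines (not from the article). The
# format is assumed: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>".
SAMPLE_LOG = """\
2003-08-22T14:01:03Z 10.0.5.17 -> 203.0.113.10:25 tcp allow
2003-08-22T14:01:04Z 10.0.5.17 -> 198.51.100.4:25 tcp allow
2003-08-22T14:01:04Z 10.0.5.17 -> 192.0.2.77:25 tcp allow
2003-08-22T14:01:05Z 10.0.5.17 -> 203.0.113.99:25 tcp allow
2003-08-22T14:02:10Z 10.0.0.25 -> 203.0.113.10:25 tcp allow
2003-08-22T14:02:11Z 10.0.0.25 -> 198.51.100.4:25 tcp allow
2003-08-22T14:02:12Z 10.0.0.25 -> 192.0.2.77:25 tcp allow
2003-08-22T14:03:00Z 10.0.5.40 -> 203.0.113.10:25 tcp allow
2003-08-22T14:03:30Z 10.0.5.41 -> 203.0.113.5:80 tcp allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def find_rogue_smtp_senders(log_text, mail_relays, min_destinations=3):
    """Return {src_ip: sorted list of destination IPs} for every host that is
    not an approved relay and opened TCP/25 to at least min_destinations
    distinct hosts. Ordinary clients hand mail to one relay; fanning out to
    many SMTP servers directly is the footprint of a built-in mail engine."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("proto") != "tcp" or m.group("port") != "25":
            continue  # only outbound SMTP connections are of interest here
        if m.group("src") in mail_relays:
            continue  # the legitimate relay is expected to speak SMTP outbound
        dests[m.group("src")].add(m.group("dst"))
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    # 10.0.0.25 is the (assumed) site mail relay; everything else is a client.
    for host, targets in find_rogue_smtp_senders(SAMPLE_LOG, {"10.0.0.25"}).items():
        print(f"{host}: outbound SMTP to {len(targets)} hosts -> {targets}")
```

On the sample data only 10.0.5.17 is reported; the relay is exempt and the single-connection client 10.0.5.40 stays below the threshold.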

  3. Worm vs. Virus by jaaron, Score: 5, Informative

    A worm is usually a standalone program (runs on its own) and is self-propagating. A virus is a much more general term. In fact, some might argue that a worm is a type of a virus. But in general, a virus infects other software (so it isn't necessarily standalone) and often requires some other application (or human) to transfer it from one location to another.

    There's a good answer on Broadband Report Forum, or you could try Google.

    --
    Who said Freedom was Fair?

  4. Saw the b'stard launched by advocate_one, Score: 5, Informative

    some t0sser called Misiko posted a "DSC-00465.jpeg" file into some binary newsgroups on Monday 18th... it was really a *.jpeg.pif, and would have automatically infected any user browsing those groups using outlook express and image preview set on.

    Unfortunately I've since deleted it (It's an offence to knowingly possess viruses in the UK)

    The message reference that it was in is [MPG.19ab40b72e8ed720989682@news.easynews.com] but google doesn't archive those groups.

    Perhaps that was it???

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.

  5. Virus author's other post by indole, Score: 4, Informative

    Although google doesn't archive those groups, they did archive this message posted by the virus author in alt.alt.test 9 minutes before the virus was posted elsewhere.

    (You can compare to the message included here from easynews)

    --
    (2,3-Benzopyrrole)