Slashdot Mirror


The Origin Of Sobig (And Its Next Phase)

MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, have traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try and connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.

37 of 500 comments

  1. What a nice guy though by Anonymous Coward · · Score: 4, Insightful

    An expiration date was actually coded into the worm? Seems pretty ironic.

    1. Re:What a nice guy though by ewen · · Score: 3, Insightful
      An expiration date was actually coded into the worm? Seems pretty ironic.

      Uh, no.

      The expiration date is there because if you're an evil software writer you don't want people running last month's version of your evil software and competing with the All New and Improved version.

      Just basic economics, really.

      Ewen

  2. Re:Another day, another worm by brokencomputer · · Score: 2, Insightful

    Most people don't update even when it's forced. They click wait 1 minute every minute and never do. Anyway, by the time the virus spreads it is too late. I think it is totally fair to blame MS. They wrote bad code that allowed itself to be exploited.

  3. Re:Another day, another worm by Anonymous Coward · · Score: 1, Insightful

    This worm does not exploit any vulnerabilities in Windows. It just sends an evil attachment.

    The only thing being exploited here is stupidity. Not even windows update can fix that.

  4. Porn webmasters are always ahead of the curve by mikeophile · · Score: 4, Insightful

    How long till the straight marketeers catch on with worms to move hits over their sites?

  5. Idiots. by cperciva · · Score: 5, Insightful

    Come on, if you're going to write a worm, do it right.

    Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who infected you, and trade connections randomly).

    Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.

    Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).

    In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.

    1. Re:Idiots. by Dark+Lord+Seth · · Score: 2, Insightful

      If anyone is smart enough to write a good virus, chances are they are also smart enough NOT to use it at all and instead prove their worth by doing useful stuff.

    2. Re:Idiots. by cperciva · · Score: 2, Insightful

      The unstructured network is a good idea except for one flaw: previously infected machines don't have part 2 of the virus.

      That's not necessary. Have an unstructured network, capable of broadcasts, build itself and wait (while still exchanging connections, of course). Listen. If the worm becomes widespread, you'll be able to hear it. Now, when you want to do something, contact one of the nodes which tried to infect you.

      This way, you not only don't need those 20 fixed machines, but you don't need to have part 2 written in advance. As long as the worm is widespread, you can insert your (signed) payload whenever you want.

    3. Re:Idiots. by misterpies · · Score: 2, Insightful


      You don't know one thing. The great majority of crimes are never solved. How many burglaries/car thefts/pickpocketings/muggings etc. that you or your friends and family reported ever resulted in a conviction?

      That's why increasing jail sentences has almost no impact on crime rates -- they only affect a criminal's behaviour if he thinks he's going to get caught. (Plus in my view it's subject to the law of diminishing returns. If someone's ready to risk 15 years in jail for a crime, are they really going to think again just because you put it up to 25?)

      --
      The author of this post asserts his moral rights.
  6. Re:Sobig was created to defeat Bayesian Filters. by Saint+Aardvark · · Score: 2, Insightful
    I'm pretty sure that Bayesian filters -- at least like the one in SpamAssassin -- treat the From: address as merely one token among many, many others that can act as an indicator of {spam|ham}miness. And anyhow, I think attempting to discredit Bayesian filters as a way of advancing a spammer's agenda is...um, a little indirect.

    If a spammer was going to use a virus like this to do spammy things that would benefit him, I think he would use it to turn Joe User's computer into an open relay that would get around the many, many blacklists out there.

  7. Question by duck+'o+death · · Score: 5, Insightful

    OK, I have a quick question. These worms and virii are hitting a ton of Microsoft vulnerabilities, and that's why they *exist*, but to me it seems like they only succeed because office workers, mom (my mom's comp was hit by Blaster), guy down the street, etc. *don't harden their computers*, or because they can't seem to stop clicking on attachments.

    So if this gets worse and worse, and hypothetically more people start running linux or mac or whatever as their desktop OS (which I think could happen in dribs and drabs now -- a shitload of folks I know HATE microsoft right now), what's to stop them from ignoring system security all over again? You have the whole Lindows run-as-root thing still, for example. I know there aren't nearly as many worms and shit written to exploit non-MS OS's, but that doesn't mean folks won't start, and I'd just like to know what would/could happen, and what exploits would then be available, if they do.

    I'm tired, and cranky, and I love Linux. But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update.

    --
    Don't put salt in your eyes.
    1. Re:Question by Dilaudid · · Score: 2, Insightful
      I think the problem with Windows is that MS ran away with the idea of adding features, without following up on the security. There are *so many* holes in Windows, Outlook, OE etc. that users (and IT departments...) don't have time to patch them all... Linux is "pre-hardened" by the fact it is designed with security in mind.

      On a different track - as Linux gets bigger, I reckon you'll start to see more viruses written for it - I don't think virus writers care who they attack, provided they get to see their babies' names in print.

    2. Re:Question by hacker · · Score: 2, Insightful
      "But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update."

      The difference is (in most cases) that she doesn't HAVE to learn how to secure it. Linux distributions come with almost everything disabled, including the MTA and other unnecessary daemons. You have to explicitly turn them on, or enable their insecure modes to open your system to attack from outside parties.

      How long has Microsoft had the Messenger service enabled by default? What about the "Remote Registry" service? How many times have you needed to use regedit.exe on a remote registry? I can count that as being NONE, but Microsoft still enables it by default. Dozens of other services and ports are left blindly open.. and that isn't even counting the applications which have exploitable holes themselves.

    3. Re:Question by dr00g911 · · Score: 2, Insightful
      But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update.

      That's the problem at hand. In order for a computer system to be easy enough for the general populace to use, you HAVE to be able to double-click an attachment to figure out what it is and use it.

      If you think it's hard for your Mom to run windows update, wait until she has to:
      $ chmod 755 ~/downloads/afunscreensaver.pif
      $ cd downloads
      $ ./afunscreensaver.pif

      in order to see what the hell an attachment is?

      It's at once on the *nix and Mac side a blessing and a curse. You realize that my father asked me to install Virtual PC on his G4 so he could see .exe and .scr attachments?!?!?!?

      The point:

      Lack of Windows Update (MCSE know-it-alls) first, bad MS security second is responsible for the RPC worms that have been wreaking havoc / making us 'computer guys' money off of RPCs and slammers.

      SoBig is a bit of another beast. Part just idiotic users (HOW many times have we told you...), Part social engineering (mostly associates of people in your associates' address books), part piss-poor framework for user privileges, another part misinformed, idiotic users.

      If the Mac or Linux were as popular today as Win was, we'd be seeing the similar problems, I'd wager. You can only protect the average user from themselves so far before the system isn't easy enough to use. Have you ever tried to get a casual user to understand that it's a good thing that you have revoked their win privileges and their limited logon can't even install that cool santa's workshop screensaver? If that screensaver was the same draw to Linux or Mac converts (and the payload would execute), you'd still have the same problem, I'd wager. Only then the users would be used to typing in their root passwords before installing anything -- which could then be keylogged and sent back to the source so they could REALLY compromise the system.

      It's a scary thought. Yeah, MS security is piss-poor. Yeah, windows is as secure as your average sieve.

      But even if it isn't -- we're fighting human nature here. It's not holes in MS security that's the inherent problem. It's the users launching the payload in this case. So what if you've conditioned them that they have to enter an admin/root password to install it first.

      Make no mistake, though. The last several scares have converted a LOT of MS-only shops to Mac or *nix only in my experience. I'm gutting 48 PIII boxes on Monday, and replacing them with shiny G5s with Simple Finders.

  8. Re:Warning: your computer has a virus by mjmalone · · Score: 2, Insightful

    No, actually the mailservers at vt.edu scan for virii, they flagged it and deleted the attachment. I ran FixSobig-F.exe just to make sure, virus free.

  9. Re:PUTTING USA TO IT'S KNEES!! by mjmalone · · Score: 2, Insightful

    Nice spam, but I would argue that those Boeing 747s did not in fact bring the nation to its knees. It just pissed off some drunken rednecks and gave them an excuse to steal the rest of the world's oil and call anyone against their plot of world domination an unpatriotic yankee.

  10. y'know what I'm wondering... by fuckfuck101 · · Score: 1, Insightful

    Is why any virus writers ever get caught.

    Unless they're messing with the virus and accidentally release it (either completely accidentally or just prematurely, whatever) then they simply have to go down to their local library and/or cyber cafe wearing a wig and makeup, stick the floppy in, click, then leave, what's the problem?

    --
    Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
  11. War always does the economy good by TyrranzzX · · Score: 2, Insightful

    I was hoping there'd be a few more good viruses laying about preparing to nail other windows systems. Give CEOs a month or two of grief and they'll begin to see it the linux way.

    We'll never know what the hacker's true intent was, however. It's suspicious that blaster and the sobig virus were thrown out almost one right after the other. It all may be a distraction. For all we know there could be another virus lurking around infecting machines slowly, 1 by 1 until a doomsday date at which they deliver their payload.

  12. Re:Another day, another worm by Anonymous Coward · · Score: 5, Insightful

    Well, if you're just interested in who to blame, then blame the virus/worm writers. They wrote the darn things. But there will always be plenty of virus writers.

    But if you're interested in how to have this kind of thing NOT HAPPEN, which I think is the more important issue for us in the IT field, then the blame falls squarely on microsoft's shoulders.

    Sure, all software has bugs. But Microsoft's software is a little different. It's in 95%+ of the world's computers. They know this, that's their business. Governments use it. Nuclear plants use it. The electric company uses it. Your personal information is stored in it. Your medical history is stored in it. Microsoft has their fingers so deep into businesses around the world.

    Yet they don't do anything particularly special to prevent these worms. They put in the same (or less) effort that the open source folks do to find bugs. They sit idly by when they could easily afford *thousands* of independent code audits. They leave ports open when they could easily ship them closed. They ship a mail client that runs foreign executables. Not off completely, or in a sandbox, or whatever. It is inexcusable that attachments can run as code. This is a bug in the design of the operating system (ANY operating system).

    Microsoft needs to get their head out of the bank vault for about two seconds and realize this is something they *must* do, even if it doesn't mean any new revenue. They have a responsibility to every business out there. Even if you are a FreeBSD + Mac shop you are affected by this.

    It's downright embarrassing that a simple bit of code like these worms/viruses can even get out the ethernet port.

    Microsoft, how about innovating a real *solution* to this that *isn't* Palladium? I know it's possible. Have you ever seen qmail or other programs by DJB? Everything is partitioned with simple interfaces between code modules, even if there are bugs, they are ineffective. Do the same in Windows. People will put up with the extra effort eventually, because they are SICK of this shit.

    What really amazes me, is how many people seem to think Microsoft is "doing everything they can". They can do more, a lot more, and they must!

  13. Re:MOD DOWN!!!! FLAMEBAIT!!!!! by Anonymous Coward · · Score: 1, Insightful

    Who cares? You got the point. It's not like we are writing the great american novel, it's slashdot. Do you check your post-it notes for grammar and spelling errors too?

  14. Re:Another day, another worm by k12linux · · Score: 5, Insightful
    start blaming those people who actually write the virii or worms. ... There will always be overlooked security holes. No matter what you do to lock them, people will find more and use them in a destructive manner.

    I just love this type of explanation of why MS is at absolutely ZERO fault for its security problems. Compare the number of Apache worms/viruses with the number found in IIS. Why are there more in a single year for IIS than for Apache over several years? Why haven't Apache worms/viruses brought the Internet to a crawl and hit the newspaper headlines big time?

    Oh yeah.. because MS has such a huge market share making more targets. BZZZ.. Apache holds almost 2 times the market share for active web servers! Could it be that MS's IIS isn't as secure? No.. noo... it's because of hackers. It's all their fault.. Poor MS!

    Lock your front door and a burglar will pick the lock. Build a better lock and whoops! You forgot to lock the window.

    If you are going to use an analogy, try making it fit the facts:

    Builder A builds a LOT of houses. To cut costs and because they truly believe they know best... they use locks from RustyLocks.com. They also use an alarm system from AlarmsAreUs.com. The lock experts and alarm system experts say, "Hey, don't use those.. they have a high risk of being compromised!"

    Builder A argues that they haven't been compromised yet and that they are good enough for the home-buying public. They continue building tons of houses with these parts in place. They sell the homes with a HUGE profit margin and bill them as secure, safe and full of extras your family will love.

    Builder B lets the lock experts design a good lock they think is hard to break. They let the alarm system experts design a good alarm which is hard to bypass. They use these in their houses and find that they don't actually run up costs, but instead lower them. They also put the design of the systems up for public review in case they missed something themselves. They sell the homes for a reasonable price and offer the blueprints and all other design materials to the public in case someone wants to build their own.

    Soon builder A's homes start getting broken into. They find a fix for the lock's current problem and offer it for free.. they even offer to install the fix. What they don't do is replace the locks with a better designed one because it's too expensive to. Of course this doesn't fix the security system problems or other problems with the locks. In the mean time they blame the crooks and also everyone who is broken into for not fixing their locks.

    Because the lock and alarm system guidelines from Builder B are available to any lock or alarm system expert, they are repeatedly reviewed by those who want. There are enough people willing to review because they live in these homes and want to be safe. Maybe they find problems with the locks, maybe they don't. But if they do, the locks are improved and everyone is told.

    Eventually a few of builder B's locks get picked. The lock experts start tearing apart the locks and figure out if fixing them is good enough or if a whole new lock is warranted. Regardless of the answer, they make the new locks available for free with simple instructions on how to replace them.

    In the mean time several more break-ins occur in builder A homes.

    Builder A's reactive actions result in repeated security incidents. The Builder B community team's proactive actions result in occasional but rare security incidents.

    Blame the crooks! Sure, they hold some of the blame, but both builders KNEW the crooks were out there. They both knew the crooks wanted into the houses to get the goodies inside. So, does builder A share any responsibility? Hmmm... According to your post.. NO.

  15. Quite legitimately by Moth7 · · Score: 2, Insightful

    Ok, I may be falling into a trolling trap, but take a look at the 4th amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures". How is it unreasonable to search the computer/network of an individual who is suspected of nearly bringing the windows community to its knees? If you didn't write any malware then you have nothing to hide - it's not unreasonable to eliminate someone from a case by proving that they had no part in it, is it?

  16. Re:Quit using C/C++, lose the buffer overflows by mabu · · Score: 2, Insightful
    I was fortunately able to work entirely without C for the last 10 years or so


    Please note that some of us do not consider getting your VCR to reliably capture every episode of Star Trek to be "programming."

    Yes, let's program in a higher level language so we can inherit all the crappy code libraries of the OS. Let's spend half our lives doing tech support for erroneous systems that we're dependent upon.

    C/C++ can be more portable than any other language. If you're having trouble making it portable, don't blame the language.

    If you haven't had a need to use C before, that's good for you. You're probably not developing applications that need this low level language so don't compare apples to oranges and go back to diddling your non-normalized corporate database.
  17. Re:Instructions to cure worm. by Johnny+Mnemonic · · Score: 2, Insightful


    This was not written by a script kiddie.

    I'm inclined to agree. It seems like a lot of effort to go to, including the use of a stolen credit card. However, why simply download a pron-link in the second stage, and not something more harmful? Why only 20 computers, and not 1000? This seems more like a proof-of-concept--I think SoBig.G is going to be that much worse. Maybe it'll be released the day after this one expires--9/11.

    --
    $tar -xvf .sig.tar
  18. Re:Methods used to obfuscate worm code by Anonymous Coward · · Score: 4, Insightful

    The unknown part is that this virus was set to download and run more code from 20 specific compromised computers mentioned at 3pm yesterday. No one knew what would be in that code until it was actually downloaded. Presumably there was no known remote method to get that code until the deadline either.

    So figuring out what the virus that spread initially did was easy. The only way to figure out what it was going to do next ahead of time was to gain access to one of those 20 computers, and there wasn't a lot of time for that. By blocking 19 of the 20 at their ISPs, at least the next phase was mostly stopped, and turned out to be harmless. But whoever wrote this virus will no doubt learn from this, which was likely the whole point of the exercise, and do something even sneakier, or just bigger (more than 20 hosts), next time. Then eventually when they're confident they can successfully launch an attack of this sort without being blocked, they will launch the REAL attack they've got planned, whatever that is.

  19. I don't get it by Overly+Critical+Guy · · Score: 3, Insightful

    Why does Microsoft security and Windows Update keep coming up in this? This is an e-mail worm. People keep running the damned attachment like morons. It's their fault. Hell, my ISP doesn't even let .scr or any other sorts of files get through without specific permission from the user. Outlook won't run executables unless I tell it to.

    --
    "Sufferin' succotash."
    1. Re:I don't get it by shaitand · · Score: 4, Insightful

      " Why does Microsoft security and Windows Update keep coming up in this? This is an e-mail worm. People keep running the damned attachment like morons. It's their fault. Hell, my ISP doesn't even let .scr or any other sorts of files get through without specific permission from the user. Outlook won't run executables unless I tell it to."

      Your ISP is likely not even running windows or uses a separate "box" which filters the mail. A lot of people running windows sit behind a linksys router with a built in firewall and laugh about these vulnerabilities. They don't realize they are sitting behind a layer of the simplest and weakest form of linux security living in that router.

      Outlook won't run executables unless you tell it to... yeah we already had worms that executed automatically in outlook. But wait they fixed that hole.. you sure there aren't any others? All you have to do is click the attachment and that is "telling it to". Me on the other hand, I have to save the file and then change the filesystem permission on the file to executable and THEN and only then AFTER I have explicitly gone out of my way to make the system recognize the file as being executable may I execute the file. Sure I can set my mask so that EVERY file has execute permission by default but why would I? Or I could do it another way, make up a system where I put 3 letter codes at the end of files and the ones with the right codes are executable... but hey, couldn't anyone name the file that way? oops.

      This boils down to a fundamental flaw in the way the system was designed back in the DOS days. Any change would completely annihilate the existing windows structure and all the code surrounding it. Course they could have... I dunno. Designed the system using ANY of the concepts implemented in ANY OTHER operating system in existence and we wouldn't see this kind of thing today.

      If a user is too stupid to right click on the file and check the box by the execute permission. He's too stupid to be trusted to execute files.

    2. Re:I don't get it by Alien+Being · · Score: 5, Insightful

      "People keep running the damned attachment like morons."

      Why do windows techies insist on packaging things as executables?

      For example, I downloaded an addon track for a Windows racing game I like. It's a single .trk file. But instead of just telling me to put the file in my "tracks" folder, they package it as a damned .exe install "wizard" that's so stupid, it has to ask the user where to install the file.

      Not only that, but they add another layer of bs to the mix by putting the .exe in a zip file. So naturally, some people have to go install winzip, probably break someone's eula, run yet another POS installer.

      Of course users click anything that says OK. That's what you do with windows. Click, click, crash, reboot, click, click, reinstall. It's just the way windows is done, sucky.

  20. Re:Another day, another worm by drik00 · · Score: 4, Insightful

    Sorry, but I must disagree here. Although it probably wasn't a coding error within the product, it was an error in design. They work so hard to throw as many bells and whistles into the application that they overlook the idea that the bells and whistles are the media that malicious individuals will use to cause havoc. If Microsoft wasn't trying to make Outlook do so much needless crap (email scripting), then we wouldn't have these problems. It's along the same lines as giving a car a "feature" that turns out to be deadly in a collision.

    I do hold Microsoft accountable because they tout their own products for being so "user-friendly" while they add no security into the products...if you're going to design an application that a child could use, for God's sakes, don't stop half-way, make sure the user is safe from the very ignorance your product feeds.

    To use the car analogy again, it's as if Microsoft has built super-easy to drive cars for all of our parents, grandparents, and kids, but the car explodes upon even the slightest collision.

    Seriously, how can you not blame Microsoft? The "vulnerability" isn't in the code, it's in the coders.

    J

    --
    Beer, now there's a temporary solution -- Homer Jay S.
  21. Re:Another day, another worm by shaitand · · Score: 4, Insightful

    Truly it is tragic, and no, if the coders do their best what more can you ask? But Microsoft has continued to produce the most insecure and bug ridden software. If there is a flaw in apache, they are on it in a heartbeat... everything possible is done to prevent security holes.

    The number of minor and serious holes in microsoft software which are actively exploited makes it pretty clear. Microsoft basically seems to release software first, and then look for security holes second. Apparently what they are looking for in beta testing is usability bugs that would prevent them from releasing. They are in a hurry to get software to market and leave the looking for holes part for later.

    Apache and other open source software on the other hand tends to run the other way (although anybody can make a project and develop however they please). Look for bugs that cause security problems and system instability first... minor graphic update glitches and such come second.

    In a perfect world both would be ironed out before ever being seen by the public... in the real world I think it's obvious that the open source way is better.

  22. Re:It's NOT too late. by Stephen+Samuel · · Score: 2, Insightful

    I ignore the 'reply-to' field, and track the email via the Received lines from my box, or my ISP's Mailserver (whoever got the message first).

    --
    Free Software: Like love, it grows best when given away.
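
Added example, not part of the original thread or any poster's code: the tracing approach from comment 22, which ignores From/Reply-To and relies only on Received lines written by servers the reader trusts. The host names, addresses, trusted-server sets and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumptions for this example: names of the mail servers the reader trusts
# (own box and the ISP's MX) and the addresses those servers relay from.
TRUSTED_BY = {"mybox.home.example", "mx1.isp.example"}
TRUSTED_RELAY_IPS = {"192.0.2.10"}

# Constructed sample: a worm-style mail with a forged sender and one forged
# Received line underneath the two lines written by trusted servers.
SAMPLE = """\
Received: from mx1.isp.example (mx1.isp.example [192.0.2.10])
\tby mybox.home.example with ESMTP id A1; Sat, 23 Aug 2003 10:00:05 -0700
Received: from LAPTOP (dsl-pool.example.net [203.0.113.77])
\tby mx1.isp.example with ESMTP id B2; Sat, 23 Aug 2003 10:00:01 -0700
Received: from mail.victim.example ([198.51.100.5])
\tby relay.forged.example with SMTP id C3; Sat, 23 Aug 2003 09:59:00 -0700
From: friend@victim.example
Reply-To: friend@victim.example
To: me@home.example
Subject: Re: Details

See the attached file for details
"""

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+by\s+(?P<by>[^\s;]+)", re.I
)
PEER_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def parse_hop(value):
    """Parse one Received value; return None if it lacks a usable peer IP."""
    flat = " ".join(value.split())          # undo header folding
    m = HOP.match(flat)
    if not m:
        return None
    ip_m = PEER_IP.search(m.group("peer"))
    if not ip_m:
        return None
    try:
        ip = str(ipaddress.ip_address(ip_m.group(1)))
    except ValueError:
        return None
    return {"helo": m.group("helo"), "ip": ip, "by": m.group("by").lower()}


def trace_origin(raw, trusted_by=TRUSTED_BY, trusted_ips=TRUSTED_RELAY_IPS):
    """Walk Received lines newest-first and stop at the trust boundary.

    Each server prepends its own line, so the top lines come from servers we
    trust. The first trusted line that records an untrusted peer names the
    host that handed the message in. Anything below it was supplied by that
    host and is kept only as unverified text.
    """
    msg = email.message_from_string(raw)
    hops = msg.get_all("Received", [])
    result = {
        "origin_ip": None, "helo": None, "recorded_by": None,
        "unverified": [], "claimed_from": msg.get("From"),
    }
    for i, value in enumerate(hops):
        hop = parse_hop(value)
        if hop is None or hop["by"] not in trusted_by:
            result["unverified"] = hops[i:]   # not written by a trusted server
            break
        if hop["ip"] in trusted_ips:
            continue                          # hand-off between trusted servers
        result.update(origin_ip=hop["ip"], helo=hop["helo"],
                      recorded_by=hop["by"])
        result["unverified"] = hops[i + 1:]
        break
    return result


if __name__ == "__main__":
    r = trace_origin(SAMPLE)
    print("claimed sender :", r["claimed_from"])
    print("handed in from :", r["origin_ip"], "HELO", r["helo"])
    print("recorded by    :", r["recorded_by"])
    print("unverified hops:", len(r["unverified"]))
```

The address to report is the one the trusted server recorded, not the domain in the From header, which the sender controls.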
  23. Re:Another day, another worm by dtfinch · · Score: 3, Insightful

    Microsoft security has always been implemented as an afterthought. They write code as quickly as possible, test it under normal use, and release it. Internet Explorer is a good example. Most of the exploits people find are just variations on past exploits, and Microsoft just patches each specific exploit rather than fixing the design flaw that is responsible for the whole class of exploits.

    As for all those buffer overflow exploits, most are the result of a conscious decision to use fixed, unchecked buffers in order to save work. You usually see the glaring potential for exploit as you write it but decide not to worry.

    It's understandable that in many projects, it's worth it to allow such vulnerabilities to exist to reduce development time and project complexity, but Microsoft software runs on something like 95% of the desktops in the world, and they repeatedly enable rarely used internet accessible services by default in every version of Windows and generally ignore good safety practices.

    On the bright side, they added stack buffer overflow protection to Visual C++ 7.0, so it's just a matter of them getting most of their code to compile under it, and remembering to enable that feature.

    Security is not as impossible as Microsoft claims. They just never designed their software with it in mind, and occasionally it comes back and hits them in the face. Windows is like a one room house with 16 back doors and only the front door has a lock. If you look at say, OpenBSD, which is completely free and developed on a shoestring budget, it has an almost perfect security record.

  24. Re:Another day, another worm by cpeterso · · Score: 2, Insightful


    What surprises me is that these worms or viruses are not more than nuisances. It would be so easy for the authors to add a lil' code to "format c:" after propagating itself. That would do more damage and cover its tracks.

  25. Re:Correction by TimFreeman · · Score: 2, Insightful
    The 3r337 worm and virii wars begin...
    3r337 is hacker-speak for "ereet". Maybe it was a Chinese worm and they couldn't tell the l's from the r's?
  26. "format c:" is not the most damaging thing by mec · · Score: 4, Insightful

    A formatted computer is a dead computer (and an un-infected computer when it comes back to service, probably with current anti-virus software). An infected computer is a cracker proxy, a spam relay, a DDOS slave.

    Also, for a lot of users, it's more damaging to leak information than to destroy the computer. Think of all the bank, credit card, and brokerage passwords that are available by logging the keystream. And, more relevantly, it's far more profitable to the virus writer to receive leaked information than to know that someone's drive was formatted.

  27. Control of servers... by bobthemuse · · Score: 2, Insightful

    If we know the 20 IPs, why not just put a version of the uninstall virus on each one? Modified to mitigate the other problems it's caused...

  28. because it's in the article header by Anonymous Coward · · Score: 2, Insightful

    What they mean by not keeping logs is logs of who READ an article, not who wrote it.

    Most articles posted to usenet have the complete chain of every machine that forwarded the message on its path to you right there in the headers.