The Origin Of Sobig

MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, have traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try and connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.

Methods used to obfuscate worm code

How can the operation of code like this be so uncertain when its relatively small and known? I assume the worm doesn't download keys as it runs to unlock further sections of code... How difficult is it to know what exactly these things do when they have a complete binary copy disassembled?

Re:Methods used to obfuscate worm code

Actually, the IP addresses were in the code. They were just encrypted/encoded. The encryption wasn't the best, but because of the amount of un-optimized code, it was difficult to get through the code. There was just so much code to go through.

I work for an antivirus vendor, and it took me a total of almost 5 hours to decrypt the IP addresses. Once I figured out what the worm needed to decrypt the IP addresses, I ran it in a debugger and changed the registers at the right locations. Then I just ran the worm and got the IP addresses from a network sniffer (if the first IP doesn't respond in X many seconds, the worm tries the next one and so on).

Sorry for posting anon, but I felt it was better for this post.

Another day, another worm

[KingDaveRa]

These worms amaze and worry me all at once. They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with Cancer or AIDs as far as some people are concerned. Its major shock-horror time when one happens. That's not to say people should take them lightly though.

They worry me because of the fact they do all the above. These things are just a little power trip for all concerned. Microsoft's latest idea of forcing Windows Update could stop this - but only with the new versions of windows. We're going to have older versions kicking around for years to come.

Ultimately, could Microsoft be blamed for these viruses? After all, if they didn't miss these bugs, the viruses wouldn't have a mechanism to run on. But should we blame the guys producing Apache when a flaw is found in that? Personally, I think its unfair to blame MS for all of this.

Re:Another day, another worm

Yes, perhaps people could actually start blaming those people who actually write the virii or worms. Wouldn't that be a novel concept.
"But M$ is baaaaaaaad! If they wrote better programming, it wouldn't happen! *fume fume*"
Right. And if people built better houses/cars, we'd never have break-ins. There will always be overlooked security holes. No matter what you do to lock them, people will find more and use them in a destructive manner. Lock your front door and a burglar will pick the lock. Build a better lock and whoops! You forgot to lock the window.
Lock the window and the burglar breaks it instead. Get unbreakable glass and the burglar finds more devious ways in. Is it foolish to leave your house unlocked while on vacation? Most certainly. But anyone taking something from your house is still a thief and is ultimately responsible for stealing.

Re:Another day, another worm

[dhwebb]

I agree with you that SoBig isn't a security hole in MS's code, but I like the "Open from here" features. You said that you should have to save to disk, mark executable, then run it. Guess what, if that's how it was then people would do that and still get the worm/virus. For some reason, end-users have to look at everything that comes through their inbox. How many people do you know that run linux as root because it's easier, and even though they know they shouldn't. Seriously, I know some very smart people, and they are guilty of it and say, "You just gotta be a little more careful."

That's they whole prevention of this kind of thing, have updated antivirus defs, know what your opening (NOT what the email says either), and just because it came from your mom doesn't mean:
a. she's not immune from worms
b. it actually came from her

But amazingly, you tell an EU this and they just keep doing it and acting such the victim when they actually get infected. I actually had an EU call me over to ask me about an e-mail that actually had SoBig on Thursday. I told her not to open it because it was a virus, well she looks at me and says, "Oh don't worry, it doesn't do anything watch." And believe it or not, she sat their and opened the email and double-clicked the attachment to show me it didn't do anything. Just amazing.

Correction

[idiotnot]

Actually, "officials" were only able to take down thirteen of the twenty hosts targed. Six were already down due to MS Blaster.

The porn site moneymaking scheme?

[Rkane]

I want to know what 'officials' are doing about this alleged porn site that the computers are being aimed at. It may very well be just a random site that the author chose, but I would definitely look into the possibility of the site owners being in on this.

Furthermore, what is the address of this porn site? I think we net admins have a valid right to "research" this threat using the company broadband!

the perfect solution was missed. not too late!

[goombah99]

why not put the virus fixing script on the 19 computers, plus some choice words about MS security and the need to patch.

IN fact why not have the virus download a patch that installs a daemon that periodically installs all MS patches. anyone who is too dumb to deactivate it needs to have it installed. its a self -selecting fix

Re:the perfect solution was missed. not too late!

[rusty0101]

That's one of the perpetual fights going on. The two sides are the administrators who are tired of the fact that there are all too many systems with poor adminstration being done which happen to also be on the internet, vs. the administrators who think that if someone did this to them that they would be out of a job for happening to have poor security. (I happen to believe that those adminstrators who do have this happen to them should be out of a job for poor security, but that's a different matter.)

I think that the worst case situation would be that a security engineer finds a flaw and uses an exploit of that flaw to patch all systems against the flaw, then announces to Microsoft that the flaw existed, here is the exploit, here is the fix, and oh, by the way, the fix has been applied to nearly every Windows SV on the Net, as well as a few others. The problem then is that Microsoft would have the problem of deciding whether they should sue the security engineer or applaud him.

I think the concern of Microsoft would be whether the fix is worse than the flaw. Since they did not provide it, their own licences do not apply to the patch, which means that nearly every computer with the code installed would effectively be running unlicenced code which Microsoft might find themselves liable for. Especially if there is a flaw in it.

-Rusty

Forced Grid Computing?

[Corpus_Callosum]

They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with Cancer or AIDs as far as some people are concerned.

How long until we see more organized worms that communicate with each other to achieve a goal (such as cracking an RSA key)? It seems that stealthy worms could already be out there, slowly infultrating and lodging themselves into message handlers or whatnot...

BTW: Yes, I do think we can blame MS... Their software does make this stuff possible.

Stupid, Offtopic, Newbie, Question

[CGP314]

But willing to risk the flames for an answer that is not ten pages long.

What's the difference between a worm and a virus?

Re: Damn...

[Black+Parrot]

> But these hapless companies and also the public sector will eventually be forced to learn, and that's ultimately a good thing for all of us.

Essentially these have been serving as vaccinations rather than infections, because they're provoking an antibody response that will (should) reduce the impact of a genuinely hostile worm when it finally comes out.

The vaccination isn't completely effective, since so many people obviously aren't hardening their systems, but some are, and the experts are getting a lot of practice at trapping, analyzing, and defusing the worms on a tight schedule. If this had come out a couple of years ago the response might not have been quick enough to shut the 19 sites down.

Still waitin' for the big one, though.

Sobig was created to defeat Bayesian Filters.

[mumblestheclown]

I am so glad this topic came up, because it gives me a chance to propose my pet theory.

As i understand it, SoBig was written by some spammers (this according to something I read a few days ago). If this is true, it only reinforces my belief that the Sobig worm was written for the purpose of weakening Bayesian filtering schemes for spam email, thus making it easier for spammers to send spam mail in the future.

How?

Simple. you are getting sobig emails apparently (but probably not really) from people who you may ordinaly receive ham from. If you (as many of you will) flag the SoBig messages as spam, your bayesian filter will remember that spam comes from trustedfriend@ham.com and lo and behond false positives increase.

Think this is ridiculous? I began out of habit flagging my sobig emails as spam before it dawned on my what i was doing. Yes, my filtes caught the sobig, but i did some tests soon to find exactly the behaviour that i described.

This further underscores the FACT that spam is a SOCIAL, not a technological problem. No bullshit, just good legislation.

I am a small businessperson with a legitimate web based business on the web now for 8 years. Three acounts now receive 4500 spam per day, or roughly the equivalent of one 56k modem whose full time job is to receive spam. While we have followed best practices with email addresses, over 8 years and thouands of customers, these things get around.

Re:Sobig was created to defeat Bayesian Filters.

[mabu]

It's no coincedence that spammers are the most technologically advanced when it comes to propagating unwanted data across the Internet.

I figure some time around 2014 the authorities will identify this connection.

effective virus

[dd]

They may eventually catch the morons(s) - it isn't clear from this article, since their _really_ isn't much info, except the interesting stolen creditcard item.

But one of the lessons to be learned by people with all colours of hats from the sobig.* family is that the interface design of the virus is very effective.

It is subtle, in that the subject lines of the emails are rather muted. It has no other message than to tell people that the info is in the file, and it may appear to come from someone you know (and might trust). In short, it isn't very 'spam-like'. and of course it has a very effective mail engine.

I work in a university setting, and I can tell you that having a PHd will not save you from accidentally opening this virus. Email programs should make it _hard_ to open any file that is executable. How many times does it have to be said? Thanks to the internet gods that my users are on linux, and that the secretariat is staffed by savy people.

I watched this puppy rise from category 'low' to 'high' in a space of 6 hours on nai.com on tuesday. I am more than a bit surprised that it
started at level 'low'; anybody else remember the eariler incarnation when the email appeared to come from 'support@microsoft.com'?

Re:effective virus

[bluGill]

I just did that in fact. I sent an email that contained only attachments, no text. I have one of those camera phones, and I took an interesting picture that I sent to some people I know who would be interested. Since writing text is hard on a cell phone I put in a subject that didn't say much, with some attachments. I'm hoping that it is enough for those who care to open the attachments. Since they are .jpg pictures that shouldn't be a problem to view them, and because they are from me, they might be looked at.

Unfortunatly I know for a fact that some spammers have used my email address as the from address (without my permission of course), so I can no longer be sure that attachments from me that look so much like spam will really be seen.

It's NOT too late.

[Stephen+Samuel]

The viruses will be 'calling home' every Friday and Sunday for the next few weeks. There's still lots of time to install such scripts.

If nothing else, put together a script that will log the IPs of machines that connect for further instructions and send a message to their responsible ISP asking them to have the users clean up their system.

I"ve already got a prototype set of scripts if anybody's intersted.

My anti-virus kicks in before SpamAssassin.

[Population]

At work, the mail is scanned for viruses first, then it is handed off for classification as ham or spam.

Anyone who bothers to send a virus through a spam filter deserves whatever he gets.

Re:Instructions to cure worm.

[Guppy06]

What happens if I block outbound NTP requests?

Re:Nobody seems to care.

At some point, all software should be vetted for buffer overflows and certified by a trusted entity before being permitted for use on an open network. Only then can we stem the tide of attacks on our greatest electronic resource from these malcontents.

Are you trolling, or do you not realize that you've just advocated the elimination of free software, both as in beer and in speech?

Interesting!

[Cock+Cockwood]

Could that expiration date (Sept. 10) have been chosen out of sheer respect for the incident that happened on September 11, 2001?

Quit using C/C++, lose the buffer overflows

[garyebickford]

Folks blame Microsoft for their failures to prevent the bugs that allow these virii and worms, and I don't disagree. However, there is a deeper root cause. C and C++ are poor tools for any programming above the level of device driver (and perhaps compiler construction). "Programming without a Net", indeed!! (sorry, couldn't find the original of that quote.)

Programming in C/C++ is directly equivalent to having to get out of your car to check the lugnuts at every red light. I mean - buffer overflows? Segfaults? Library conflicts? This is the stuff of the Dark Ages!! (with the possible exception of the libraries...) If Microsoft (along with everyone else) worked in an actually productive environment, these types of errors would be impossible in nearly all cases. (Of course, I'm not saying bugs in general would be impossible...)

I was fortunately able to work entirely without C for the last 10 years or so, and managed to go the entire time without a segfault, and was easily 10 times as productive as I ever have been in C. (Using myself as an example removes any programmer skill issue - one can presume same level, both cases.) This included some large projects, including a complete web-enabled GIS system with live maps and integration with corporate inventory & personnel databases.

Recently I had to return to the C++ environment, and was astonished at how painful, and inefficient the process is. And, of course, code written for one linux platform had to be modified for another, and then again for Solaris. In a simple 300 line program there is no common version that works on all three platforms, even though all used GCC. So I'm now faced with the prospect of building and testing three versions simultaneously or going through the meta-agony of setting up an autoconf build (tho I admire autoconf greatly - autoconf is arguably a key factor in the success of open source.)

And the various IDEs (for pretty much any language) are just glorified outliners, not engineering tools and certainly not CAD in any useful sense of the word. It is time for software to become engineering. Imagine designing a nuclear plant entirely using text - no drawings, no CAD, no piping analysis, no dynamic stress analysis. A large programming project has a similar complexity, yet we are still stuck writing prose - this is software literature, not software engineering! CAD has transformed every engineering discipline except one. Why do we insist on remaining stuck in the Dark Ages?

Re:Quit using C/C++, lose the buffer overflows

[garyebickford]

Yes, let's program in a higher level language so we can inherent all the crappy code libraries of the OS. Let's spend half our lives doing tech support for erroneous systems that we're dependent upon.

My point exactly - All those 'crappy code libraries' are written in C, which means (effectively) that every other language has to support the C libraries - all 4,321 versions. And, surprise!! - we're spending half our lives doing tech support for systems whose errors are Largely due to the problems of C!

C/C++ can be more portable than any other language. If you're having trouble making it portable, don't blame the language.


Compiler portability via bootstrapping was, in 1972, C's really big new innovation. Other languages were more portable than C once the compiler was ported, but they were generally not good languages for building compilers (LISP, APL, ALGOL, maybe even FORTRAN come to mind.) That was then, this is now. IIRC it was Dennis Ritchie who described C as a "structure PDP-11 Macro Assembler". Some argue that C's major advantage is its stupidity - almost all the functionality is in the libraries.

If you haven't had a need to use C before, that's good for you. You're probably not developing applications that need this low level language so don't compare apples to oranges and go back to diddling your non-normalized corporate database.

(Ad hominem attacks are boring.) As I pointed out, C may have a purpose writing device drivers, although even that is arguable - Burroughs was writing hardware descriptions in (IIRC) Pascal as far back as 1980, and you'll note that Intel doesn't use C to describe the Pentium logic - arguably low level programming. And again, you make my point. Anything higher level than device drivers (kernels? maybe, maybe not) is out of C's problem domain.

At present the typical labor cost to build and maintain nearly any system is two orders of magnitude larger than the cost of the hardware it runs on. If the loaded cost of a programmer is $100/hour then a program that takes one day to write is more expensive than the processor it will run on, and every minute chasing down a fencepost error costs $1.67 (Pascal and Algol for just two examples, prevented fenceposts as early as 1968. Spending an hour trying to decipher stupid compiler-library mismatches borders on unethical abuse of resources.

The real question is, why do we still think of programming in terms of language? This shows a presupposition that literature is programming. It may be, but it's certainly not engineering. As long as we're writing prose, we're not doing engineering.

It is fairly obvious to me that the entire worldview of the software community is presently broken. Grace Hopper et al developed COBOL to allow 'nonprogrammers' to write programs. That was in the late 1950's. What progress has occurred since then? Why aren't we drawing our programs? Why don't we run the graphic model through a dynamic dataflow, bandwidth and timing analysis? Why is it up to us to manually tune the literature to support multiple processors?

The plain fact is that I've watched the nonprogress of software over the last 20+ years, and it's nearly all a rehash of old stuff. The latest, greatest software engineering discipline as taught at the local university is unchanged from the method I used in 1978. We're designing jets for Boeing, using the software equivalent of a Model T.

Re:Idiots.

[cperciva]

Certain subject lines are going to be more effective at spreading the worm; and which lines are most effective will vary depending upon the people involved (eg, in France, subject lines which are in French will probably be more effective).

Consider a mailing worm which has a 99% chance of re-using its "parent's" subject line, and a 1% chance of using a new subject line, randomly chosen from the host's mail spool. The "bad" subject lines will rapidly die out, since nobody will be fooled by them, while the "good" subject lines will spread (at 99% of the normal rate). Survival of the fittest, applied to subject lines of email worms.

Even better, when the virus "mutates" (the 1% chance of picking a new subject line), it will pick a new subject line which is appropriate to the culture in which it finds itself.

Redirect to a porn site? Yeah, right.

[Stormbringer]

My guess is that the virus-writer, realizing from the online news that his/her precious 20 IP numbers were being decoded and chased down, went around to all of those machines that were still online and switched in that porn-site target, to avoid disclosing further strategy.

With a lot of luck, maybe forensics on the first few machines taken offline will yield the real download address, and we can see what that clown was really up to.

Re:No Problems Here

I dont have any friends either, but i have a website to sell a shareware program i wrote.. and it happens to be popular so lots of people have my page in their IE cache, which sobig uses to harvest addresses.. so i get about 200 sobigs every few hours (well was, it seems to have died down now)

Re:Damn...

[carsont]

I realize you're probably not entirely serious, but this is definitely the wrong attitude. The flood of virus warnings and bounces caused by Sobig, not to mention all the machines knocked off the Internet by Blaster, shows that a horde of hopelessly insecure machines on the Internet are dangerous to everyone, including those of us with some common sense about security. If one acknowledges that spam costs time and money to deal with, then Sobig is damaging even people who have gone completely uninfected - the virus messages and bounces are every bit as annoying and numerous as spam, albeit easier to filter.

At any rate, although it would be nice to see businesses move away from Windows after this or the next MS "trustworthy computing" fiasco, I doubt it will happen. In my experience, anyway, the MCSE types will probably be more likely to shell out big bucks for a mail filter on their Exchange server (you know, the ones generating all the "YOUR MESSAGE CONTAINS A VIRUS" warnings sent to addresses that Sobig spoofed) than to switch from Windows or even patch it more often. One can always hope, though...

Anyway, even if everyone switched to real OSes, most of them have their share of security problems, too. These types of virus epidemics will probably still be a danger until either the majority of people get a clue about security, or until the majority of OS vendors get a clue about designing systems that are secure by default so the users don't have to work quite as hard to make and keep them safe.

Re:What a nice guy though

Yeah, but what you're missing is that F expires on September 10th, 2003.

Which means G, the one with the yet more freakin' evil payload, is probably set to go live... ooh, sometime around the 11th... uh-oh.

Expiring the worm is deliberate, so that different versions of the worm don't interfere with each other much.

We got lucky, or maybe not: the author realised what was happening, reads the right lists (or spies on them, heh), and decided that he'd rather leave it to the backup payload - the update url was simply a random porn site, one of the decoys, rather than a compromised webpage containing the latest version of his second-stage rootkit/trojan/proxy, Lala.

So we don't know what his latest surprise would have been. There's been too much attention - he's not going to spring it. He - let's be honest here, they - want a low-profile proxy network, quietly removing the worm after deployment, to anonymise his compromises, do some identity theft, mail some spam (they're EVIL, remember).

Now, this stolen credit card was almost certainly stolen with the keylogger in the previous trojan cascade of Sobig.E, so... well, that pretty much fucks things up as far as traceability goes, same for the proxy servers that the authors will have been using to cover their tracks.

Disclaimer: I don't *know* this, but based on what disassembly I've done, what I've read, and previous versions, it seems very, very likely. He might have been planning something else, but I suspect all this publicity derailed his plans for quiet world domination.

Re:Idiots.

[ewen]

Come on, if you're going to write a worm, do it right.

I think it's pretty obvious that this was a test of a few things:

• It was a test of the encryption of the virus executable to see how hard it would be for anti-virus vendors and law enforcement to decipher it (conclusion: they've nearly got it hard enough; law enforcement still don't know exactly what it does).
• It was test of how many next-stage sites would be needed in order to ensure that they didn't all get shut down before they were needed (conclusion: 20 is enough (they only shut down 19), 30 would be plenty it seems)
• It was a test of how quickly it could spread just relying on user gulliability to get it in the door (conclusion: real quick, I've been seeing 1000+ copies (well, attempts) per day from some IPs, and more than 3000 copies (well, attempts) per day in total)

So next time (and the speculation seems to be next time will be the day after SoBig.F expires on 10 September) will presumably have learnt from the results of these tests.

Oh, and it wouldn't surprise me if next time is a Warhol Worm. I'm guessing they've collected up millions of zombies this time around.

So, yes, this time around it's easy to filter, and it's really only the useless virus notification and other bounce backs which are annoying.

Please do not send virus notifications for any worm or virus which is known to forge email addresses.

But don't expect it to be so easy next time.

Ewen

"Traced the Origin" ? Not Really.

[murr]

Unfortunately, the headlines seem to vastly overstate the success of the investigation so far. "Tracing" the virus to a hacked computer and a stolen credit card does not really establish the real "Origin" of that virus.

I'll be satisfied with the investigation when I see a picture of the person who wrote it (preferably in a body bag, with the fingernails ripped out & a broom handle sticking from his/her ass).

Why install proxies and not mail servers?

So some of these infected machines have had proxies installed so that the people running the show can whore them out to spammers. They essentially gain the ability to resell access to computers that are infected. Cute.

Open proxies let a spammer connect in and use it as a puppet to create a TCP connection that's essentially anonymous. They connect to it, it connects to the victim's machine, and they pull the strings to make it deliver mail for them. That's simple enough.

My question is: why is it installing a proxy and not something more like a mail server? I'm sure the spammer would much rather connect to the compromised box, spew out the recipients and data, then disconnect. Let the infected system worry about connecting to the mail exchangers of the recipients. That leaves the spammers free to do other things rather than babysitting all those proxied TCP connections.

I guess these guys only know one thing: "we want more proxies!", and they never actually stop to think about what they're really doing. Duh.

Easynews privacy policy...

[sweet+'n+sour]

How did the FBI get the ip address of the computer that uploaded the virus when the privacy policy for easynews specifically states that is should be impossible for such a thing to happen:

We do not keep HTTP access logs
We do not keep NNTP access logs
We do not use IP addresses to link to personally identifiable information. IP addresses are used for administrative purposes only to ensure the Web site is running smoothly.
Here's a link to the complete policy: Privacy Policy

I Love You runs on RH 7.3/KDE

[BigBlockMopar]

Now if the computers hadn't been running windows and they would have crashed anyway and wouldnt have been able to execute it. Oh wait they were running windows. I guess windows(and any crashable OS) only crashes during important data writing.

Linux X applications by and large aren't as stable as Windows shareware (ie. KMail silently dies when the disk is full, etc.). The Linux kernel *is* crashable - try hot-swapping an ISA card in an old clunker. [grin]

As for worms, well, once on my KDE box, I clicked on a virus while I was showing off Linux to a friend. "Look at how immune I am to e-mail virii... [click-click]... Oh shit... Look at how well Windows applications are supported!"

Red Hat 7.3, shipping with Windows binaries associated to Wine. Yup, I got my Linux box infected with a Windows e-mail virus. Dangerous default file associations are not a problem exclusive to Windows, and it's only a matter of popularity before e-mail virii are being written to exploit bugs in Linux apps.

Post-mortem

[JohnyDog]

In the past, there was a spammer which used our domain's name as fake From: header to send some ammounts of spam - he was shutted down, but that fake mailadres remained in thousands computers. Then came the Sobig.F, digged for adresses, and now we're getting about 2000 hits per hour from various MXs trying to deliver Sobig to this adress. Few days ago i thought that spamfilters could be definitive solution to spam. Well, not really.