The Origin Of Sobig (And Its Next Phase)
MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, have traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try and connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.
How can the operation of code like this be so uncertain when it's relatively small and known? I assume the worm doesn't download keys as it runs to unlock further sections of code... How difficult is it to know what exactly these things do when they have a complete binary copy disassembled?
Actually, "officials" were only able to take down thirteen of the twenty hosts targeted. Six were already down due to MS Blaster.
I want to know what 'officials' are doing about this alleged porn site that the computers are being aimed at. It may very well be just a random site that the author chose, but I would definitely look into the possibility of the site owners being in on this.
Furthermore, what is the address of this porn site? I think we net admins have a valid right to "research" this threat using the company broadband!
In fact, why not have the virus download a patch that installs a daemon that periodically installs all MS patches? Anyone who is too dumb to deactivate it needs to have it installed. It's a self-selecting fix.
They may eventually catch the moron(s) - it isn't clear from this article, since there _really_ isn't much info, except the interesting stolen credit card item.
But one of the lessons to be learned by people with all colours of hats from the sobig.* family is that the interface design of the virus is very effective.
It is subtle, in that the subject lines of the emails are rather muted. It has no other message than to tell people that the info is in the file, and it may appear to come from someone you know (and might trust). In short, it isn't very 'spam-like', and of course it has a very effective mail engine.
I work in a university setting, and I can tell you that having a PhD will not save you from accidentally opening this virus. Email programs should make it _hard_ to open any file that is executable. How many times does it have to be said? Thanks to the internet gods that my users are on Linux, and that the secretariat is staffed by savvy people.
I watched this puppy rise from category 'low' to 'high' in a space of 6 hours on nai.com on Tuesday. I am more than a bit surprised that it started at level 'low'; anybody else remember the earlier incarnation when the email appeared to come from 'support@microsoft.com'?
My guess is that the virus-writer, realizing from the online news that his/her precious 20 IP numbers were being decoded and chased down, went around to all of those machines that were still online and switched in that porn-site target, to avoid disclosing further strategy.
With a lot of luck, maybe forensics on the first few machines taken offline will yield the real download address, and we can see what that clown was really up to.
Yeah, but what you're missing is that F expires on September 10th, 2003.
Which means G, the one with the yet more freakin' evil payload, is probably set to go live... ooh, sometime around the 11th... uh-oh.
Expiring the worm is deliberate, so that different versions of the worm don't interfere with each other much.
We got lucky, or maybe not: the author realised what was happening, reads the right lists (or spies on them, heh), and decided that he'd rather leave it to the backup payload - the update url was simply a random porn site, one of the decoys, rather than a compromised webpage containing the latest version of his second-stage rootkit/trojan/proxy, Lala.
So we don't know what his latest surprise would have been. There's been too much attention - he's not going to spring it. He - let's be honest here, they - want a low-profile proxy network, quietly removing the worm after deployment, to anonymise his compromises, do some identity theft, mail some spam (they're EVIL, remember).
Now, this stolen credit card was almost certainly stolen with the keylogger in the previous trojan cascade of Sobig.E, so... well, that pretty much fucks things up as far as traceability goes, same for the proxy servers that the authors will have been using to cover their tracks.
Disclaimer: I don't *know* this, but based on what disassembly I've done, what I've read, and previous versions, it seems very, very likely. He might have been planning something else, but I suspect all this publicity derailed his plans for quiet world domination.
How did the FBI get the IP address of the computer that uploaded the virus when the privacy policy for Easynews specifically states that it should be impossible for such a thing to happen:
We do not keep HTTP access logs
We do not keep NNTP access logs
We do not use IP addresses to link to personally identifiable information. IP addresses are used for administrative purposes only to ensure the Web site is running smoothly.
Here's a link to the complete policy: Privacy Policy
Now if the computers hadn't been running Windows and they would have crashed anyway and wouldn't have been able to execute it. Oh wait, they were running Windows. I guess Windows (and any crashable OS) only crashes during important data writing.
Linux X applications by and large aren't as stable as Windows shareware (ie. KMail silently dies when the disk is full, etc.). The Linux kernel *is* crashable - try hot-swapping an ISA card in an old clunker. [grin]
As for worms, well, once on my KDE box, I clicked on a virus while I was showing off Linux to a friend. "Look at how immune I am to e-mail virii... [click-click]... Oh shit... Look at how well Windows applications are supported!"
Red Hat 7.3, shipping with Windows binaries associated to Wine. Yup, I got my Linux box infected with a Windows e-mail virus. Dangerous default file associations are not a problem exclusive to Windows, and it's only a matter of popularity before e-mail virii are being written to exploit bugs in Linux apps.