Slashdot Mirror


The Origin Of Sobig (And Its Next Phase)

MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, has traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try and connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.

3 of 500 comments

  1. Next time by xijix · Score: 0, Redundant

    Well....next time it will do something really bad, I swear!

  2. Re:Another day, another worm by justinburt · Score: 0, Redundant

    Ultimately, could Microsoft be blamed for these viruses?

    I have an idea I haven't seen mentioned elsewhere: perhaps the virus writers should be blamed for these viruses.

    Justin

  3. Re:Methods used to obfuscate worm code by Erasmus+Darwin · Score: 0, Redundant
    "But whoever wrote this virus will no doubt learn from this, which was likely the whole point of the exercise, and do something even sneakier, or just bigger (more than 20 hosts), next time."

    According to the Symantec write-up, the worm had at least one more trick up its sleeve with regard to the 20 hosts. It seems that if an infected machine receives a properly signed packet on UDP ports 995-999, it'll update the list of 20 hosts.

    Of course the trick is finding a way to get that update out to all the infected machines. But really, all the virus writer has to do is update one machine (say by spamming a few IP ranges with likely victims *cough*homeDSLusers*cough*). The updated IP list will point to hosts that refer the infected machine to download an executable that causes the infected machine to start spamming out the master list update to random IP addresses. After that, the update should spread similar to a typical non-email network worm.
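From a defender's side, the two behaviours described in this thread (inbound UDP to ports 995-999 that could carry a host-list update, and outbound connections to the download hosts on Fridays and Sundays) are both visible at a perimeter firewall. The following is an added example, not code from the article or the comments: a small log scanner over constructed firewall lines in an assumed format; the internal prefix, the log layout and the download-host address are placeholders, since the page does not list the 20 hosts.

```python
import re
from datetime import datetime

# Constructed sample firewall log (not from the page). Assumed format:
# "<ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
# 2003-08-22 is a Friday, 2003-08-23 a Saturday, 2003-08-24 a Sunday.
SAMPLE_LOG = """\
2003-08-22T10:01:05 UDP 203.0.113.7:40000 -> 192.168.1.20:997
2003-08-22T10:02:11 TCP 192.168.1.20:1045 -> 198.51.100.9:8998
2003-08-23T09:00:00 TCP 192.168.1.20:1046 -> 198.51.100.9:8998
2003-08-22T10:03:00 TCP 192.168.1.21:1100 -> 192.0.2.80:80
2003-08-24T12:00:00 UDP 192.168.1.21:5000 -> 192.0.2.53:53
"""

LINE_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

INTERNAL_PREFIX = "192.168."          # assumed monitored network
DOWNLOAD_HOSTS = {"198.51.100.9"}     # placeholder for the 20 hosts in the story
UPDATE_PORTS = range(995, 1000)       # UDP 995-999, per the Symantec write-up quoted above
ACTIVE_DAYS = {4, 6}                  # datetime.weekday(): Friday=4, Sunday=6

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def detect(log_text):
    """Return (rule, internal_host, remote_host) tuples for suspicious lines."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: inbound UDP to the worm's host-list update ports on an internal host.
        if (rec["proto"] == "UDP" and rec["dport"] in UPDATE_PORTS
                and rec["dst"].startswith(INTERNAL_PREFIX)):
            alerts.append(("host-list-update", rec["dst"], rec["src"]))
        # Rule 2: internal host reaching a known download host on an activation day.
        if (rec["proto"] == "TCP" and rec["dst"] in DOWNLOAD_HOSTS
                and rec["src"].startswith(INTERNAL_PREFIX)
                and rec["ts"].weekday() in ACTIVE_DAYS):
            alerts.append(("scheduled-download", rec["src"], rec["dst"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The Saturday connection to the download host is deliberately not flagged, so rule 2 alone would miss an infected host whose clock is wrong; rule 1 does not depend on the schedule.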