The Origin Of Sobig (And Its Next Phase)
MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, has traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try to connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.
Please see the attached file for details.
Visualize the world of wine
An expiration date was actually coded into the worm? Seems pretty ironic.
How can the operation of code like this be so uncertain when it's relatively small and known? I assume the worm doesn't download keys as it runs to unlock further sections of code... How difficult is it to know what exactly these things do when they have a complete binary copy disassembled?
These worms amaze and worry me all at once. They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with Cancer or AIDS as far as some people are concerned. It's major shock-horror time when one happens. That's not to say people should take them lightly though.
They worry me because of the fact they do all the above. These things are just a little power trip for all concerned. Microsoft's latest idea of forcing Windows Update could stop this - but only with the new versions of Windows. We're going to have older versions kicking around for years to come.
Ultimately, could Microsoft be blamed for these viruses? After all, if they didn't miss these bugs, the viruses wouldn't have a mechanism to run on. But should we blame the guys producing Apache when a flaw is found in that? Personally, I think it's unfair to blame MS for all of this.
Am I the only one who's a little bummed that this virus may have been stopped dead in its tracks here? I mean, my inbox got slammed with crap just like everyone else's, but because nearly all of my systems are running relatively secure operating systems, I just kinda chuckle each time another dozen messages show up automatically routed to my "Junk/virii" folder.
It is pure, gleeful schadenfreude for me to think of all the hapless PHBs and MCSE CIOs who are finally being given a little hint as to just how vulnerable they've left their companies. In the short term yes, many people will be inconvenienced and possibly some critical systems knocked out. But these hapless companies and also the public sector will eventually be forced to learn, and that's ultimately a good thing for all of us.
Actually, "officials" were only able to take down thirteen of the twenty hosts targeted. Six were already down due to MS Blaster.
I want to know what 'officials' are doing about this alleged porn site that the computers are being aimed at. It may very well be just a random site that the author chose, but I would definitely look into the possibility of the site owners being in on this.
Furthermore, what is the address of this porn site? I think we net admins have a valid right to "research" this threat using the company broadband!
Celebrate Steak and a Blowjob Day!
How long till the straight marketeers catch on with worms to move hits over their sites?
In fact, why not have the virus download a patch that installs a daemon that periodically installs all MS patches? Anyone who is too dumb to deactivate it needs to have it installed. It's a self-selecting fix.
Some drink at the fountain of knowledge. Others just gargle.
They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with Cancer or AIDS as far as some people are concerned.
How long until we see more organized worms that communicate with each other to achieve a goal (such as cracking an RSA key)? It seems that stealthy worms could already be out there, slowly infiltrating and lodging themselves into message handlers or whatnot...
BTW: Yes, I do think we can blame MS... Their software does make this stuff possible.
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
But willing to risk the flames for an answer that is not ten pages long.
What's the difference between a worm and a virus?
Actually the worm included its own NTP client which it would use to verify the date by querying NTP servers on the Internet.
Hence this doesn't work. I thought this was a nice touch on the part of the worm author. As well as including NTP, the author had their own SMTP server for sending the messages and used a regular expression engine to search for email addresses on the machine.
This was not written by a script kiddie.
John.
http://wwwi.reuters.com/images/sobig_virus_graphic.gif is a really stupid diagram that isn't correct and is ambiguous, probably causing many misconceptions in CNET readers and Reuters readers.
The Television Wiki
Its called "W32/SitePostedOnSlashdot"
It's been a busy week. I see a lot of people confusing the different worms/viruses running around.
SoBig.F - A virus. Exploits no vulnerability in the OS. It only executes when a user runs the attachment. It sends out emails to everyone in your address book and makes the source another address from your book. It runs its own mail server, so filter port 25 outbound.
Blaster - A worm. This exploits the Windows RPC bug and self-propagates to any unpatched system.
Welchia/Nachi - A worm. Also exploits the Windows RPC bug and attempts to clean machines infected by Blaster. Unfortunately, it tries to find other systems by doing random pings which can saturate a network.
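Turning the "filter port 25 outbound" advice into a check, as an added example that is not part of this poster's comment: it reads netfilter-style firewall log lines and flags any internal host other than the site's mail relay that opens TCP/25 to an outside address, which is what a mass-mailer with its own SMTP engine looks like from the border. The log format, the sample lines, the 10.0.0.0/8 internal range and the relay address 10.0.0.25 are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this example: the site's internal range and its one
# legitimate outbound relay. Any other internal host talking to TCP/25 on
# the Internet is either misconfigured or running its own SMTP engine.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_RELAY = ipaddress.ip_address("10.0.0.25")

# Constructed sample lines in a netfilter LOG-target style (not real traffic).
SAMPLE_LOG = """\
Aug 22 10:01:03 fw kernel: OUT=eth1 SRC=10.0.0.25 DST=198.51.100.7 PROTO=TCP SPT=40231 DPT=25 SYN
Aug 22 10:01:05 fw kernel: OUT=eth1 SRC=10.0.3.17 DST=203.0.113.9 PROTO=TCP SPT=1034 DPT=25 SYN
Aug 22 10:01:05 fw kernel: OUT=eth1 SRC=10.0.3.17 DST=203.0.113.10 PROTO=TCP SPT=1035 DPT=25 SYN
Aug 22 10:01:06 fw kernel: OUT=eth1 SRC=10.0.3.17 DST=198.51.100.44 PROTO=TCP SPT=1036 DPT=25 SYN
Aug 22 10:01:07 fw kernel: OUT=eth1 SRC=10.0.4.2 DST=192.0.2.80 PROTO=TCP SPT=2201 DPT=80 SYN
Aug 22 10:01:08 fw kernel: OUT=eth1 SRC=10.0.4.2 DST=10.0.0.25 PROTO=TCP SPT=2202 DPT=25 SYN
Aug 22 10:01:09 fw kernel: OUT=eth1 SRC=10.0.5.9 DST=192.0.2.25 PROTO=TCP SPT=3300 DPT=25 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (src, dst, proto, dport) or None if the line is not a connection record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            m["proto"], int(m["dpt"]))

def is_rogue_smtp(src, dst, proto, dport):
    """True for an internal, non-relay host opening SMTP to a host outside the site."""
    return (proto == "TCP" and dport == 25
            and src in INTERNAL_NET and dst not in INTERNAL_NET
            and src != ALLOWED_RELAY)

def find_rogue_senders(log_text, threshold=1):
    """Count outbound-SMTP connections per offending internal host.

    Returns {src_ip: count} for hosts at or above `threshold`. A threshold
    of 1 also catches a single misconfigured client; a worm's mail engine
    fans out to many MXs within seconds, so it dominates the counts.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_rogue_smtp(*rec):
            counts[str(rec[0])] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(find_rogue_senders(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} outbound SMTP connection(s) bypassing the relay")
```

The check deliberately ignores traffic to the relay itself (10.0.4.2 handing mail to 10.0.0.25 is normal) and the relay's own outbound connections; what it surfaces is 10.0.3.17 opening three connections to three different outside MXs within two seconds, which is the signature of a host delivering mail on its own. Blocking the same traffic at the border stops the worm's deliveries even when the desktop has not been cleaned.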
Come on, if you're going to write a worm, do it right.
Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who infected you, and trade connections randomly).
Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.
Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).
In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.
Tarsnap: Online backups for the truly paranoid
I don't have any friends so I don't really get any e-mail.
As I understand it, SoBig was written by some spammers (this according to something I read a few days ago). If this is true, it only reinforces my belief that the Sobig worm was written for the purpose of weakening Bayesian filtering schemes for spam email, thus making it easier for spammers to send spam mail in the future.
How?
Simple. You are getting Sobig emails apparently (but probably not really) from people who you may ordinarily receive ham from. If you (as many of you will) flag the SoBig messages as spam, your Bayesian filter will remember that spam comes from trustedfriend@ham.com and lo and behold, false positives increase.
Think this is ridiculous? I began out of habit flagging my Sobig emails as spam before it dawned on me what I was doing. Yes, my filters caught the Sobig, but I did some tests soon to find exactly the behaviour that I described.
This further underscores the FACT that spam is a SOCIAL, not a technological problem. No bullshit, just good legislation.
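The poisoning effect this poster describes, worked through as an added example (not code from the thread): a minimal Graham-style token filter is trained on a few ham messages from alice@example.org and some ordinary spam, then on three worm messages that spoof Alice's address, marked as spam. Before the poisoning a legitimate mail from Alice scores as ham; afterwards the sender token and the worm's vocabulary ("attached", "see") have been pushed towards spam and the same legitimate mail is rejected. All addresses and message texts are constructed.

```python
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9']+")

def tokenize(sender, subject, body):
    """Token set for one message. The sender address becomes a token of its
    own, which is exactly what lets a spoofed From: line poison the model."""
    tokens = {"from:" + sender.lower()}
    tokens.update("subj:" + w for w in WORD_RE.findall(subject.lower()))
    tokens.update(WORD_RE.findall(body.lower()))
    return tokens

class BayesFilter:
    """Per-token spam probabilities with Laplace smoothing, combined as a
    log-odds sum. Counts are the number of messages containing each token."""

    def __init__(self):
        self.ham_docs, self.spam_docs = Counter(), Counter()
        self.n_ham = self.n_spam = 0

    def train(self, message, is_spam):
        tokens = tokenize(*message)
        if is_spam:
            self.spam_docs.update(tokens)
            self.n_spam += 1
        else:
            self.ham_docs.update(tokens)
            self.n_ham += 1

    def token_prob(self, token):
        """P(spam | token); an unseen token comes out as a neutral 0.5."""
        s, h = self.spam_docs[token], self.ham_docs[token]
        return (s + 1) / (s + h + 2)

    def score(self, message):
        """Sum of per-token log-odds; positive means 'spam'."""
        return sum(math.log(p / (1 - p))
                   for p in map(self.token_prob, tokenize(*message)))

    def is_spam(self, message):
        return self.score(message) > 0

# Constructed training data (sender, subject, body); none of it is real mail.
HAM = [
    ("alice@example.org", "Lunch Friday", "Are we still on for lunch Friday?"),
    ("alice@example.org", "Report draft", "Attached is the report draft, comments welcome."),
    ("bob@example.org", "Meeting notes", "Notes from the meeting are in the wiki."),
    ("carol@example.org", "Budget", "The budget numbers look fine to me."),
]
SPAM = [
    ("deals@example.net", "Cheap meds", "Buy cheap meds online now!"),
    ("winner@example.net", "You won", "You won a prize, click now!"),
]
# Worm messages as they arrive: Alice's address is forged, the body is the
# one-liner quoted earlier in this thread.
WORM_SPOOFING_ALICE = [
    ("alice@example.org", "Re: Details", "Please see the attached file for details."),
    ("alice@example.org", "Thank you!", "Please see the attached file for details."),
    ("alice@example.org", "Your details", "Please see the attached file for details."),
]
LEGIT_FROM_ALICE = ("alice@example.org", "Draft attached",
                    "The updated draft is attached, see the second page.")

def run_poisoning_demo():
    """Return (P(spam|alice) before, verdict before, P(spam|alice) after, verdict after)."""
    f = BayesFilter()
    for m in HAM:
        f.train(m, is_spam=False)
    for m in SPAM:
        f.train(m, is_spam=True)
    sender = "from:alice@example.org"
    before = (f.token_prob(sender), f.is_spam(LEGIT_FROM_ALICE))
    # The habit described above: each worm message gets flagged "spam" and
    # folded into the training set, carrying Alice's forged address with it.
    for m in WORM_SPOOFING_ALICE:
        f.train(m, is_spam=True)
    after = (f.token_prob(sender), f.is_spam(LEGIT_FROM_ALICE))
    return before + after

if __name__ == "__main__":
    p0, v0, p1, v1 = run_poisoning_demo()
    print(f"before poisoning: P(spam|alice)={p0:.2f}, legit mail flagged={v0}")
    print(f"after poisoning:  P(spam|alice)={p1:.2f}, legit mail flagged={v1}")
```

With these numbers the sender token moves from 0.25 to 4/7 and Alice's real mail flips from ham to spam. The practical defence is the ordering another comment in this thread describes: run the virus scanner first and drop what it catches, so that worm mail never reaches the classifier's training set at all, whatever the user clicks.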
I am a small businessperson with a legitimate web based business on the web now for 8 years. Three accounts now receive 4500 spam per day, or roughly the equivalent of one 56k modem whose full time job is to receive spam. While we have followed best practices with email addresses, over 8 years and thousands of customers, these things get around.
They may eventually catch the moron(s) - it isn't clear from this article, since there _really_ isn't much info, except the interesting stolen credit card item.
But one of the lessons to be learned by people with all colours of hats from the sobig.* family is that the interface design of the virus is very effective.
It is subtle, in that the subject lines of the emails are rather muted. It has no other message than to tell people that the info is in the file, and it may appear to come from someone you know (and might trust). In short, it isn't very 'spam-like'. and of course it has a very effective mail engine.
I work in a university setting, and I can tell you that having a PhD will not save you from accidentally opening this virus. Email programs should make it _hard_ to open any file that is executable. How many times does it have to be said? Thanks to the internet gods that my users are on Linux, and that the secretariat is staffed by savvy people.
I watched this puppy rise from category 'low' to 'high' in a space of 6 hours on nai.com on Tuesday. I am more than a bit surprised that it started at level 'low'; anybody else remember the earlier incarnation when the email appeared to come from 'support@microsoft.com'?
If nothing else, put together a script that will log the IPs of machines that connect for further instructions and send a message to their responsible ISP asking them to have the users clean up their system.
I've already got a prototype set of scripts if anybody's interested.
Free Software: Like love, it grows best when given away.
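One shape such a script could take, as an added example rather than this poster's prototype: it parses the access log of the web host that infected machines call back to, counts contacts per source IP, records on which weekdays they came (the story above says Friday and Sunday), and drafts one notification per IP for the responsible ISP's abuse contact. The log lines, the /stage2 request path and the contact table are constructed; the real Sobig retrieval URL is not on this page, and the IP-to-ISP mapping would normally come from whois lookups that this offline example does not perform.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines standing in for the access log of
# the one call-back host that stayed reachable (or a sinkhole put in its place).
# The path /stage2 is a placeholder; the real retrieval URL is not known here.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Aug/2003:19:00:02 +0000] "GET /stage2 HTTP/1.1" 404 0 "-" "-"
203.0.113.5 - - [22/Aug/2003:19:00:09 +0000] "GET /stage2 HTTP/1.1" 404 0 "-" "-"
198.51.100.77 - - [22/Aug/2003:19:00:11 +0000] "GET /stage2 HTTP/1.1" 404 0 "-" "-"
192.0.2.200 - - [22/Aug/2003:19:01:40 +0000] "GET /stage2 HTTP/1.1" 404 0 "-" "-"
192.0.2.200 - - [24/Aug/2003:19:00:05 +0000] "GET /stage2 HTTP/1.1" 404 0 "-" "-"
198.51.100.77 - - [24/Aug/2003:19:00:14 +0000] "GET /stage2 HTTP/1.1" 404 0 "-" "-"
203.0.113.5 - - [25/Aug/2003:08:13:00 +0000] "GET /robots.txt HTTP/1.0" 200 68 "-" "Mozilla/4.0"
"""

# Constructed netblock -> abuse mailbox table; in practice this comes from whois.
ABUSE_CONTACTS = {
    "203.0.113.": "abuse@isp-a.example",
    "198.51.100.": "abuse@isp-b.example",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
STAGE2_PATH = "/stage2"              # assumed, see above
TRIGGER_DAYS = ("Friday", "Sunday")  # the call-back days reported in the story

def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]

def summarize(log_text, path=STAGE2_PATH):
    """Per source IP: number of call-backs, first/last seen, and the weekdays seen."""
    out = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "days": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec[2] != path:
            continue  # ignore unrelated visitors such as crawlers
        ip, ts, _ = rec
        e = out[ip]
        e["hits"] += 1
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
        e["days"].add(ts.strftime("%A"))
    return dict(out)

def abuse_contact(ip):
    """Longest-prefix lookup in the constructed table; None if unknown."""
    for prefix, mailbox in sorted(ABUSE_CONTACTS.items(), key=lambda kv: -len(kv[0])):
        if ip.startswith(prefix):
            return mailbox
    return None

def draft_reports(summary):
    """Build one plain-text notification per IP, keyed by IP."""
    reports = {}
    for ip, e in sorted(summary.items()):
        days = ", ".join(d for d in TRIGGER_DAYS if d in e["days"]) or "other"
        reports[ip] = (
            f"To: {abuse_contact(ip) or 'unknown (whois needed)'}\n"
            f"Subject: Sobig-infected host {ip}\n\n"
            f"{ip} contacted our server {e['hits']} time(s) between "
            f"{e['first']:%Y-%m-%d %H:%M %Z} and {e['last']:%Y-%m-%d %H:%M %Z} "
            f"(days: {days}), consistent with the worm's call-back schedule. "
            f"Please ask the customer to clean the machine.\n"
        )
    return reports

if __name__ == "__main__":
    for text in draft_reports(summarize(SAMPLE_LOG)).values():
        print(text)
```

Filtering on the request path keeps ordinary visitors (the robots.txt fetch) out of the reports, and recording the weekday lets the report say that a host came back on both trigger days, which is stronger evidence than a single hit. Anything without a table entry is left marked for a manual whois lookup rather than guessed.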
This is why worms need to be open source. Proprietary worms do a disservice to the worm community!
Which porn site was affected? I need to find out for er... damage control, yeah!
Hate me!
A worm is usually a standalone program (runs on its own) and is self-propagating. A virus is a much more general term. In fact, some might argue that a worm is a type of a virus. But in general, a virus infects other software (so it isn't necessarily standalone) and often requires some other application (or human) to transfer it from one location to another.
There's a good answer on Broadband Report Forum, or you could try Google.
Who said Freedom was Fair?
OK, I have a quick question. These worms and virii are hitting a ton of Microsoft vulnerabilities, and that's why they *exist*, but to me it seems like they only succeed because office workers, mom (my mom's comp was hit by Blaster), guy down the street, etc. *don't harden their computers*, or because they can't seem to stop clicking on attachments.
So if this gets worse and worse, and hypothetically more people start running linux or mac or whatever as their desktop OS (which I think could happen in dribs and drabs now -- a shitload of folks I know HATE microsoft right now), what's to stop them from ignoring system security all over again? You have the whole Lindows run-as-root thing still, for example. I know there aren't nearly as many worms and shit written to exploit non-MS OS's, but that doesn't mean folks won't start, and I'd just like to know what would/could happen, and what exploits would then be available, if they do.
I'm tired, and cranky, and I love Linux. But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update.
Don't put salt in your eyes.
No, actually the mailservers at vt.edu scan for virii, they flagged it and deleted the attachment. I ran FixSobig-F.exe just to make sure, virus free.
At work, the mail is scanned for viruses first, then it is handed off for classification as ham or spam.
Anyone who bothers to send a virus through a spam filter deserves whatever he gets.
What happens if I block outbound NTP requests?
Nice spam, but I would argue that those Boeing 747s did not in fact bring the nation to its knees. It just pissed off some drunken rednecks and gave them an excuse to steal the rest of the world's oil and call anyone against their plot of world domination an unpatriotic yankee.
I was hoping there'd be a few more good viruses laying about preparing to nail other Windows systems. Give CEOs a month or two of grief and they'll begin to see it the Linux way.
We'll never know what the hacker's true intent was, however. It's suspicious that Blaster and the Sobig virus were thrown out almost one right after the other. It all may be a distraction. For all we know there could be another virus lurking around infecting machines slowly, 1 by 1 until a doomsday date at which they deliver their payload.
Candy-Coated Knowledge
Folks blame Microsoft for their failures to prevent the bugs that allow these virii and worms, and I don't disagree. However, there is a deeper root cause. C and C++ are poor tools for any programming above the level of device driver (and perhaps compiler construction). "Programming without a Net", indeed!! (sorry, couldn't find the original of that quote.)
Programming in C/C++ is directly equivalent to having to get out of your car to check the lugnuts at every red light. I mean - buffer overflows? Segfaults? Library conflicts? This is the stuff of the Dark Ages!! (with the possible exception of the libraries...) If Microsoft (along with everyone else) worked in an actually productive environment, these types of errors would be impossible in nearly all cases. (Of course, I'm not saying bugs in general would be impossible...)
I was fortunately able to work entirely without C for the last 10 years or so, and managed to go the entire time without a segfault, and was easily 10 times as productive as I ever have been in C. (Using myself as an example removes any programmer skill issue - one can presume same level, both cases.) This included some large projects, including a complete web-enabled GIS system with live maps and integration with corporate inventory & personnel databases.
Recently I had to return to the C++ environment, and was astonished at how painful, and inefficient the process is. And, of course, code written for one linux platform had to be modified for another, and then again for Solaris. In a simple 300 line program there is no common version that works on all three platforms, even though all used GCC. So I'm now faced with the prospect of building and testing three versions simultaneously or going through the meta-agony of setting up an autoconf build (tho I admire autoconf greatly - autoconf is arguably a key factor in the success of open source.)
And the various IDEs (for pretty much any language) are just glorified outliners, not engineering tools and certainly not CAD in any useful sense of the word. It is time for software to become engineering. Imagine designing a nuclear plant entirely using text - no drawings, no CAD, no piping analysis, no dynamic stress analysis. A large programming project has a similar complexity, yet we are still stuck writing prose - this is software literature, not software engineering! CAD has transformed every engineering discipline except one. Why do we insist on remaining stuck in the Dark Ages?
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Admit it.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
hehe- Couldn't resist: Today's userfriendly strip is perfect :)
Unfortunately I've since deleted it (It's an offence to knowingly possess viruses in the UK)
The message reference that it was in is [MPG.19ab40b72e8ed720989682@news.easynews.com] but google doesn't archive those groups.
Perhaps that was it???
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
My guess is that the virus-writer, realizing from the online news that his/her precious 20 IP numbers were being decoded and chased down, went around to all of those machines that were still online and switched in that porn-site target, to avoid disclosing further strategy.
With a lot of luck, maybe forensics on the first few machines taken offline will yield the real download address, and we can see what that clown was really up to.
> Is why any virus writers ever get caught. [...] they simply have to go down to their local library and/or cyber cafe wearing a wig and makeup, stick the floppy in, click, then leave, what's the problem?
I used to do that, but I got tired of having all the geeks try to pick me up while I was there.
Sheesh, evil *and* a jerk. -- Jade
Ok, I may be falling into a trolling trap, but take a look at the 4th amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures. How is it unreasonable to search the computer/network of an individual who is suspected of nearly bringing the Windows community to its knees? If you didn't write any malware then you have nothing to hide - it's not unreasonable to eliminate someone from a case by proving that they had no part in it, is it?
This was not written by a script kiddie.
I'm inclined to agree. It seems like a lot of effort to go to, including the use of a stolen credit card. However, why simply download a pron-link in the second stage, and not something more harmful? Why only 20 computers, and not 1000? This seems more like a proof-of-concept--I think SoBig.G is going to be that much worse. Maybe it'll be released the day after this one expires--9/11.
--
$tar -xvf
He should have had this virus download a copy of the Linux kernel from the SCO web site and save it to the system. SCO would have loved this as they could have then sold a UnixWare license to the entire world. Oh hell, we could have even shown that SCO in fact distributed the Linux kernel to every PC in the world.
Got Code?
Although Google doesn't archive those groups, they did archive this message posted by the virus author in alt.alt.test 9 minutes before the virus was posted elsewhere.
(You can compare to the message included here from easynews)
(2,3-Benzopyrrole)
Those that did were merely redirected to a porn site, no damage done.
No damage done! My dear poor mother got redirected to goatse.cx! The psychiatry bills alone will cost a quarter of a million dollars.
A Government Is a Body of People, Usually Notably Ungoverned
Yeah, right.
Why does Microsoft security and Windows Update keep coming up in this? This is an e-mail worm. People keep running the damned attachment like morons. It's their fault. Hell, my ISP doesn't even let .scr or any other sorts of files get through without specific permission from the user. Outlook won't run executables unless I tell it to.
"Sufferin' succotash."
Wicked?? Is this virus writer from Boston or 1986?
You say self-important egomaniac like it's a bad thing. - Peter Dragon
How did the FBI get the IP address of the computer that uploaded the virus when the privacy policy for Easynews specifically states that it should be impossible for such a thing to happen:
We do not keep HTTP access logs
We do not keep NNTP access logs
We do not use IP addresses to link to personally identifiable information. IP addresses are used for administrative purposes only to ensure the Web site is running smoothly.
Here's a link to the complete policy: Privacy Policy
Now if the computers hadn't been running Windows they would have crashed anyway and wouldn't have been able to execute it. Oh wait, they were running Windows. I guess Windows (and any crashable OS) only crashes during important data writing.
Linux X applications by and large aren't as stable as Windows shareware (ie. KMail silently dies when the disk is full, etc.). The Linux kernel *is* crashable - try hot-swapping an ISA card in an old clunker. [grin]
As for worms, well, once on my KDE box, I clicked on a virus while I was showing off Linux to a friend. "Look at how immune I am to e-mail virii... [click-click]... Oh shit... Look at how well Windows applications are supported!"
Red Hat 7.3, shipping with Windows binaries associated to Wine. Yup, I got my Linux box infected with a Windows e-mail virus. Dangerous default file associations are not a problem exclusive to Windows, and it's only a matter of popularity before e-mail virii are being written to exploit bugs in Linux apps.
Fire and Meat. Yummy.
A formatted computer is a dead computer (and an un-infected computer when it comes back to service, probably with current anti-virus software). An infected computer is a cracker proxy, a spam relay, a DDOS slave.
Also, for a lot of users, it's more damaging to leak information than to destroy the computer. Think of all the bank, credit card, and brokerage passwords that are available by logging the keystream. And, more relevantly, it's far more profitable to the virus writer to receive leaked information than to know that someone's drive was formatted.
Microsoft is producing defective products. The fantasy that the EULA prevents them from being taken to court is all that keeps them from being held responsible for the faulty products they sell. They will stop making defective products when they start having to pay up in legal actions from the bugs and crashes that people endure. Why do people think that an EULA is some magical spell that protects the vendor from the consequences of their actions?
Microsoft also has a history of producing service packs which install more bugs than they fixed. Remember the rule of thumb about even numbered service packs suck? That rule of thumb came from NT4. It holds so strongly that MS won't produce SP2, just things like SP1a.
The real issue is that all these viruses and worms are caused by the operating system monoculture we are stuck with.
If we know the 20 IPs, why not just put a version of the uninstall virus on each one? Modified to mitigate the other problems it's caused...
What they mean by not keeping logs is logs of who READ an article, not who wrote it.
Most articles posted to usenet have the complete chain of every machine that forwarded the message on its path to you right there in the headers.
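What the Path: header actually records, as an added example and not anything from the thread: a constructed test article (hosts, IP and Message-ID are made up; this is not the real Sobig posting) is parsed with Python's RFC 822 header parser, the Path: chain is reversed so that the injecting server comes first, and the NNTP-Posting-Host and X-Trace fields that the injecting server adds are pulled out. These are the headers that tie a post to the server and the client address it was injected from, independently of any access log.

```python
import re
from email.parser import HeaderParser

# A constructed test article: hosts, IP and Message-ID are made up for the
# example and are not the headers of the actual Sobig posting.
SAMPLE_ARTICLE = """\
Path: news.example.edu!feeder.example.net!news.easynews.com!not-for-mail
From: nobody@example.com
Newsgroups: alt.alt.test
Subject: test
Date: Mon, 18 Aug 2003 20:00:00 -0700
Message-ID: <constructed-0001@news.easynews.com>
NNTP-Posting-Host: 192.0.2.44
X-Trace: news.easynews.com 1061262000 192.0.2.44 (18 Aug 2003 20:00:00 -0700)
Lines: 1

test
"""

# Common X-Trace layout: "<server> <epoch> <client-ip> (<date>)". Other servers
# use other layouts, so a non-match is reported as "not available", not guessed.
X_TRACE_RE = re.compile(r"^(?P<server>\S+)\s+(?P<epoch>\d+)\s+(?P<ip>\S+)")

def parse_article(text):
    """Split an article into (headers, body); Usenet headers are RFC 822 style."""
    head, _, body = text.partition("\n\n")
    return HeaderParser().parsestr(head), body

def relay_chain(path_header):
    """Hosts from Path:, injecting server first.

    Each relay prepends its own name, so the leftmost entry is the server the
    reader fetched from and the rightmost real host is the one the poster
    connected to. 'not-for-mail' is a conventional tail, not a relay.
    """
    hosts = [h for h in (path_header or "").split("!") if h and h != "not-for-mail"]
    return list(reversed(hosts))

def trace_injection(text):
    """Summarise where an article entered the network and from which client."""
    msg, _ = parse_article(text)
    chain = relay_chain(msg.get("Path"))
    trace = X_TRACE_RE.match(msg.get("X-Trace", ""))
    return {
        "chain": chain,
        "injector": chain[0] if chain else None,
        "posting_host": msg.get("NNTP-Posting-Host"),
        "trace_server": trace["server"] if trace else None,
        "trace_ip": trace["ip"] if trace else None,
        "message_id": msg.get("Message-ID"),
    }

if __name__ == "__main__":
    for key, value in trace_injection(SAMPLE_ARTICLE).items():
        print(f"{key:13} {value}")
```

One caveat worth keeping in mind when reading a real article this way: because every server prepends its own name, the entries to the left of the injecting server were added by relays, but a poster can pre-seed bogus hosts that end up to its right. The client address therefore rests on the headers the injecting server itself stamps on (NNTP-Posting-Host, X-Trace), which is why those are the fields worth preserving from the posting discussed in this thread.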
In the past, there was a spammer which used our domain's name as a fake From: header to send some amounts of spam - he was shut down, but that fake mail address remained in thousands of computers. Then came Sobig.F, dug for addresses, and now we're getting about 2000 hits per hour from various MXs trying to deliver Sobig to this address. A few days ago I thought that spam filters could be the definitive solution to spam. Well, not really.
People who like this sort of sig will find this the sort of sig they like.