Slashdot Mirror


The Origin Of Sobig (And Its Next Phase)

MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, have traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try and connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.

65 of 500 comments

  1. Re: Wicked screensaver by JohnGrahamCumming · · Score: 4, Funny

    Please see the attached file for details.

  2. Re: Wicked screensaver by mjmalone · · Score: 4, Funny

    WARNING!!! (from zidane.cc.vt.edu)

    The following message attachments were flagged by the antivirus scanner:

    Attachment [2.2] application.pif, virus infected: W32/Sobig-F. Action taken: deleted

    PWN'D

  3. What a nice guy though by Anonymous Coward · · Score: 4, Insightful

    An expiration date was actually coded into the worm? Seems pretty ironic.

    1. Re:What a nice guy though by EpsCylonB · · Score: 5, Funny

      Anyone else think this sounds like a bad Hollywood plot?

      We only have 48 hours to shut down 20 random computers or the internet is brought to its knees.

    2. Re:What a nice guy though by Anonymous Coward · · Score: 5, Interesting

      Yeah, but what you're missing is that F expires on September 10th, 2003.

      Which means G, the one with the yet more freakin' evil payload, is probably set to go live... ooh, sometime around the 11th... uh-oh.

      Expiring the worm is deliberate, so that different versions of the worm don't interfere with each other much.

      We got lucky, or maybe not: the author realised what was happening, reads the right lists (or spies on them, heh), and decided that he'd rather leave it to the backup payload - the update url was simply a random porn site, one of the decoys, rather than a compromised webpage containing the latest version of his second-stage rootkit/trojan/proxy, Lala.

      So we don't know what his latest surprise would have been. There's been too much attention - he's not going to spring it. He - let's be honest here, they - want a low-profile proxy network, quietly removing the worm after deployment, to anonymise his compromises, do some identity theft, mail some spam (they're EVIL, remember).

      Now, this stolen credit card was almost certainly stolen with the keylogger in the previous trojan cascade of Sobig.E, so... well, that pretty much fucks things up as far as traceability goes, same for the proxy servers that the authors will have been using to cover their tracks.

      Disclaimer: I don't *know* this, but based on what disassembly I've done, what I've read, and previous versions, it seems very, very likely. He might have been planning something else, but I suspect all this publicity derailed his plans for quiet world domination.

    3. Re:What a nice guy though by ewen · · Score: 3, Insightful

      > An expiration date was actually coded into the worm? Seems pretty ironic.

      Uh, no.

      The expiration date is there because if you're an evil software writer you don't want people running last month's version of your evil software and competing with the All New and Improved version.

      Just basic economics, really.

      Ewen

    4. Re:What a nice guy though by Jugalator · · Score: 3, Informative

      If anyone is interested, here's a "release history" :-P

      SoBig.A

      - Copies itself over network shares to shared start up folders on other computers.
      - Sends a message to an address on pagers.icq.com.
      - Uses a separate thread to download contents from a specific web site to %windir%\dwn.dat, and later executes it (later reported to be "Backdoor.Lala").
      - Looks for e-mail addresses to send mails to in files with these extensions: txt, eml, html, htm, dbx, wab.
      - Stores sent messages in the file %Windir%\Sntmls.dat.
      - Uses 4 random subject lines.
      - Uses 4 random attachment names.
      - Always uses big@boss.com in the "From" field in the mails sent.
      - Size: 65,536 bytes

      SoBig.B

      Changes from SoBig.A:

      - Always uses support@microsoft.com in the "From" field in the mails sent.
      - Uses 9 random subject lines.
      - Uses 9 random attachment names.
      - Uses a deactivation date.
      - Attempts to download data from four different GeoCities Web pages. The addresses of these Web pages are stored in various .ini files.
      - Size: 52,898 bytes

      SoBig.C

      Changes from SoBig.B:

      - Always uses bill@microsoft.com in the "From" field in the mails sent.
      - Uses 7 random subject lines.
      - Uses 8 random attachment names.
      - Size: ~ 59 KB

      SoBig.D

      Changes from SoBig.C:

      - Very few infections noticed (0-49 listed at Symantec). Changes unknown due to low infection rate.

      SoBig.E

      Changes from SoBig.D:

      - Always uses support@yahoo.com in the "From" field in the mails sent.
      - Uses 18 random subject lines.
      - Uses 5 random attachment names.
      - Size: 82,195 bytes (zip file), 86,528 bytes (executable)
      - Sobig.E can download arbitrary files to infected computers and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers. This functionality may also be used as a worm self-update feature. Under the correct conditions, Sobig.E attempts to contact one of the list of master servers, which the author of the worm controls. Then, the worm retrieves a URL that it uses to determine where to get the Trojan file, downloads the Trojan file to the local computer, and then executes it. The day of the week must be Monday or Friday. The time of the day must be between 19:00:00 UTC and 23:59:59 UTC. Sobig.E obtains the UTC time through the NTP protocol, by contacting one of several possible servers on port 123/udp (the NTP port). The worm starts the download attempt by sending a probe to port 8998/udp of the master server. Then, the server replies with a URL, where the worm can download the file to execute.
      - Sobig.E opens the following ports: 995/udp, 996/udp, 997/udp, 998/udp, 999/udp, and it listens for any incoming UDP datagrams on these ports. Incoming datagrams are parsed, and upon receiving a datagram with the proper signature, the master server list of the worm may be updated.

      SoBig.F

      Changes from SoBig.E:

      - Size: about 72,000 bytes
      - Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.
      - The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server.

      --
      Beware: In C++, your friends can see your privates!
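
The Sobig.E write-up above spells out a network pattern a defender can watch for: an NTP time check (udp/123), then a probe to a master server on udp/8998, only on Monday or Friday between 19:00:00 and 23:59:59 UTC, plus listeners on udp/995-999 for control-list updates. The following is an added example, not code from the thread or from any antivirus vendor, that runs those checks over constructed flow records; the flow-line format, the `10.` internal prefix and the ten-minute NTP-to-probe correlation window are assumptions made for the example.

```python
"""Flag Sobig.E-style update beaconing in flow records (added example, constructed data)."""
from datetime import datetime, timezone
from typing import NamedTuple

# Behaviour described in the thread: on Monday or Friday, 19:00:00-23:59:59 UTC,
# the worm fetches UTC time over NTP (udp/123), then probes a master server on
# udp/8998 to obtain a download URL. It also listens on udp/995-999 for list updates.
MASTER_PROBE_PORT = 8998
NTP_PORT = 123
CONTROL_PORTS = range(995, 1000)
ACTIVE_WEEKDAYS = {0, 4}          # datetime.weekday(): Monday=0, Friday=4
ACTIVE_START_HOUR = 19
NTP_CORRELATION_SECONDS = 600     # assumed: an NTP query within 10 min of the probe


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ISO-8601 UTC> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(when, src, dst, proto.lower(), int(dport))


def in_update_window(when: datetime) -> bool:
    """True iff `when` falls on Mon/Fri between 19:00:00 and 23:59:59 UTC."""
    when = when.astimezone(timezone.utc)
    return when.weekday() in ACTIVE_WEEKDAYS and when.hour >= ACTIVE_START_HOUR


def detect(lines, internal_prefix="10."):
    """Return alert strings, in time order, for the Sobig.E beacon pattern.

    internal_prefix marks our own hosts (assumed 10.0.0.0/8 in the sample data).
    """
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)
    last_ntp = {}   # internal src -> time of its most recent NTP query
    alerts = []
    for f in flows:
        internal_src = f.src.startswith(internal_prefix)
        internal_dst = f.dst.startswith(internal_prefix)
        if internal_src and f.proto == "udp" and f.dport == NTP_PORT:
            last_ntp[f.src] = f.ts
        if internal_src and f.proto == "udp" and f.dport == MASTER_PROBE_PORT:
            severity = "high" if in_update_window(f.ts) else "medium"
            note = ""
            ntp_ts = last_ntp.get(f.src)
            if ntp_ts is not None and (f.ts - ntp_ts).total_seconds() <= NTP_CORRELATION_SECONDS:
                severity = "high"   # time check immediately before the probe: the worm's sequence
                note = ", preceded by NTP query"
            alerts.append(f"{severity}: {f.src} probed {f.dst} udp/{MASTER_PROBE_PORT} "
                          f"at {f.ts:%Y-%m-%d %H:%M:%S}Z{note}")
        if internal_dst and not internal_src and f.proto == "udp" and f.dport in CONTROL_PORTS:
            alerts.append(f"medium: external {f.src} sent udp/{f.dport} to {f.dst} "
                          f"(Sobig.E control-port range 995-999)")
    return alerts


# Constructed sample flows (not real traffic). 2003-08-22 was a Friday.
SAMPLE_FLOWS = [
    "2003-08-21T10:00:00Z 10.0.0.9 198.51.100.8 udp 8998",   # Thursday: outside the window
    "2003-08-22T19:02:11Z 10.0.0.5 192.0.2.10 udp 123",      # NTP time check
    "2003-08-22T19:02:14Z 10.0.0.5 198.51.100.7 udp 8998",   # probe in window, right after NTP
    "2003-08-22T19:02:20Z 10.0.0.5 198.51.100.7 tcp 80",     # follow-up download, not flagged here
    "2003-08-22T19:05:00Z 10.0.0.7 192.0.2.10 udp 123",      # ordinary NTP client, no alert
    "2003-08-22T19:30:00Z 203.0.113.4 10.0.0.5 udp 997",     # inbound datagram to a control port
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The day-of-week and hour test is deliberately done in UTC after converting, because the worm itself fetched UTC over NTP rather than trusting the local clock; a detector that keyed off local time would mis-classify probes from hosts in other zones.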
  4. Methods used to obfuscate worm code by Anonymous Coward · · Score: 5, Interesting

    How can the operation of code like this be so uncertain when it's relatively small and known? I assume the worm doesn't download keys as it runs to unlock further sections of code... How difficult is it to know what exactly these things do when they have a complete binary copy disassembled?

    1. Re:Methods used to obfuscate worm code by Anonymous Coward · · Score: 4, Insightful

      The unknown part is that this virus was set to download and run more code from 20 specific compromised computers mentioned at 3pm yesterday. No one knew what would be in that code until it was actually downloaded. Presumably there was no known remote method to get that code until the deadline either.

      So figuring out what the virus that spread initially did was easy. The only way to figure out what it was going to do next ahead of time was to gain access to one of those 20 computers, and there wasn't a lot of time for that. By blocking 19 of the 20 at their ISPs, at least the next phase was mostly stopped, and turned out to be harmless. But whoever wrote this virus will no doubt learn from this, which was likely the whole point of the exercise, and do something even sneakier, or just bigger (more than 20 hosts), next time. Then eventually when they're confident they can successfully launch an attack of this sort without being blocked, they will launch the REAL attack they've got planned, whatever that is.

    2. Re:Methods used to obfuscate worm code by Anonymous Coward · · Score: 4, Interesting

      Actually, the IP addresses were in the code. They were just encrypted/encoded. The encryption wasn't the best, but because of the amount of un-optimized code, it was difficult to get through the code. There was just so much code to go through.

      I work for an antivirus vendor, and it took me a total of almost 5 hours to decrypt the IP addresses. Once I figured out what the worm needed to decrypt the IP addresses, I ran it in a debugger and changed the registers at the right locations. Then I just ran the worm and got the IP addresses from a network sniffer (if the first IP doesn't respond in X many seconds, the worm tries the next one and so on).

      Sorry for posting anon, but I felt it was better for this post.

  5. Another day, another worm by KingDaveRa · · Score: 4, Interesting

    These worms amaze and worry me all at once. They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with Cancer or AIDS as far as some people are concerned. It's major shock-horror time when one happens. That's not to say people should take them lightly though.

    They worry me because of the fact they do all the above. These things are just a little power trip for all concerned. Microsoft's latest idea of forcing Windows Update could stop this - but only with the new versions of windows. We're going to have older versions kicking around for years to come.

    Ultimately, could Microsoft be blamed for these viruses? After all, if they didn't miss these bugs, the viruses wouldn't have a mechanism to run on. But should we blame the guys producing Apache when a flaw is found in that? Personally, I think it's unfair to blame MS for all of this.

    1. Re:Another day, another worm by dhwebb · · Score: 3, Interesting

      I agree with you that SoBig isn't a security hole in MS's code, but I like the "Open from here" features. You said that you should have to save to disk, mark executable, then run it. Guess what, if that's how it was then people would do that and still get the worm/virus. For some reason, end-users have to look at everything that comes through their inbox. How many people do you know that run linux as root because it's easier, and even though they know they shouldn't. Seriously, I know some very smart people, and they are guilty of it and say, "You just gotta be a little more careful."

      That's the whole prevention of this kind of thing: have updated antivirus defs, know what you're opening (NOT what the email says either), and just because it came from your mom doesn't mean:
      a. she's not immune from worms
      b. it actually came from her

      But amazingly, you tell an EU this and they just keep doing it and acting such the victim when they actually get infected. I actually had an EU call me over to ask me about an e-mail that actually had SoBig on Thursday. I told her not to open it because it was a virus, well she looks at me and says, "Oh don't worry, it doesn't do anything, watch." And believe it or not, she sat there and opened the email and double-clicked the attachment to show me it didn't do anything. Just amazing.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    2. Re:Another day, another worm by Anonymous Coward · · Score: 5, Insightful

      Well, if you're just interested in who to blame, then blame the virus/worm writers. They wrote the darn things. But there will always be plenty of virus writers.

      But if you're interested in how to have this kind of thing NOT HAPPEN, which I think is the more important issue for us in the IT field, then the blame falls squarely on Microsoft's shoulders.

      Sure, all software has bugs. But Microsoft's software is a little different. It's in 95%+ of the world's computers. They know this, that's their business. Governments use it. Nuclear plants use it. The electric company uses it. Your personal information is stored in it. Your medical history is stored in it. Microsoft has their fingers so deep into businesses around the world.

      Yet they don't do anything particularly special to prevent these worms. They put in the same (or less) effort as the open source folks to find bugs. They sit idly by when they could easily afford *thousands* of independent code audits. They leave ports open when they could easily ship them closed. They ship a mail client that runs foreign executables. Not off completely, or in a sandbox, or whatever. It is inexcusable that attachments can run as code. This is a bug in the design of the operating system (ANY operating system).

      Microsoft needs to get their head out of the bank vault for about two seconds and realize this is something they *must* do, even if it doesn't mean any new revenue. They have a responsibility to every business out there. Even if you are a FreeBSD + Mac shop you are affected by this.

      It's downright embarrassing that a simple bit of code like these worms/viruses can even get out the ethernet port.

      Microsoft, how about innovating a real *solution* to this that *isn't* Palladium? I know it's possible. Have you ever seen qmail or other programs by DJB? Everything is partitioned with simple interfaces between code modules, even if there are bugs, they are ineffective. Do the same in Windows. People will put up with the extra effort eventually, because they are SICK of this shit.

      What really amazes me, is how many people seem to think Microsoft is "doing everything they can". They can do more, a lot more, and they must!

    3. Re:Another day, another worm by k12linux · · Score: 5, Insightful

      > start blaming those people who actually write the virii or worms. ... There will always be overlooked security holes. No matter what you do to lock them, people will find more and use them in a destructive manner.

      I just love this type of explanation of why MS is at absolutely ZERO fault for its security problems. Compare the number of Apache worms/viruses with the number found in IIS. Why are there more in a single year for IIS than for Apache over several years? Why haven't Apache worms/viruses brought the Internet to a crawl and hit the newspaper headlines big time?

      Oh yeah.. because MS has such a huge market share making more targets. BZZZ.. Apache holds almost 2 times the market share for active web servers! Could it be that MS's IIS isn't as secure? No.. noo... it's because of hackers. It's all their fault.. Poor MS!

      Lock your front door and a burglar will pick the lock. Build a better lock and whoops! You forgot to lock the window.

      If you are going to use an analogy, try making it fit the facts:

      Builder A builds a LOT of houses. To cut costs and because they truly believe they know best... they use locks from RustyLocks.com. They also use an alarm system from AlarmsAreUs.com. The lock experts and alarm system experts say, "Hey, don't use those.. they have a high risk of being compromised!"

      Builder A argues that they haven't been compromised yet and that they are good enough for the home-buying public. They continue building tons of houses with these parts in place. They sell the homes with a HUGE profit margin and bill them as secure, safe and full of extras your family will love.

      Builder B lets the lock experts design a good lock they think is hard to break. They let the alarm system experts design a good alarm which is hard to bypass. They use these in their houses and find that they don't actually run up costs, but instead lower them. They also put the design of the systems up for public review in case they missed something themselves. They sell the homes for a reasonable price and offer the blueprints and all other design materials to the public in case someone wants to build their own.

      Soon Builder A's homes start getting broken into. They find a fix for the lock's current problem and offer it for free.. they even offer to install the fix. What they don't do is replace the locks with a better designed one because it's too expensive to. Of course this doesn't fix the security system problems or other problems with the locks. In the meantime they blame the crooks and also everyone who is broken into for not fixing their locks.

      Because the lock and alarm system guidelines from Builder B are available to any lock or alarm system expert, they are repeatedly reviewed by those who want. There are enough people willing to review because they live in these homes and want to be safe. Maybe they find problems with the locks, maybe they don't. But if they do, the locks are improved and everyone is told.

      Eventually a few of builder B's locks get picked. The lock experts start tearing apart the locks and figure out if fixing them is good enough or if a whole new lock is warranted. Regardless of the answer, they make the new locks available for free with simple instructions on how to replace them.

      In the meantime several more break-ins occur in Builder A homes.

      Builder A's reactive actions result in repeated security incidents. The Builder B community team's proactive actions result in occasional but rare security incidents.

      Blame the crooks! Sure, they hold some of the blame, but both builders KNEW the crooks were out there. They both knew the crooks wanted into the houses to get the goodies inside. So, does Builder A share any responsibility? Hmmm... According to your post.. NO.

    4. Re:Another day, another worm by drik00 · · Score: 4, Insightful

      Sorry, but I must disagree here. Although it probably wasn't a coding error within the product, it was an error in design. They work so hard to throw as many bells and whistles into the application that they overlook the idea that the bells and whistles are the media that malicious individuals will use to cause havoc. If Microsoft wasn't trying to make Outlook do so much needless crap (email scripting), then we wouldn't have these problems. It's along the same lines as giving a car a "feature" that turns out to be deadly in a collision.

      I do hold Microsoft accountable because they tout their own products for being so "user-friendly" while they add no security into the products...if you're going to design an application that a child could use, for God's sakes, don't stop half-way, make sure the user is safe from the very ignorance your product feeds.

      To use the car analogy again, it's as if Microsoft has built super-easy to drive cars for all of our parents, grandparents, and kids, but the car explodes upon even the slightest collision.

      Seriously, how can you not blame Microsoft? The "vulnerability" isn't in the code, it's in the coders.

      J

      --
      Beer, now there's a temporary solution -- Homer Jay S.
    5. Re:Another day, another worm by shaitand · · Score: 4, Insightful

      Truly it is tragic, and no, if the coders do their best what more can you ask? But Microsoft has continued to produce the most insecure and bug ridden software. If there is a flaw in Apache, they are on it in a heartbeat... everything possible is done to prevent security holes.

      The number of minor and serious holes in Microsoft software which are actively exploited makes it pretty clear. Microsoft basically seems to release software first, and then look for security holes second. Apparently what they are looking for in beta testing is usability bugs that would prevent them from releasing. They are in a hurry to get software to market and leave the looking for holes part for later.

      Apache and other open source software on the other hand tends to run the other way (although anybody can make a project and develop however they please). Look for bugs that cause security problems and system instability first... minor graphic update glitches and such come second.

      In a perfect world both would be ironed out before ever being seen by the public... in the real world I think it's obvious that the open source way is better.

    6. Re:Another day, another worm by dtfinch · · Score: 3, Insightful

      Microsoft security has always been implemented as an afterthought. They write code as quickly as possible, test it under normal use, and release it. Internet Explorer is a good example. Most of the exploits people find are just variations on past exploits, and Microsoft just patches each specific exploit rather than fixing the design flaw that is responsible for the whole class of exploits.

      As for all those buffer overflow exploits, most are the result of a conscious decision to use fixed, unchecked buffers in order to save work. You usually see the glaring potential for exploit as you write it but decide not to worry.

      It's understandable that in many projects, it's worth it to allow such vulnerabilities to exist to reduce development time and project complexity, but Microsoft software runs on something like 95% of the desktops in the world, and they repeatedly enable rarely used internet accessible services by default in every version of Windows and generally ignore good safety practices.

      On the bright side, they added stack buffer overflow protection to Visual C++ 7.0, so it's just a matter of them getting most of their code to compile under it, and remembering to enable that feature.

      Security is not as impossible as Microsoft claims. They just never designed their software with it in mind, and occasionally it comes back and hits them in the face. Windows is like a one room house with 16 back doors and only the front door has a lock. If you look at say, OpenBSD, which is completely free and developed on a shoestring budget, it has an almost perfect security record.

    7. Re:Another day, another worm by magores · · Score: 3, Funny

      I blame the EU that clicks on the virus.

      (Go ahead and make fun of the following thought process...)

      ---Gunsmiths make Guns = MS makes OS
      ---Bulletsmiths make Bullets = Virus writers make viruses
      ---Dumb people look at the bullet through the barrel and pull the trigger = Dumb people click on *.pif, *.scr ...

  6. Damn... by seanadams.com · · Score: 4, Flamebait

    Am I the only one who's a little bummed that this virus may have been stopped dead in its tracks here? I mean, my inbox got slammed with crap just like everyone else's, but because nearly all of my systems are running relatively secure operating systems, I just kinda chuckle each time another dozen messages show up automatically routed to my "Junk/virii" folder.

    It is pure, gleeful schadenfreude for me to think of all the hapless PHBs and MSCSE CIOs who are finally being given a little hint as to just how vulnerable they've left their companies. In the short term yes, many people will be inconvenienced and possibly some critical systems knocked out. But these hapless companies and also the public sector will eventually be forced to learn, and that's ultimately a good thing for all of us.

    1. Re: Damn... by Black+Parrot · · Score: 3, Interesting

      > But these hapless companies and also the public sector will eventually be forced to learn, and that's ultimately a good thing for all of us.

      Essentially these have been serving as vaccinations rather than infections, because they're provoking an antibody response that will (should) reduce the impact of a genuinely hostile worm when it finally comes out.

      The vaccination isn't completely effective, since so many people obviously aren't hardening their systems, but some are, and the experts are getting a lot of practice at trapping, analyzing, and defusing the worms on a tight schedule. If this had come out a couple of years ago the response might not have been quick enough to shut the 19 sites down.

      Still waitin' for the big one, though.

      --
      Sheesh, evil *and* a jerk. -- Jade
  7. Correction by idiotnot · · Score: 5, Interesting

    Actually, "officials" were only able to take down thirteen of the twenty hosts targeted. Six were already down due to MS Blaster.

    1. Re:Correction by MegaFur · · Score: 3, Funny

      Newsman: Next up on our program--when l33t sp33k meets Engrish

      Example: !4ANG3R! A d@n93r0u5 +0y. +h15 +0y 15 b31n9 m@d3 4 +h3 x+r3m3 pr10r1+y +h3 900d luk5. The l1++l3 p@rt wh1ch 5uph0c@+35 when the sharp p@r+ which 93+5 hurt 15 5w@ll0w3d is c0n+@1n3d 93n3r0u5ly. 0n1y the p3r50n wh0 c@n +@k3 r35p0n51b1l1+y by 1+53lph 15 +0 p1@y.

      You may now gibber.

      --
      Furry cows moo and decompress.
  8. The porn site moneymaking scheme? by Rkane · · Score: 5, Interesting

    I want to know what 'officials' are doing about this alleged porn site that the computers are being aimed at. It may very well be just a random site that the author chose, but I would definitely look into the possibility of the site owners being in on this.

    Furthermore, what is the address of this porn site? I think we net admins have a valid right to "research" this threat using the company broadband!

  9. Porn webmasters are always ahead of the curve by mikeophile · · Score: 4, Insightful

    How long till the straight marketeers catch on with worms to move hits over their sites?

  10. the perfect solution was missed. not too late! by goombah99 · · Score: 5, Interesting
    why not put the virus fixing script on the 19 computers, plus some choice words about MS security and the need to patch.

    In fact why not have the virus download a patch that installs a daemon that periodically installs all MS patches. Anyone who is too dumb to deactivate it needs to have it installed. It's a self-selecting fix.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:the perfect solution was missed. not too late! by rusty0101 · · Score: 4, Interesting

      That's one of the perpetual fights going on. The two sides are the administrators who are tired of the fact that there are all too many systems with poor administration being done which happen to also be on the internet, vs. the administrators who think that if someone did this to them that they would be out of a job for happening to have poor security. (I happen to believe that those administrators who do have this happen to them should be out of a job for poor security, but that's a different matter.)

      I think that the worst case situation would be that a security engineer finds a flaw and uses an exploit of that flaw to patch all systems against the flaw, then announces to Microsoft that the flaw existed, here is the exploit, here is the fix, and oh, by the way, the fix has been applied to nearly every Windows SV on the Net, as well as a few others. The problem then is that Microsoft would have the problem of deciding whether they should sue the security engineer or applaud him.

      I think the concern of Microsoft would be whether the fix is worse than the flaw. Since they did not provide it, their own licences do not apply to the patch, which means that nearly every computer with the code installed would effectively be running unlicensed code which Microsoft might find themselves liable for. Especially if there is a flaw in it.

      -Rusty

      --
      You never know...
  11. Forced Grid Computing? by Corpus_Callosum · · Score: 3, Interesting

    > They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with Cancer or AIDs as far as some people are concerned.

    How long until we see more organized worms that communicate with each other to achieve a goal (such as cracking an RSA key)? It seems that stealthy worms could already be out there, slowly infiltrating and lodging themselves into message handlers or whatnot...

    BTW: Yes, I do think we can blame MS... Their software does make this stuff possible.

    --
    The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
  12. Stupid, Offtopic, Newbie, Question by CGP314 · · Score: 4, Interesting

    But willing to risk the flames for an answer that is not ten pages long.

    What's the difference between a worm and a virus?

    1. Re:Stupid, Offtopic, Newbie, Question by MyHair · · Score: 3, Funny

      > What's the difference between a worm and a virus?

      You see, a virus is what we doctors call very very small. So small it could not possibly have made off with a whole leg.

  13. Re:Instructions to cure worm. by JohnGrahamCumming · · Score: 5, Informative

    Actually the worm included its own NTP client which it would use to verify the date by querying NTP servers on the Internet.

    Hence this doesn't work. I thought this was a nice touch on the part of the worm author. As well as including NTP, the author had their own SMTP server for sending the messages and used a regular expression engine to search for email addresses on the machine.

    This was not written by a script kiddie.

    John.

  14. Already exists by Ciderx · · Score: 4, Funny

    It's called "W32/SitePostedOnSlashdot"

  15. To Clarify... by NetJunkie · · Score: 5, Informative

    It's been a busy week. I see a lot of people confusing the different worms/viruses running around.

    SoBig.F - A virus. Exploits no vulnerability in the OS. It only executes when a user runs the attachment. It sends out emails to everyone in your address book and makes the source another address from your book. It runs its own mail server, so filter port 25 outbound.

    Blaster - A worm. This exploits the Windows RPC bug and self-propagates to any unpatched system.

    Welchia/Nachi - A worm. Also exploits the Windows RPC bug and attempts to clean machines infected by Blaster. Unfortunately, it tries to find other systems by doing random pings which can saturate a network.
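
NetJunkie's advice above, "it runs its own mail server, so filter port 25 outbound", is the standard egress control against a mass mailer with a built-in SMTP engine: only the site's real relays get to talk to remote mail exchangers. The following is an added example, not code from the thread, that expresses that policy and adds a fan-out count so a denied workstation that tries to reach many different mail exchangers stands out from a one-off misconfiguration; the relay address, the threshold of five destinations and the sample attempts are all constructed for the example.

```python
"""Egress policy for tcp/25 with fan-out scoring (added example, constructed data)."""
from collections import defaultdict

SMTP_PORT = 25
# Assumed: the only hosts permitted to deliver mail directly are the site's relays.
MAIL_RELAYS = {"10.0.0.25"}
# Assumed heuristic: a denied host reaching this many distinct mail exchangers on tcp/25
# is behaving like a self-contained mail engine rather than a misconfigured client.
FANOUT_THRESHOLD = 5


def decide(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one outbound TCP connection attempt."""
    if dport != SMTP_PORT:
        return "allow"            # this policy only concerns direct SMTP delivery
    return "allow" if src in MAIL_RELAYS else "deny"


def evaluate(attempts):
    """Apply the policy to (src, dst, dport) tuples.

    Returns (decisions, suspects): decisions is a list of (src, dst, dport, verdict);
    suspects lists hosts denied tcp/25 to at least FANOUT_THRESHOLD distinct destinations.
    """
    decisions = []
    denied_destinations = defaultdict(set)
    for src, dst, dport in attempts:
        verdict = decide(src, dst, dport)
        decisions.append((src, dst, dport, verdict))
        if verdict == "deny":
            denied_destinations[src].add(dst)
    suspects = sorted(h for h, d in denied_destinations.items() if len(d) >= FANOUT_THRESHOLD)
    return decisions, suspects


# Constructed attempts: a workstation delivering to six mail exchangers directly,
# the real relay doing its job, and a host that made a single stray tcp/25 connection.
SAMPLE_ATTEMPTS = [
    ("10.0.0.42", "198.51.100.1", 25), ("10.0.0.42", "198.51.100.2", 25),
    ("10.0.0.42", "198.51.100.3", 25), ("10.0.0.42", "198.51.100.4", 25),
    ("10.0.0.42", "198.51.100.5", 25), ("10.0.0.42", "198.51.100.6", 25),
    ("10.0.0.42", "198.51.100.6", 443),   # web traffic from the same host is unaffected
    ("10.0.0.25", "198.51.100.1", 25),    # the relay is allowed through
    ("10.0.0.7", "198.51.100.9", 25),     # denied, but one destination is not a mail engine
]

if __name__ == "__main__":
    decisions, suspects = evaluate(SAMPLE_ATTEMPTS)
    denied = sum(1 for d in decisions if d[3] == "deny")
    print(f"{denied} of {len(decisions)} attempts denied; likely mail engines: {suspects}")
```

The deny rule alone stops the worm's mail leaving the network; the fan-out list is what tells the help desk which machine to visit first, since a normal client that is wrongly pointed at a remote server keeps hitting the same destination.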

  16. Idiots. by cperciva · · Score: 5, Insightful

    Come on, if you're going to write a worm, do it right.

    Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who infected you, and trade connections randomly).

    Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.

    Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).

    In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.

    1. Re:Idiots. by MyHair · · Score: 3, Funny

      Edit that slightly and send it to Microsoft:
      -----
      Come on, if you're going to write an OS, do it right.

      Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who sued you, and trade alliances randomly).

      Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.

      Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).

      In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.

    2. Re:Idiots. by cperciva · · Score: 4, Interesting

      Certain subject lines are going to be more effective at spreading the worm; and which lines are most effective will vary depending upon the people involved (eg, in France, subject lines which are in French will probably be more effective).

      Consider a mailing worm which has a 99% chance of re-using its "parent's" subject line, and a 1% chance of using a new subject line, randomly chosen from the host's mail spool. The "bad" subject lines will rapidly die out, since nobody will be fooled by them, while the "good" subject lines will spread (at 99% of the normal rate). Survival of the fittest, applied to subject lines of email worms.

      Even better, when the virus "mutates" (the 1% chance of picking a new subject line), it will pick a new subject line which is appropriate to the culture in which it finds itself.

    3. Re:Idiots. by ewen · · Score: 4, Interesting
      > Come on, if you're going to write a worm, do it right.

      I think it's pretty obvious that this was a test of a few things:

      • It was a test of the encryption of the virus executable to see how hard it would be for anti-virus vendors and law enforcement to decipher it (conclusion: they've nearly got it hard enough; law enforcement still don't know exactly what it does).
      • It was a test of how many next-stage sites would be needed in order to ensure that they didn't all get shut down before they were needed (conclusion: 20 is enough (they only shut down 19), 30 would be plenty it seems)
      • It was a test of how quickly it could spread just relying on user gullibility to get it in the door (conclusion: real quick, I've been seeing 1000+ copies (well, attempts) per day from some IPs, and more than 3000 copies (well, attempts) per day in total)

      So next time (and the speculation seems to be next time will be the day after SoBig.F expires on 10 September) will presumably have learnt from the results of these tests.

      Oh, and it wouldn't surprise me if next time is a Warhol Worm. I'm guessing they've collected up millions of zombies this time around.

      So, yes, this time around it's easy to filter, and it's really only the useless virus notification and other bounce backs which are annoying.

      Please do not send virus notifications for any worm or virus which is known to forge email addresses.

      But don't expect it to be so easy next time.

      Ewen

  17. No Problems Here by Anonymous Coward · · Score: 4, Funny

    I don't have any friends so I don't really get any e-mail.

  18. Sobig was created to defeat Bayesian Filters. by mumblestheclown · · Score: 4, Interesting
    I am so glad this topic came up, because it gives me a chance to propose my pet theory.

    As I understand it, SoBig was written by some spammers (this according to something I read a few days ago). If this is true, it only reinforces my belief that the Sobig worm was written for the purpose of weakening Bayesian filtering schemes for spam email, thus making it easier for spammers to send spam mail in the future.

    How?

    Simple. You are getting sobig emails apparently (but probably not really) from people who you may ordinarily receive ham from. If you (as many of you will) flag the SoBig messages as spam, your bayesian filter will remember that spam comes from trustedfriend@ham.com and lo and behold false positives increase.

    Think this is ridiculous? I began out of habit flagging my sobig emails as spam before it dawned on me what I was doing. Yes, my filters caught the sobig, but I did some tests soon to find exactly the behaviour that I described.

    This further underscores the FACT that spam is a SOCIAL, not a technological problem. No bullshit, just good legislation.

    I am a small businessperson with a legitimate web based business on the web now for 8 years. Three accounts now receive 4500 spam per day, or roughly the equivalent of one 56k modem whose full time job is to receive spam. While we have followed best practices with email addresses, over 8 years and thousands of customers, these things get around.

    1. Re:Sobig was created to defeat Bayesian Filters. by JohnGrahamCumming · · Score: 3, Informative

      Not sure this makes sense to me. I am running POPFile and it has been capturing SOBIG from the first reclassification I did and I haven't needed to do any more after that (POPFile seems to think the phrase "program cannot run DOS mode" and PIF attachments are spammy). So even if I did poison the corpus with that person's email address it has had little effect.

      Secondly, because SOBIG includes its own SMTP server the header information in each of the mails will not be the same as the genuine header information from your regular correspondents. So POPFile (and other filters) would still see them as different.

      John.
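An added example to make the disagreement above concrete; it is not code from either poster. It is a small Graham-style Bayesian filter ("A Plan for Spam" token probabilities) trained on constructed corpora: FRIEND, the colleague and promo addresses and all message texts are made up for this example, with the worm mails modelled on the canned subject lines and "Please see the attached file for details" body discussed in this thread. It reports how spammy the forged From: address becomes once forty worm mails are trained as spam, how much that shifts the score of a terse genuine note from the same correspondent, and that simply not using the sender address as a feature removes the shift while the worm mail is still caught on its body text, as John describes.

```python
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9']+")
FRIEND = "friend@example.org"   # constructed: a trusted correspondent whose address the worm forges


def features(msg, use_sender):
    """Distinct feature tokens of a message: words of subject and body, plus,
    when use_sender is on, a pseudo-token for the claimed From: address."""
    toks = set(WORD_RE.findall((msg["subject"] + " " + msg["body"]).lower()))
    if use_sender:
        toks.add("from:" + msg["from"].lower())
    return toks


class GrahamFilter:
    """Per-token spam probabilities and their combination as in Paul Graham's 'A Plan for Spam'."""

    def __init__(self, use_sender=True):
        self.use_sender = use_sender
        self.good = Counter()   # token -> number of ham messages containing it
        self.bad = Counter()    # token -> number of spam messages containing it
        self.ngood = self.nbad = 0

    def train(self, msg, is_spam):
        toks = features(msg, self.use_sender)
        if is_spam:
            self.bad.update(toks)
            self.nbad += 1
        else:
            self.good.update(toks)
            self.ngood += 1

    def token_prob(self, tok):
        g, b = self.good[tok], self.bad[tok]
        if g == 0 and b == 0:
            return 0.4                                        # Graham's prior for unseen tokens
        gr = 2 * g / self.ngood if self.ngood else 0.0       # ham counts doubled to resist false positives
        br = b / self.nbad if self.nbad else 0.0
        return min(0.99, max(0.01, br / (gr + br)))

    def score(self, msg):
        """Combined spam probability from the 15 tokens farthest from neutral."""
        probs = sorted((self.token_prob(t) for t in features(msg, self.use_sender)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:15]
        spam = ham = 1.0
        for p in probs:
            spam *= p
            ham *= 1 - p
        return spam / (spam + ham)


def msg(sender, subject, body):
    return {"from": sender, "subject": subject, "body": body}


# Constructed corpora: 20 ham (3 from FRIEND), 20 ordinary spam, and 40 worm mails that
# carry FRIEND's forged address with the worm's canned subject lines and body text.
HAM = [msg(FRIEND, "lunch", "lunch tomorrow at noon"),
       msg(FRIEND, "meeting", "notes from the meeting"),
       msg(FRIEND, "budget", "can you review the budget draft")]
HAM += [msg(f"colleague{i}@example.org", "status", f"project update {i}") for i in range(17)]
SPAM = [msg(f"promo{i}@example.biz", "offer", "buy cheap meds online now") for i in range(20)]
WORM_SUBJECTS = ["Re: Details", "Your details", "Thank you!", "Re: Wicked screensaver"]
WORM = [msg(FRIEND, WORM_SUBJECTS[i % 4], "Please see the attached file for details")
        for i in range(40)]
GENUINE = msg(FRIEND, "", "thanks, will do")   # a terse real note from FRIEND with no trained words


def build(use_sender, flag_worm_as_spam):
    f = GrahamFilter(use_sender)
    for m in HAM:
        f.train(m, False)
    for m in SPAM:
        f.train(m, True)
    if flag_worm_as_spam:
        for m in WORM:
            f.train(m, True)
    return f


def experiment():
    """Sender-token probability and message scores under three configurations: clean (worm
    mail never trained), poisoned (worm mail trained as spam with the sender address as a
    feature) and mitigated (same training, sender address not used as a feature)."""
    clean = build(use_sender=True, flag_worm_as_spam=False)
    poisoned = build(use_sender=True, flag_worm_as_spam=True)
    mitigated = build(use_sender=False, flag_worm_as_spam=True)
    tok = "from:" + FRIEND
    return {
        "sender_p_clean": clean.token_prob(tok),
        "sender_p_poisoned": poisoned.token_prob(tok),
        "genuine_clean": clean.score(GENUINE),
        "genuine_poisoned": poisoned.score(GENUINE),
        "genuine_mitigated": mitigated.score(GENUINE),
        "worm_poisoned": poisoned.score(WORM[0]),
        "worm_mitigated": mitigated.score(WORM[0]),
    }


if __name__ == "__main__":
    for name, value in experiment().items():
        print(f"{name:20s} {value:.3f}")
```

With these constructed numbers the sender token climbs from 0.01 to about 0.69, the genuine note rises from about 0.003 to about 0.40 in the poisoned filter and sits at about 0.23 with the sender feature disabled, while the worm mail scores above 0.9 in every configuration. Whether the shift ever becomes a false positive depends on what else the genuine message contains: a note full of words the filter has already seen from that correspondent is barely moved, because each of those tokens sits at 0.01.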

    2. Re:Sobig was created to defeat Bayesian Filters. by joepa · · Score: 3, Funny

      I am a small businessperson[...]

      I received an email a few days ago from someone who says that they can help you with this problem...

    3. Re:Sobig was created to defeat Bayesian Filters. by vondo · · Score: 3, Informative

      Actually, SoBig mails appear to come from people with one degree of separation from me. People who people I know, know. Even with something like SpamAssassin which has "auto" white/black listing this is unlikely to be a problem since the penalty for sending one bad mail among many is low and very few of the mails I get are coming from addresses I recognize, let alone correspond with.

  19. effective virus by dd · · Score: 5, Interesting

    They may eventually catch the moron(s) - it isn't clear from this article, since there _really_ isn't much info, except the interesting stolen credit card item.

    But one of the lessons to be learned by people with all colours of hats from the sobig.* family is that the interface design of the virus is very effective.

    It is subtle, in that the subject lines of the emails are rather muted. It has no other message than to tell people that the info is in the file, and it may appear to come from someone you know (and might trust). In short, it isn't very 'spam-like'. and of course it has a very effective mail engine.

    I work in a university setting, and I can tell you that having a PhD will not save you from accidentally opening this virus. Email programs should make it _hard_ to open any file that is executable. How many times does it have to be said? Thanks to the internet gods that my users are on linux, and that the secretariat is staffed by savvy people.

    I watched this puppy rise from category 'low' to 'high' in a space of 6 hours on nai.com on Tuesday. I am more than a bit surprised that it started at level 'low'; anybody else remember the earlier incarnation when the email appeared to come from 'support@microsoft.com'?

  20. It's NOT too late. by Stephen+Samuel · · Score: 4, Interesting
    The viruses will be 'calling home' every Friday and Sunday for the next few weeks. There's still lots of time to install such scripts.

    If nothing else, put together a script that will log the IPs of machines that connect for further instructions and send a message to their responsible ISP asking them to have the users clean up their system.

    I've already got a prototype set of scripts if anybody's interested.

    --
    Free Software: Like love, it grows best when given away.
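Stephen Samuel mentions a prototype; what follows is an added example of such a sinkhole and its reporting step, not his scripts. A listener stands in for one of the worm's update hosts, records the time and source address of every connection and closes it without serving anything, and a summary step turns the log into one abuse-desk message per infected address. The addresses and timestamps in the sample records are constructed (the Friday/Sunday dates follow the schedule in the article); mapping an address to the responsible ISP's abuse contact is a whois lookup and is left out so the block runs offline.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed callback log: (UTC timestamp, source address) for connections that reached
# a sinkhole standing in for one of the worm's update hosts, on the Friday/Sunday schedule.
SAMPLE_RECORDS = [
    ("2003-08-22T19:00:01+00:00", "203.0.113.5"),
    ("2003-08-22T19:00:02+00:00", "198.51.100.9"),
    ("2003-08-22T19:00:07+00:00", "203.0.113.5"),
    ("2003-08-24T19:00:03+00:00", "203.0.113.5"),
    ("2003-08-24T19:00:04+00:00", "192.0.2.17"),
]


def run_sinkhole(bind=("127.0.0.1", 0), max_conns=None):
    """Listen, record (timestamp, peer address) for every connection and close it at once,
    serving nothing. Returns (port, log, thread); port 0 asks the OS for a free port."""
    log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(64)
    port = srv.getsockname()[1]

    def serve():
        seen = 0
        while max_conns is None or seen < max_conns:
            conn, (peer, _) = srv.accept()
            log.append((datetime.now(timezone.utc).isoformat(timespec="seconds"), peer))
            conn.close()
            seen += 1
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, log, thread


def summarize(records):
    """Per-address attempt count with first and last sighting, busiest address first.
    Timestamps are ISO 8601 in UTC, so plain string comparison orders them correctly."""
    stats = {}
    for ts, ip in records:
        s = stats.setdefault(ip, {"attempts": 0, "first": ts, "last": ts})
        s["attempts"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return dict(sorted(stats.items(), key=lambda kv: -kv[1]["attempts"]))


def abuse_report(ip, stat):
    """Text for the abuse desk of the network that owns ip (the whois step is out of scope)."""
    return (f"Host {ip} connected {stat['attempts']} time(s) to a sinkhole replacing a Sobig "
            f"update server, first {stat['first']}, last {stat['last']}. It is very likely "
            f"infected; please ask the user to clean the machine.")


def self_test(n=3):
    """Stand-alone check: run a sinkhole on loopback, hit it n times, summarise the log."""
    port, log, thread = run_sinkhole(max_conns=n)
    for _ in range(n):
        socket.create_connection(("127.0.0.1", port)).close()
    thread.join(timeout=5)
    return summarize(log)


if __name__ == "__main__":
    for ip, stat in summarize(SAMPLE_RECORDS).items():
        print(abuse_report(ip, stat))
    print("loopback self-test:", self_test())
```

The listener deliberately sends nothing back: a sinkhole's job is to observe and to deny the worm the payload it came for, and the closed connection is all the infected host ever sees. Sorting the summary by attempt count puts the hosts that have been calling home every scheduled day at the top of the notification queue.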
  21. this is why by commodoresloat · · Score: 4, Funny

    This is why worms need to be open source. Proprietary worms do a disservice to the worm community!

    1. Re:this is why by commodoresloat · · Score: 3, Informative

      Actually, the first worms had nothing to do with javascript or ActiveX, and existed long before them.

  22. Worm vs. Virus by jaaron · · Score: 5, Informative

    A worm is usually a standalone program (runs on its own) and is self-propagating. A virus is a much more general term. In fact, some might argue that a worm is a type of a virus. But in general, a virus infects other software (so it isn't necessarily standalone) and often requires some other application (or human) to transfer it from one location to another.

    There's a good answer on Broadband Report Forum, or you could try Google.

    --
    Who said Freedom was Fair?
  23. Question by duck+'o+death · · Score: 5, Insightful

    OK, I have a quick question. These worms and virii are hitting a ton of Microsoft vulnerabilities, and that's why they *exist*, but to me it seems like they only succeed because office workers, mom (my mom's comp was hit by Blaster), guy down the street, etc. *don't harden their computers*, or because they can't seem to stop clicking on attachments.

    So if this gets worse and worse, and hypothetically more people start running linux or mac or whatever as their desktop OS (which I think could happen in dribs and drabs now -- a shitload of folks I know HATE microsoft right now), what's to stop them from ignoring system security all over again? You have the whole Lindows run-as-root thing still, for example. I know there aren't nearly as many worms and shit written to exploit non-MS OS's, but that doesn't mean folks won't start, and I'd just like to know what would/could happen, and what exploits would then be available, if they do.

    I'm tired, and cranky, and I love Linux. But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update.

    --
    Don't put salt in your eyes.
    1. Re:Question by Bin-tec · · Score: 4, Funny

      So, when are us Mac users going to get some excitement with some viruses? I'm kinda bored with clicking on those links that won't do anything.

  24. Quit using C/C++, lose the buffer overflows by garyebickford · · Score: 4, Interesting

    Folks blame Microsoft for their failures to prevent the bugs that allow these virii and worms, and I don't disagree. However, there is a deeper root cause. C and C++ are poor tools for any programming above the level of device driver (and perhaps compiler construction). "Programming without a Net", indeed!! (sorry, couldn't find the original of that quote.)

    Programming in C/C++ is directly equivalent to having to get out of your car to check the lugnuts at every red light. I mean - buffer overflows? Segfaults? Library conflicts? This is the stuff of the Dark Ages!! (with the possible exception of the libraries...) If Microsoft (along with everyone else) worked in an actually productive environment, these types of errors would be impossible in nearly all cases. (Of course, I'm not saying bugs in general would be impossible...)

    I was fortunately able to work entirely without C for the last 10 years or so, and managed to go the entire time without a segfault, and was easily 10 times as productive as I ever have been in C. (Using myself as an example removes any programmer skill issue - one can presume same level, both cases.) This included some large projects, including a complete web-enabled GIS system with live maps and integration with corporate inventory & personnel databases.

    Recently I had to return to the C++ environment, and was astonished at how painful, and inefficient the process is. And, of course, code written for one linux platform had to be modified for another, and then again for Solaris. In a simple 300 line program there is no common version that works on all three platforms, even though all used GCC. So I'm now faced with the prospect of building and testing three versions simultaneously or going through the meta-agony of setting up an autoconf build (tho I admire autoconf greatly - autoconf is arguably a key factor in the success of open source.)

    And the various IDEs (for pretty much any language) are just glorified outliners, not engineering tools and certainly not CAD in any useful sense of the word. It is time for software to become engineering. Imagine designing a nuclear plant entirely using text - no drawings, no CAD, no piping analysis, no dynamic stress analysis. A large programming project has a similar complexity, yet we are still stuck writing prose - this is software literature, not software engineering! CAD has transformed every engineering discipline except one. Why do we insist on remaining stuck in the Dark Ages?

    --
    It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
    1. Re:Quit using C/C++, lose the buffer overflows by garyebickford · · Score: 3, Interesting

      > Yes, let's program in a higher level language so we can inherit all the crappy code libraries of the OS. Let's spend half our lives doing tech support for erroneous systems that we're dependent upon.

      My point exactly - All those 'crappy code libraries' are written in C, which means (effectively) that every other language has to support the C libraries - all 4,321 versions. And, surprise!! - we're spending half our lives doing tech support for systems whose errors are Largely due to the problems of C!

      > C/C++ can be more portable than any other language. If you're having trouble making it portable, don't blame the language.

      Compiler portability via bootstrapping was, in 1972, C's really big new innovation. Other languages were more portable than C once the compiler was ported, but they were generally not good languages for building compilers (LISP, APL, ALGOL, maybe even FORTRAN come to mind.) That was then, this is now. IIRC it was Dennis Ritchie who described C as a "structure PDP-11 Macro Assembler". Some argue that C's major advantage is its stupidity - almost all the functionality is in the libraries.

      > If you haven't had a need to use C before, that's good for you. You're probably not developing applications that need this low level language so don't compare apples to oranges and go back to diddling your non-normalized corporate database.

      (Ad hominem attacks are boring.) As I pointed out, C may have a purpose writing device drivers, although even that is arguable - Burroughs was writing hardware descriptions in (IIRC) Pascal as far back as 1980, and you'll note that Intel doesn't use C to describe the Pentium logic - arguably low level programming. And again, you make my point. Anything higher level than device drivers (kernels? maybe, maybe not) is out of C's problem domain.

      At present the typical labor cost to build and maintain nearly any system is two orders of magnitude larger than the cost of the hardware it runs on. If the loaded cost of a programmer is $100/hour then a program that takes one day to write is more expensive than the processor it will run on, and every minute chasing down a fencepost error costs $1.67. (Pascal and Algol, for just two examples, prevented fencepost errors as early as 1968.) Spending an hour trying to decipher stupid compiler-library mismatches borders on unethical abuse of resources.

      The real question is, why do we still think of programming in terms of language? This shows a presupposition that literature is programming. It may be, but it's certainly not engineering. As long as we're writing prose, we're not doing engineering.

      It is fairly obvious to me that the entire worldview of the software community is presently broken. Grace Hopper et al developed COBOL to allow 'nonprogrammers' to write programs. That was in the late 1950's. What progress has occurred since then? Why aren't we drawing our programs? Why don't we run the graphic model through a dynamic dataflow, bandwidth and timing analysis? Why is it up to us to manually tune the literature to support multiple processors?

      The plain fact is that I've watched the nonprogress of software over the last 20+ years, and it's nearly all a rehash of old stuff. The latest, greatest software engineering discipline as taught at the local university is unchanged from the method I used in 1978. We're designing jets for Boeing, using the software equivalent of a Model T.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  25. Re: Wicked screensaver by ChilyWily · · Score: 5, Funny

    hehe- Couldn't resist: Today's userfriendly strip is perfect :)

  26. Saw the b'stard launched by advocate_one · · Score: 5, Informative
    some t0sser called Misiko posted a "DSC-00465.jpeg" file into some binary newsgroups on Monday 18th... it was really a *.jpeg.pif, and would have automatically infected any user browsing those groups using outlook express and image preview set on.

    Unfortunately I've since deleted it (It's an offence to knowingly possess viruses in the UK)

    The message reference that it was in is [MPG.19ab40b72e8ed720989682@news.easynews.com] but google doesn't archive those groups.

    Perhaps that was it???

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
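As an added example (not code from advocate_one or anyone else in the thread) of the check a mail or news gateway can apply to a name like DSC-00465.jpeg.pif: it strips whitespace padding, judges the last extension rather than the first, flags a data-type decoy sitting in front of an executable extension, and sniffs the first bytes so that executable content under an innocent name is caught as well (every Windows executable begins with the bytes MZ; the "MZP" quoted further down this thread is the start of that header). The extension lists, file signatures and all sample names apart from the one from the post are constructed for the example.

```python
import re

# Extensions Windows executes on double-click (constructed policy list for this example).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js"}
# Extensions users read as harmless data and which a worm borrows as a decoy.
DECOY_EXTS = {"jpeg", "jpg", "gif", "png", "bmp", "txt", "doc", "pdf"}
# File signatures: the first bytes tell the real type; "MZ" opens every Windows executable.
MAGIC = {b"MZ": "windows-executable", b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png",
         b"GIF8": "gif", b"%PDF": "pdf"}


def normalize_name(filename):
    """Lower-case and drop all whitespace; padding such as 'photo.jpg      .scr' is used to
    push the real extension past the edge of the attachment column."""
    return re.sub(r"\s+", "", filename.lower())


def extensions(filename):
    """All extension components after the base name: DSC-00465.jpeg.pif -> ['jpeg', 'pif']."""
    return normalize_name(filename).split(".")[1:]


def sniff(data):
    """Identify content by its leading bytes, independent of the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(filename, data=b""):
    """Block on an executable final extension, on a decoy extension in front of it, or on
    executable content hiding behind a non-executable name. Returns verdict, reasons, type."""
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    reasons = []
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append(f"double extension masquerading as .{exts[-2]}")
    kind = sniff(data)
    if kind == "windows-executable" and final not in EXECUTABLE_EXTS:
        reasons.append(f"content is a Windows executable but the name claims .{final or '<none>'}")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons, "content": kind}


if __name__ == "__main__":
    # Constructed samples; the first name is the one posted to the newsgroup.
    samples = [("DSC-00465.jpeg.pif", b"MZP\x00\x02"), ("application.pif", b"MZ"),
               ("photo.jpg        .scr", b"MZ\x90"), ("report.pdf", b"MZ\x90"),
               ("holiday.jpg", b"\xff\xd8\xff\xe0"), ("README", b"plain text")]
    for name, blob in samples:
        r = inspect_attachment(name, blob)
        print(f"{name!r:28} {r['verdict']:5} {r['content']:19} {'; '.join(r['reasons'])}")
```

Name and content are checked independently on purpose: the name check catches the common case cheaply, and the signature check catches a renamed executable that a name-only filter would wave through.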
  27. Redirect to a porn site? Yeah, right. by Stormbringer · · Score: 5, Interesting

    My guess is that the virus-writer, realizing from the online news that his/her precious 20 IP numbers were being decoded and chased down, went around to all of those machines that were still online and switched in that porn-site target, to avoid disclosing further strategy.

    With a lot of luck, maybe forensics on the first few machines taken offline will yield the real download address, and we can see what that clown was really up to.

  28. Re: y'know what I'm wondering... by Black+Parrot · · Score: 3, Funny

    > Is why any virus writers ever get caught. [...] they simply have to go down to their local library and/or cyber cafe wearing a wig and makeup, stick the floppy in, click, then leave, what's the problem?

    I used to do that, but I got tired of having all the geeks try to pick me up while I was there.

    --
    Sheesh, evil *and* a jerk. -- Jade
  29. This is what the writer should have done. by codepunk · · Score: 3, Funny

    He should have had this virus download a copy of the linux kernel from the SCO web site and save it to the system. SCO would have loved this as they could have then sold a Unix Ware license to the entire world. Oh hell we could have even shown that SCO in fact distributed the linux kernel to every PC in the world.

    --
    Got Code?
  30. Virus author's other post by indole · · Score: 4, Informative

    Although google doesn't archive those groups, they did archive this message posted by the virus author in alt.alt.test 9 minutes before the virus was posted elsewhere.

    (You can compare to the message included here from easynews)

    --
    (2,3-Benzopyrrole)
    1. Re:Virus author's other post by advocate_one · · Score: 3, Informative
      yup... that was him.

      I actually posted a warning reply to the original post but was obviously too late.

      WARNING - that's a virus. Don't download it... - was Re: Great, who's got more?? DSC-00465.jpeg

      On Mon, 18 Aug 2003 19:55:13 +0000, Misiko wrote:

      > DSC-00465.jpeg
      > MZP

      contained the following item:

      DSC00465.jpeg.pif

      do not in any circumstances open the OP if you're using ms-windows and OE
      etc... I'm safe.

      he was relying on people browsing usenet binaries with insecure newsclients... looks like fertile soil then.
      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  31. No damage by Arandir · · Score: 4, Funny

    > Those that did were merely redirected to a porn site, no damage done.

    No damage done! My dear poor mother got redirected to goatse.cx! The psychiatry bills alone will cost a quarter of a million dollars.

    --
    A Government Is a Body of People, Usually Notably Ungoverned
  32. I don't get it by Overly+Critical+Guy · · Score: 3, Insightful

    Why does Microsoft security and Windows Update keep coming up in this? This is an e-mail worm. People keep running the damned attachment like morons. It's their fault. Hell, my ISP doesn't even let .scr or any other sorts of files get through without specific permission from the user. Outlook won't run executables unless I tell it to.

    --
    "Sufferin' succotash."
    1. Re:I don't get it by shaitand · · Score: 4, Insightful

      " Why does Microsoft security and Windows Update keep coming up in this? This is an e-mail worm. People keep running the damned attachment like morons. It's their fault. Hell, my ISP doesn't even let .scr or any other sorts of files get through without specific permission from the user. Outlook won't run executables unless I tell it to."

      Your ISP is likely not even running windows or uses a separate "box" which filters the mail. A lot of people running windows sit behind a linksys router with a built in firewall and laugh about these vulnerabilities. They don't realize they are sitting behind a layer of the simplest and weakest form of linux security living in that router.

      Outlook won't run executables unless you tell it to... yeah we already had worms that executed automatically in outlook. But wait that fixed that hole.. you sure there aren't any others? All you have to do is click the attachment and that is "telling it to". Me on the other hand, I have to save the file and then change the filesystem permission on the file to executable and THEN and only then AFTER I have explicitly gone out of my way to make the system recognize the file as being executable may I execute the file. Sure I can set my mask so that EVERY file has execute permission by default but why would I? Or I could do it another way, make up a system where I put 3 letter codes at the end of files and the ones with the right codes are executable... but hey, couldn't anyone name the file that way? oops.

      This boils down to a fundamental flaw in the way the system was designed back in the DOS days. Any change would completely annihilate the existing windows structure and all the code surrounding it. Course they could have... I dunno. Designed the system using ANY of the concepts implemented in ANY OTHER operating system in existence and we wouldn't see this kind of thing today.

      If a user is too stupid to right click on the file and check the box by the execute permission, he's too stupid to be trusted to execute files.

    2. Re:I don't get it by Alien+Being · · Score: 5, Insightful

      "People keep running the damned attachment like morons."

      Why do windows techies insist on packaging things as executables?

      For example, I downloaded an addon track for a Windows racing game I like. It's a single .trk file. But instead of just telling me to put the file in my "tracks" folder, they package it as a damned .exe install "wizard" that's so stupid, it has to ask the user where to install the file.

      Not only that, but they add another layer of bs to the mix by putting the .exe in a zip file. So naturally, some people have to go install winzip, probably break someone's eula, run yet another POS installer.

      Of course users click anything that says OK. That's what you do with windows. Click, click, crash, reboot, click, click, reinstall. It's just the way windows is done, sucky.

  33. Re: Wicked screensaver by eponymous+flower · · Score: 3, Funny

    Wicked?? Is this virus writer from Boston or 1986?

    --
    You say self-important egomaniac like it's a bad thing. - Peter Dragon
  34. Easynews privacy policy... by sweet+'n+sour · · Score: 5, Interesting

    How did the FBI get the ip address of the computer that uploaded the virus when the privacy policy for easynews specifically states that it should be impossible for such a thing to happen:

    We do not keep HTTP access logs
    We do not keep NNTP access logs
    We do not use IP addresses to link to personally identifiable information. IP addresses are used for administrative purposes only to ensure the Web site is running smoothly.

    Here's a link to the complete policy: Privacy Policy

  35. I Love You runs on RH 7.3/KDE by BigBlockMopar · · Score: 5, Interesting

    Now if the computers hadn't been running windows and they would have crashed anyway and wouldn't have been able to execute it. Oh wait they were running windows. I guess windows (and any crashable OS) only crashes during important data writing.

    Linux X applications by and large aren't as stable as Windows shareware (ie. KMail silently dies when the disk is full, etc.). The Linux kernel *is* crashable - try hot-swapping an ISA card in an old clunker. [grin]

    As for worms, well, once on my KDE box, I clicked on a virus while I was showing off Linux to a friend. "Look at how immune I am to e-mail virii... [click-click]... Oh shit... Look at how well Windows applications are supported!"

    Red Hat 7.3, shipping with Windows binaries associated to Wine. Yup, I got my Linux box infected with a Windows e-mail virus. Dangerous default file associations are not a problem exclusive to Windows, and it's only a matter of popularity before e-mail virii are being written to exploit bugs in Linux apps.

    --
    Fire and Meat. Yummy.
  36. "format c:" is not the most damaging thing by mec · · Score: 4, Insightful

    A formatted computer is a dead computer (and an un-infected computer when it comes back to service, probably with current anti-virus software). An infected computer is a cracker proxy, a spam relay, a DDOS slave.

    Also, for a lot of users, it's more damaging to leak information than to destroy the computer. Think of all the bank, credit card, and brokerage passwords that are available by logging the keystream. And, more relevantly, it's far more profitable to the virus writer to receive leaked information than to know that someone's drive was formatted.