Slashdot Mirror
The Origin Of Sobig (And Its Next Phase)
MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, have traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try and connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.
How can the operation of code like this be so uncertain when its relatively small and known? I assume the worm doesn't download keys as it runs to unlock further sections of code... How difficult is it to know what exactly these things do when they have a complete binary copy disassembled?
Actually, "officials" were only able to take down thirteen of the twenty hosts targed. Six were already down due to MS Blaster.
I want to know what 'officials' are doing about this alleged porn site that the computers are being aimed at. It may very well be just a random site that the author chose, but I would definitely look into the possibility of the site owners being in on this.
Furthermore, what is the address of this porn site? I think we net admins have a valid right to "research" this threat using the company broadband!
Celebrate Steak and a Blowjob Day!
IN fact why not have the virus download a patch that installs a daemon that periodically installs all MS patches. anyone who is too dumb to deactivate it needs to have it installed. its a self -selecting fix
Some drink at the fountain of knowledge. Others just gargle.
Anyone else think this sounds like a bad hollywood plot ?
We only have 48 hours to shut down 20 randomn computers or the internet is brought to it's knees.
Actually the worm included its own NTP client which it would use to verify the date by querying NTP servers on the Internet.
Hence this doesn't work. I thought this was a nice touch on the part of the worm author. As well as including NTP, they author had their own SMTP server for sending the messages and used a regular expression engine to search for email addresses on the machine.
This was not written by a script kiddie.
John.
It's been a busy week. I see a lot of people confusing the different worms/viruses running around.
SoBig.F - A virus. Exploits no vulnerability in the OS. It only executes when a user runs the attachment. It sends out emails to everyone in your address book and makes the source another address from your book. It runs its own mail server, so filter port 25 outbound.
Blaster - A worm. This exploits the Windows RPC bug and self propogates to any unpatched system.
Welchia/Nachi - A worm. Also exploits the Windows RPC bug and attempts to clean machines infected by Blaster. Unfortunately, it tries to find other systems by doing random pings which can saturate a network.
Come on, if you're going to write a worm, do it right.
Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who infected you, and trade connections randomly).
Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.
Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).
In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.
Tarsnap: Online backups for the truly paranoid
They may eventually catch the morons(s) - it isn't clear from this article, since their _really_ isn't much info, except the interesting stolen creditcard item.
But one of the lessons to be learned by people with all colours of hats from the sobig.* family is that the interface design of the virus is very effective.
It is subtle, in that the subject lines of the emails are rather muted. It has no other message than to tell people that the info is in the file, and it may appear to come from someone you know (and might trust). In short, it isn't very 'spam-like'. and of course it has a very effective mail engine.
I work in a university setting, and I can tell you that having a PHd will not save you from accidentally opening this virus. Email programs should make it _hard_ to open any file that is executable. How many times does it have to be said? Thanks to the internet gods that my users are on linux, and that the secretariat is staffed by savy people.
I watched this puppy rise from category 'low' to 'high' in a space of 6 hours on nai.com on tuesday. I am more than a bit surprised that it
started at level 'low'; anybody else remember the eariler incarnation when the email appeared to come from 'support@microsoft.com'?
A worm is usually a standalone program (runs on it's own) and is self-propagating. A virus is a much more general term. In fact, some might argue that a worm is a type of a virus. But in general, a virus infects other software (so it isn't necessarily standalone) and often requires some other application (or human) to transfer it from one location to another.
There's a good answer on Broadband Report Forum, or you could try Google.
Who said Freedom was Fair?
OK, I have a quick question. These worms and virii are hitting a ton of Microsoft vulnerabilities, and that's why they *exist*, but to me it seems like they only succeed because office workers, mom (my mom's comp was hit by Blaster), guy down the street, etc. *don't harden their computers*, or because they can't seem to stop clicking on attachments.
So if this gets worse and worse, and hypothetically more people start running linux or mac or whatever as their desktop OS (which I think could happen in dribs and drabs now -- a shitload of folks I know HATE microsoft right now), what's to stop them from ignoring system security all over again? You have the whole Lindows run-as-root thing still, for example. I know there aren't nearly as many worms and shit written to exploit non-MS OS's, but that doesn't mean folks won't start, and I'd just like to know what would/could happen, and what exploits would then be available, if they do.
I'm tired, and cranky, and I love Linux. But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update.
Don't put salt in your eyes.
Well, if you're just interested in who to blame, then blame the virus/worm writers. They wrote the darn things. But there will always be plenty of virus writers.
But if you're interested in how to have this kind of thing NOT HAPPEN, which I think is the more important issue for us in the IT field, then the blame falls squarely on microsoft's shoulders.
Sure, all software has bugs. But Microsoft's software is a little different. It's in 95%+ of the world's computers. They know this, that's their business. Governments use it. Nuclear plants use it. The electric company uses it. Your personal information is stored in it. Your medical history is stored in it. Microsoft has their fingers so deep into businesses around the world.
Yet they don't do anything particularly special to prevent these worms. They put in the same (or less) effort that the open source folks to find bugs. They sit idly buy when they could easily afford *thousands* of independent code audits. They leave ports open when they could easily ship them closed. They ship a mail client that runs foreign executables. Not off completely, or in a sandbox, or whatever. It is inexcusable that attachments can run as code. This is a bug in the design of the operating system (ANY operating system).
Microsoft needs to get their head out of the bank vault for about two seconds and realize this is something they *must* do, even if it doesn't mean any new revenue. They have a responsibility to every business out there. Even if you are a FreeBSD + Mac shop you are effected by this.
It's downright embarassing that a simple bit of code like these worms/viruses can even get out the ethernet port.
Microsoft, how about innovating a real *solution* to this that *isn't* Palladium? I know it's possible. Have you ever seen qmail or other programs by DJB? Everything is partitioned with simple interfaces between code modules, even if there are bugs, they are ineffective. Do the same in Windows. People will put up with the extra effort eventually, because they are SICK of this shit.
What really amazes me, is how many people seem to think Microsoft is "doing everything they can". They can do more, a lot more, and they must!
hehe- Couldn't resist: Today's userfriendly strip is perfect :)
Unfortunately I've since deleted it (It's an offence to knowingly possess viruses in the UK)
The message reference that it was in is [MPG.19ab40b72e8ed720989682@news.easynews.com] but google doesn't archive those groups.
Perhaps that was it???
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
My guess is that the virus-writer, realizing from the online news that his/her precious 20 IP numbers were being decoded and chased down, went around to all of those machines that were still online and switched in that porn-site target, to avoid disclosing further strategy.
With a lot of luck, maybe forensics on the first few machines taken offline will yield the real download address, and we can see what that clown was really up to.
I just love this type of explanation of why MS is at absolutely ZERO fault for it's security problems. Compare the number of Apache worms/viruses with the number found in IIS. Why are there more in a single year for IIS than for Apache over several years? Why haven't appache worms/viruses brought the Internet to a crawl and hit the newspaper headlines big time?
Oh yeah.. because MS has such a huge market share making more targets. BZZZ.. Apache holds almost 2 times the market share for active web servers! Could it be that MS's IIS isn't as secure? No.. noo... it's because of hackers. It's all their fault.. Poor MS!
If you are going to use an analogy, try making it fit the facts:
Builder A builds a LOT of houses. To cut costs and because they truley believe they know best... they use locks from RustyLocks.com. They also use an alarm system from AlarmsAreUs.com. The lock experts and alarm system experts say, "Hey, don't use those.. they have a high risk of being compromised!"
Builder A argues that they haven't been compromised yet and that they are good enough for the home-buying public. They continue building tons of houses with these parts in place. They sell the homes with a HUGE profit margin and bill them as secure, safe and full of extras your family will love.
Builder B lets the lock experts design a good lock they think is hard to break. They let the alarm system experts design a good alarm which is hard to bypass. They use these in their houses and find that they don't actually run up costs, but instead lower them. They also put the design of the systems up for public review in case they missed something themselves. They sell the homes for a reasonable price and offer the blueprints and all other design materials to the public in case someone wants to build their own.
Soon building A's homes start getting broken into. They find a fix for the lock's current problem and offer it for free.. they even offer to install the fix. What they don't do is replace the locks with a better designed one because it's too expensive to. Of course this doesn't fix the security system problems or other problems with the locks. In the mean time they blame the crooks and also everyone who is broken into for not fixing their locks.
Because the lock and alarm system guidlines from Builder B are availble to any lock or alarm system expert, they are repeatedly reviewed by those who want. There are enough people willing to review because they live in these homes and want to be safe. Maybe they find problems with the locks, maybe they don't. But if they do, the locks are improved and everyone is told.
Eventually a few of builder B's locks get picked. The lock experts start tearing apart the locks and figure out if fixing them is good enough or if a whole new lock is warranted. Regardless of the answer, they make the new locks available for free with simple instructions on how to replace them.
In the mean time several more break-ins occur in builder A homes.
Builder A's reactive actions result in repeated security incidents. The Builder B community team's proactive actions result in occasional but rare security incidents.
Blame the crooks! Sure, they hold some of the blame, but both builders KNEW the crooks were out there. They both knew the crooks wanted into the houses to get the goodies inside. So, does builder A share any responsibliity? Hmmm... According to your post.. NO.
Yeah, but what you're missing is that F expires on September 10th, 2003.
Which means G, the one with the yet more freakin' evil payload, is probably set to go live... ooh, sometime around the 11th... uh-oh.
Expiring the worm is deliberate, so that different versions of the worm don't interfere with each other much.
We got lucky, or maybe not: the author realised what was happening, reads the right lists (or spies on them, heh), and decided that he'd rather leave it to the backup payload - the update url was simply a random porn site, one of the decoys, rather than a compromised webpage containing the latest version of his second-stage rootkit/trojan/proxy, Lala.
So we don't know what his latest surprise would have been. There's been too much attention - he's not going to spring it. He - let's be honest here, they - want a low-profile proxy network, quietly removing the worm after deployment, to anonymise his compromises, do some identity theft, mail some spam (they're EVIL, remember).
Now, this stolen credit card was almost certainly stolen with the keylogger in the previous trojan cascade of Sobig.E, so... well, that pretty much fucks things up as far as traceability goes, same for the proxy servers that the authors will have been using to cover their tracks.
Disclaimer: I don't *know* this, but based on what disassembly I've done, what I've read, and previous versions, it seems very, very likely. He might have been planning something else, but I suspect all this publicity derailed his plans for quiet world domination.
How did the FBI get the ip address of the computer that uploaded the virus when the privacy policy for easynews specifically states that is should be impossible for such a thing to happen:
We do not keep HTTP access logs
We do not keep NNTP access logs
We do not use IP addresses to link to personally identifiable information. IP addresses are used for administrative purposes only to ensure the Web site is running smoothly.
Here's a link to the complete policy: Privacy Policy
Now if the computers hadn't been running windows and they would have crashed anyway and wouldnt have been able to execute it. Oh wait they were running windows. I guess windows(and any crashable OS) only crashes during important data writing.
Linux X applications by and large aren't as stable as Windows shareware (ie. KMail silently dies when the disk is full, etc.). The Linux kernel *is* crashable - try hot-swapping an ISA card in an old clunker. [grin]
As for worms, well, once on my KDE box, I clicked on a virus while I was showing off Linux to a friend. "Look at how immune I am to e-mail virii... [click-click]... Oh shit... Look at how well Windows applications are supported!"
Red Hat 7.3, shipping with Windows binaries associated to Wine. Yup, I got my Linux box infected with a Windows e-mail virus. Dangerous default file associations are not a problem exclusive to Windows, and it's only a matter of popularity before e-mail virii are being written to exploit bugs in Linux apps.
Fire and Meat. Yummy.
"People keep running the damned attachment like morons."
.trk file. But instead of just telling me to put the file in my "tracks" folder, they package it as a damned .exe install "wizard" that's so stupid, it has to ask the user where to install the file.
.exe in a zip file. So naturally, some people have to go install winzip, probably break someone's eula, run yet another POS installer.
Why do windows techies insist on packaging things as executables?
For example, I downloaded an addon track for a Windows racing game I like. It's a single
Not only that, but they add another layer of bs to the mix by putting the
Of course users click anything that says OK. That's what you do with windows. Click, click, crash, reboot, click, click, reinstall. It's just the way windows is done, sucky.