So, Who Wrote Sobig?
An anonymous reader writes "F-Secure's Virus Blog posted links to a 48-page technical study on who wrote the infamous Sobig worm which went around the world last year. The study is done by anonymous authors.
The study concludes that the author of this worm is a Russian programmer and goes all the way to name him. This file has now been posted publicly on Geocities and Tripod. So you can have a look for yourself and make your own conclusions."
Why is it always acceptable--preferable--to refer to anyone with a different belief than ourselves as a "zealot"? This word is being way overused lately. "Cease!" sayeth the style police.
I think that releasing a virus to achieve your ends qualifies one as a zealot. In fact, I would guess that the poster of the parent (this post's grandparent) thread is most likely not a Windows fan, so the underlying belief probably is not different, just what is perceived as acceptable means.
Ben Hocking
Need a professional organizer?
Why aren't all link submissions required to include a mirror? Ah well, here's the Coralized link
Life shrinks or expands in proportion to one's courage. - Anais Nin
MOD PARENT DOWN!!!!!!! MISINFORMATION.
MODS: please, fucking read the article before you go on your modding spree.
Linux was not mentioned ONCE in the article. The motivation guessed (and reasoned) was the creation of open proxies so the guy could sell more of his spam-sending software. So purely financial.
world was created 5 seconds before this post as it is.
I even know someone who programmed a test virus a long time ago and sent it to antivirus publishers to see how well it could be detected, and the response from the community of that time, especially the people from Kaspersky, was very much against that kind of "tests", so what you are telling there is very improbable (and that includes too most of the other biggest players 10 years ago if the same is said about i.e. F-Prot or McAfee people).
At least without hard proof (not just speculation or just urban myths) I would give that notice the same weight as the claim that Bill Gates is sending big bucks to anyone who continues a chain letter.
The only compelling evidence they mentioned was the identical blocks of code in the binaries, and they didn't really go into detail about their findings.
love is just extroverted narcissism
What do you think of the notion that there are at least several really successful viruses that we never hear about, because they are more useful to the writer if they are not obviously annoying?
Are all these zombie machines we hear about for rent to spammers infected with viruses that would be caught by common virus scanners, or are they truly different?
This issue is a bit more complicated than you think.
Well, you obviously didn't glance through all of the points, as you neglect to mention the opcode similarities, the timeline of significant releases of both pieces of software and the activities of groups known to use Send Safe and SoBig.
Not to mention the exhaustive opcode comparison diagram at the end of the document.
Circumstantial evidence, it may be, but that doesn't mean it's not valid. And what is forensics aside from a circumstantial investigation? Getting as many facts as you are able to directly observe in order to come to a logical conclusion about a question you can't directly observe the solution to.
And they add in a footnote to that sentence:
So they say they had submitted their research prior to Nov. 5, '03. Why go public now? Though they don't say it, I can't help but think that it was frustration. Their own explanations for why they are going public seem thin to me.
Rome wasn't bilked in a day.
Hopefully when you "glanced through" the article you also read that there is evidence that Sobig and Send-Safe (spam software that Ruslan sells) share source code. By comparing the opcodes of the two executables, they find many long sequences that match.
Also, don't forget to mention that the article reveals a version of Send Safe was exploiting infected Sobig machines before news of Sobig was ever announced.
So you see, it's not just about the skill set needed, Ruslan's forum posts, or the header similarities. It's the combination of those things AND the matching code signatures, the demonstrated foreknowledge, and the profit motive. Ruslan makes money selling spam software and lo and behold, there is evidence that his Send Safe program uses some common code and that Send Safe exploits infected Sobig machines and was doing so before any of us had heard of Sobig.
So you can call it circumstantial and that is fine. But don't leave out many of the key points made by the authors.
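The opcode-sequence comparison this post refers to can be reproduced in miniature. The following is an added example, not the study's own tooling; it assumes each binary has already been disassembled into a flat list of mnemonics, and the two lists below are constructed stand-ins, not taken from Sobig or Send-Safe.

```python
"""Find long runs of identical opcode mnemonics shared by two binaries.

Matching long runs of mnemonics (with operands stripped) is a cheap way
to spot code copied between two executables even when they were built
separately, since register allocation and addresses differ but the
instruction skeleton tends to survive.
"""
from difflib import SequenceMatcher
from typing import List, Tuple

# Constructed mnemonic streams (hypothetical; in practice these would come
# from a disassembler such as objdump with operands discarded).
SAMPLE_A = ["push", "mov", "sub", "mov", "call", "test", "jz", "mov", "lea",
            "push", "call", "add", "cmp", "jne", "xor", "pop", "ret"]
SAMPLE_B = ["push", "push", "mov", "xor", "mov", "lea", "push", "call",
            "add", "cmp", "jne", "xor", "inc", "jmp", "pop", "pop", "ret"]


def shared_opcode_runs(a: List[str], b: List[str],
                       min_len: int = 4) -> List[Tuple[int, int, int]]:
    """Return (offset_in_a, offset_in_b, length) for every maximal run of
    identical mnemonics that is at least min_len instructions long.

    autojunk=False stops difflib from discarding very common mnemonics
    such as 'mov' as noise, which would hide exactly the runs we want.
    """
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return [(m.a, m.b, m.size) for m in matcher.get_matching_blocks()
            if m.size >= min_len]


def shared_fraction(a: List[str], b: List[str], min_len: int = 4) -> float:
    """Fraction of the shorter stream covered by qualifying shared runs.

    A handful of short coincidental matches is expected between any two
    x86 programs; a high fraction made of long runs is the signal.
    """
    covered = sum(size for _, _, size in shared_opcode_runs(a, b, min_len))
    return covered / min(len(a), len(b))


if __name__ == "__main__":
    for off_a, off_b, size in shared_opcode_runs(SAMPLE_A, SAMPLE_B):
        print(f"A[{off_a}:{off_a + size}] == B[{off_b}:{off_b + size}]: "
              f"{' '.join(SAMPLE_A[off_a:off_a + size])}")
    print(f"shared fraction: {shared_fraction(SAMPLE_A, SAMPLE_B):.2f}")
```

Raising `min_len` trades recall for precision: short runs such as a common prologue or epilogue match between unrelated programs, while runs of eight or more instructions at arbitrary positions are much harder to explain away.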
While many of the Linux community aren't saints, the attitude in general towards viruses and their makers is negative. You're not going to get a pat on the back from the community for creating an anti-Windows virus, you're going to get a kick in the ass for dampening the reputation of the community. Furthermore, if a bounty comes up for the virus it's likely somebody will turn you over if possible.
MS would love to be able to state that linux programmers are behind virus attacks on windows, and most are smart enough to realize that.
We don't love windows, but we're smart enough not to dirty our hands with viruses, partly because we hate viruses more than we'll ever hate windows (viruses/etc being in-fact one of the reasons for disliking windows)
To be "unprotected" from viruses is OK if you have common sense, firewalls and safe software (i.e. Windows is not in that category, and while Linux is pretty safe against viruses, maybe it is not 100% safe against worms), but when you talk about a lot of people, common sense looks not so common.