Slashdot Mirror


So, Who Wrote Sobig?

An anonymous reader writes "F-Secure's Virus Blog posted links to a 48-page technical study on who wrote the infamous Sobig worm which went around the world last year. The study is done by anonymous authors. The study concludes that the author of this worm is a Russian programmer and goes out all the way to name him. This file has now been posted publicly but on Geocities and Tripod. So you can have a look by yourself and make your own conclusions."

9 of 187 comments

  1. Good American Programmers? by Wig · · Score: 2, Interesting

    There never seems to be any good American programmers who write malicious code and viruses like this. Ah well, where's Kevin Mitnick? :-P

    1. Re:Good American Programmers? by northcat · · Score: 1, Interesting

      There are more computer users in the US than many other countries. So, are "hackers" in US sitting back because of fear?

      Actually, this cannot be attributed to tougher law enforcement or any other similar reasons. The thing is that there are not that many big Viruses/Worms/Anything-else-you-want-to-call-them around. So the possibility of the virus-writer being from any random country is almost equal. (My English skills aren't so good, so please forgive me if my sentences weren't clear.)

  2. Viruses for profit by Tx · · Score: 5, Interesting

    Malware written for fun isn't any less damaging, I guess, but when apparently written specifically for a commercial purpose (sending spam in this case) it's certainly more annoying IMHO. At least if this case is anything to go by, there's likely to be more of a forensic trail left by the perpetrators due to the associated commercial activities. I hope this Ibragimov guy gets what's coming to him.

    --
    Oh no... it's the future.
    1. Re:Viruses for profit by Daedala · · Score: 5, Interesting

      Malware for profit is worse.

      The problem isn't that professionals are necessarily better than amateurs at a task -- we know this isn't true. But being a professional allows you to work full-time on something. Many people are motivated by financial rewards (and egoboo doesn't put bread on the table, either).

      When a lot of money gets involved, organized crime gets involved, and they bring with them the infrastructure for serious misdeeds.

      I want my script kiddiez back.

      --
      What I say does not represent the views of my employers, my friends, my cats, or myself.

  3. Circumstantial evidence. by hex1848 · · Score: 3, Interesting

    I glanced through most of the points the authors make in this document and most of the evidence (if not all) is circumstantial. Although there are a lot of similarities that could lead you to think that he did it, I don't think comparing the skill sets needed to write the program to his newsgroup/forum posts and similarities in headers warrants an inquisition.

    Granted he should probably burn at the stake just for writing SPAM software...

  4. Avast, slashbots! by naitro · · Score: 5, Interesting

    Let's all go visit the guy. Even if he didn't write Sobig, he's still developing software for spammers.

  5. fairly convincing by mixmasterjake · · Score: 3, Interesting

    The argument concerning that he "had the skills necessary" to create the virus isn't really that convincing to me.

    The comparable code-base (unusual string concatenations that appear in both the virus and his commercial software) I suppose I *could* also overlook, because I know that a lot of developers copy code snippets from support pages and such. Especially for such generic functions as sending email.

    But, then throw in the fact that send-safe and the Sobig virus have very consistent release schedules. That is a little suspicious.

    Not only that, but, if you remember when SoBig first came out - it was quite a long time after before people started to realize that it was creating spam proxies. send-safe was using those proxies even before the massive outbreak. Now that is kinda weird.

    So, when you add up all of those things, it seems convincing to me. Is it enough to raid his office computers?

    --
    TODO: come up with a clever sig

  6. Frustrated yes, but not for money. by Pizaz · · Score: 3, Interesting

    Law enforcement had access to this report 14 months ago and yet Ruslan has still not been charged or arrested. At this point, it seems unlikely that he ever will be. If there is frustration on their part, it lies within this fact. Still, from the looks of it, they were sponsored to write this report and thus were paid. As they state, the "bounty was not our incentive." But nobody writes such a report or does this type of work for free. The only purposes releasing this report to the public serves now are a) Prevents others from collecting a bounty in the UNLIKELY event they attempt to use previously documented evidence already on hold by law enforcement. i) If you are paranoid, then it prevents corrupt officials from trying to let their friends receive bounties by using old information. b) Inform Ruslan that he is a suspect if he didn't already know it.

  7. Re:Do we ever really hear about good viruses? by Erasmus+Darwin · · Score: 2, Interesting

    "What do you think of the notion that there are at least several really successful viruses that we never hear about, because they are more useful to the writer if they are not obviously annoying?"

    I think it's not very likely. It isn't the payload that necessarily gets viruses noticed. If a virus (well, technically a worm in this case) tries to exploit buffer overruns in remote services (as was done by worms like Code Red and Blaster), it's going to get caught by the log entries from failed intrusions. If a virus (again, technically a worm in this case) tries to mail itself out to people, it's going to be easy for savvy users to see it for what it is. Even if a virus just modifies executables, it's going to raise alarms on a system that keeps checksums of such files. Even the increasingly archaic boot sector viruses will get caught by a simple BIOS setting.

    All the popular infection vectors that viruses and worms use leave too much evidence. I don't think any virus that has infected a large number of computers will stay hidden for long.