Slashdot Mirror
So, Who Wrote Sobig?
An anonymous reader writes "F-Secure's Virus Blog posted links to a 48-page technical study on who wrote the infamous Sobig worm which went around the world last year. The study is done by anonymous authors.
The study concludes that author of this worm is a Russian programmer and goes out all the way to name him. This file has now been posted publicly but on Geocities and and Tripod. So you can have a look by yourself and make your own conclusions."
I'm a whore! Mirror: HERE!
You're all bastards!
Andrew Tanenbaum. He's also known for a little discussion with someone named Linus Torvalds.
Should it disturb me that the virus icon now seems to resemble a bent-up dildo?
Not me.
What do they have 10MB of transfer a day?
https://gmail.google.com/gmail/a-b0ab39f1a8-517235 8b19-6f45f145ca c 0563-18969179a8 1 50e2-0bef3ba2a4 2 cd83-e0644e7ef5 6 9d32-22621daaff 7 c84e-b9e70ce4cd
https://gmail.google.com/gmail/a-b0ab39f1a8-13556
https://gmail.google.com/gmail/a-b0ab39f1a8-bc9b1
https://gmail.google.com/gmail/a-b0ab39f1a8-d6f30
https://gmail.google.com/gmail/a-b0ab39f1a8-62e3c
https://gmail.google.com/gmail/a-b0ab39f1a8-6c3f0
The odd thing about this was that his motivations weren't fame or the desire to send spam - he was a Linux zealot hell-bent on destroying Windows. This kind of jihadist attitude is becoming far too common in the Linux community.
Ummm, you realize that you're telling the entire /. community that they should look at Geocities and Tripod accounts, right? This should last, oh, about 5 seconds.
It's a worm, well, actually, it appears to be a caterpillar, but it's supposed to be a worm. It's been around for a long time.
A French magazine named Kasperski, a former KGB agent and now an antivirus publisher.
They said he happened to develop such things and then ask the major AV editors to bid in order to get the virus specs first...
Not sure if it's that accurate but it will sure raise some tin-foil-heads interest...
Trolling using another account since 2005.
Ruslan Ibragimov of Russia
Official GOD FAQ.
Who Wrote Sobig?
As the one year anniversary of the Anti-Virus Reward Program bounty for Sobig approaches, we felt this was an appropriate time to publicly release the current state of our Sobig forensic investigation. Appropriately, the authors of this document have chosen to release it anonymously for many reasons, some of which are:
By releasing the information publicly, we hope to increase tips to law enforcement concerning the Sobig authorship and spur efforts toward apprehension of the malware author(s); This document shows how computer forensics can identify virus authors. The computer forensic methods demonstrated throughout this document have been utilized to successfully identify authors of other viruses as well; Our focus is the objective analysis of Sobig. It is our contention, position, and belief that associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation. Because this site may be shutdown, you are free to copy this document to other web sites. Please do not modify the contents of this document.
Click on this link to download the document: WhoWroteSobig.pdf
SIZE: 304386 bytes
MD5: 18de5fee31a553c4695f233a3da558c9
SHA1: e56b1ff66b38016de71cbf1376207f2453aa5c4c
Kinda funny how the BSD devil up on the /. bar is looking at the worm...maybe he fears retribution?
DAMN YOU OCTODOG! DAMN YOU TO HELL!
If you can't be arsed reading it, the name is Ruslan Ibragimov.
Who??
We can start a war on the Linux Jihad!!!! Seriously though.. The majority of people who write viruses are the same people who like to cause others missery in any way they can. This just allows the smarter more resourceful to actually effect a large mass of people.
There never seems to be any good American programmers who write malicious code and viruses like this. Ah well, where's Kevin Mitnick? :-P
The above links are not gmail invites. Look closely at the real URLs.
`A viral Mr Big on us,' so I hear.
to add the word milli after the five....
From excellent karma to terible karma with a single +5 funny post...
culture of abuse goodbye...she had aa4eared...saying reciprocating bad are just way over Large - keep your raise or lower the Lube. This can lead
I don't know...the worm looks more scared than the horned one.
I just clicked one of the URLs and signed up for a gmail account.. are you sure?
Am I the only one that has the heeby-jeebies about clicking on this stuff from a GEOCITIES or TRIPOD account??
I read slashdot for the sigs...
fact came into Deeper into the all along. *BSD of the above and, after initial 40,000 coming BSD had become lube or we sell Dicks produced suucesses with the everyday...We WORSE AND WORSE. AS
Malware written for fun isn't any less damaging, I guess, but when apparently written specifically for a commercial purpose (sending spam in this case) it's certainly more annoying IMHO. At least if this case is anything to go by, there's likely to be more of a forensic trail left by the perpetrators due to the associated commercial activities. I hope this Ibragimov guy gets what's coming to him.
Oh no... it's the future.
One site was down before the story went active. The other shouldn't last long. The document is 48 pages. 26 are a hex dump. Here are two pages, sections 1 & 2, the Introduction and Overview. Pardon the messy text; I imported from PDF an fixed it up as best I could quickly.
1 About This Document
August 18, 2003 was a day of infamy in the world of computer software malware. The Sobig virus, as it was affectionately named by its the anti-virus industry, infected hundreds of thousands of computers within just a few short hours. W32.Sobig.F@mm was a mass-mailing, network-aware worm that sent itself to all the email addresses it could find, worldwide.
Within two days after Sobig was released, an estimated $50 million in damages were reported in the US alone. China had reported over 30% of email traffic had been infected by Sobig, equivalent to over 20 million users! After interrupting freight operations and grounding Air Canada, Sobig went on to cripple computing operations within even the most advanced technology companies, such as Lockheed Martin. Sobig was so virulent that on November 5, 2003 Microsoft, in coordination with the FBI, Secret Service, and Interpol, setup the Anti-Virus Reward Program.
Backed by $5 million from Microsoft, the program offered a $250,000 bounty for information leading to the arrest and conviction of the Sobig author. As the one year anniversary of the Anti-Virus Reward Program bounty for Sobig approaches, we felt this was an appropriate time to publicly release the current state of our Sobig forensic investigation. Appropriately, the authors of this document have chosen to release it anonymously for many reasons, some of which are:
By releasing the information publicly, we hope to increase tips to law enforcement concerning the Sobig authorship and spur efforts toward apprehension of the malware author(s);
This document shows how computer forensics can identify virus authors. The computer forensic methods demonstrated throughout this document have been utilized to successfully identify authors of other viruses as well;
Our focus is the objective analysis of Sobig. It is our contention, position, and belief that associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation.
The following public PGP key is provided for document validation, with the private key component safely locked away as to eliminate any future chance of a lost key pair. Any individual or entity that claims authorship should be able to validate their 'authorship' by signing a message with the corresponding PGP private key.
The included PGP public key prevents unscrupulous people from claiming ownership of this document or attempting to collect the Microsoft bounty;
As this document is present on multiple mirrored sites and has been turned over to law enforcement, anyone modifying the PGP public key will be unable to pass a fake key for potential bounty award;
This PGP public key will only be included is this document. Other documents, where malcontents attempt to place our ownership on other findings, should be considered forgeries unless they include a message
signed with the PGP private key.
In the event that any individual or entity may be able to identify the authors of this document, we urge you to respect our request for anonymity.
2 Overview
Sobig was a virus specifically designed to aid the anonymity of spammers. Sobig opened up services that enabled spammers to relay their emails anonymously. Although publicly the motivation and author of the Sobig virus is unknown, through the use of forensics and profiling, we have identified a very likely suspect and motive. Our research indicates that Ruslan Ibragimov of Moscow, Russia, and/or Ibragimov's development team, authored the Sobig virus. Ibragimov himself is the author of Send-Safe, a bulk mailing tool product that was explicitly designed for sending unsolicited em
Best deals: Worms
Why aren't all link submissions required to include a mirror? Ah well, here's the Coralized link
Life shrinks or expands in proportion to one's courage. - Anais Nin
Another mirror here
http://mirrors.linuxpowered.com/WhoWroteSobig.pdf
They are "Hey everybody I'm looking at gay porno" browser hijacks.
I glanced through most of the points the authors make in this document and most of the evidence (if not all) is circumstantial. Although there are a lot of similarities that could lead you to think that he did it, I don't think comparing the skill sets needed write the program to his newsgroup/forum posts and similarities in headers warrants an inquisition.
Granted he should probably burn at the stake just for writing SPAM software...
Explain to me how I signed up for a gmail account with one of those links then.
Let's all go visit the guy. Even if he didn't write Sobig, he's still developing software for spammers.
Here's another one
In Soviet Russia... oh, nevermind.
I wrote the virus which made the whole world cringe.
I wrote the virus which screwed up things
I wrote the virus that made system administrators cry
I wrote the virus, I wrote the virus
If someone says he and his monkey have nothing to hide, they almost certainly do.
...tell me what address to mail this...um...strangly ticking package to.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The report seems biased. It has a lot of statements like "Mr. Ibragimov has demonstraded such skills" or "Ibragimov has been posting to newsgroups since at least 1998". So f...g what? Who can assure me that demonstration of IT skills means I am a virus vriter ? An for Crist sake - I post to newsgroups since 1996. Does that prove my relationship with wirus writers/writings ?
MySQL Error 1040: Can't return sig, Too many connections!
Copyright 2003-2004 Authors.
In theory there is no difference between theory and practice. In practice there is. - Yogi Berra
The anonymous authors have done really interesting technical forensics.
The executable comparison charts between Send-Safe and Sobig-F in the appendix show a large correlation in both binaries. A different code base seems to be a pretty unrealistic thing there.
If the given facts hold true, I bet that Ruslan Ibragimov will not sleep very well in the next time.
The above post is a TROLL, not an OFF-TOPIC comment.
thought I'd throw up a mirror too, I thought it was kinda interesting.
http://www.soundmage.com/sobig/WhoWroteSobig.pdf
What do you think of the notion that there are at least several really successful viruses that we never hear about, because they are more useful to the writer if they are not obviously annoying?
Are all these zombie machines we hear about for rent to spammers infected with viruses that would be caught be common virus scanners, or are they truely different?
This issue is a bit more complicated than you think.
Anybody willing to ask him whether he actually wrote that ? :-)
I'm waiting for the study on who wrote the technical study on who wrote the infamous Sobig worm.
And they add in a footnote to that sentence:
So they say they had submitted their research prior to Nov. 5, '03. Why go public now? Though they don't say it, I can't help but think that it was frustration. Their own explanations for why they are going public seem thin to me.
Rome wasn't bilked in a day.
More like +1, Trivial Question.
**RTFA, BITCH!**
Hopefully when you "glanced through" the article you also read that there is evidence that Sobig and Send-Safe (spam software that Ruslan sells) share source code. By comparing the opcodes of the two executables, they find many long sequences that match.
Also, don't forget to mention that the article reveals a version of Send Safe was exploiting infected Sobig machines before news of Sobig was ever announced.
So you see, its not just about the skill set needed, Ruslan's forum posts, or the header similarities. It's the combination of those things AND the matching code signatures, the demonstrated foreknowledge, and the profit motive. Ruslan makes money selling spam software and lo' and behold, there is evidence that his Send Safe program uses some common code and that Send Safe exploits infected Sobig machines and were doing so before anyone of us had heard of Sobig.
So you can call it circumstantial and that is fine. But don't leave out many of the key points made by the authors.
Of course it is biased. They are making their case that Ruslan is the author. They present evidence to that affect.
Seems to me that your problem is you read the Slashdot topic and description and then fault the original article for not living up to your expectation. The article IS biased because it makes a case against Ruslan. The lame ass slashdot topic & description don't quite relay that fact.
As for evidence in the article which you neglected to cite, they show that
1) his other software Send Safe share common opcodes in the executable and is highly indicative of common source code.
2) he demonstraded foreknowledge of the virus existance because Send Safe was exploiting infected machines before Sobig virus was ever announced.
3) he has a motive -> PROFIT!!
The argument concering that he "had the skills necessary" to create the virus aren't really that convincing to me.
The comparible code-base (unusual string concatanations that appear in both the virus and his commercial software) I suppose I *could* also overlook that because I know that a lot of developers copy code snippets from support pages and such. Especially for such generic functions as sending email.
But, then throw in the fact that send-safe and the sobog virus have very consistent release schedules. That is a little suspicious.
Not only that, but, if you remember when SoBig first came out - it was quite a long time after before people started to realize that it was creating spam proxies. send-safe was using those proxies even before the massive outbreak. Now that is kinda weird.
So, when you add up all of those things, It seems convincing to me. Is it enough to raid his office computers?
TODO: come up with a clever sig
Is stringing this guy up by his testicles and leaving him to dangle too good a punishment?
Sigs. We don't need no steenking sigs.
Burn the bandwidth!
Of http://authortravis.tripod.com available here, for those that don't know Coral yet.
Also could be count as a "hard fact" for companies/governments/etc that people that send spam are in part responsible for the virus they receive and the damages they make, and start to take actions.
Well, doubt that spammers could be liable for SoBig damages, but is a nice dream.
I have only one question for virus writers:
Has anyone ever gotten laid for writing a virus?
Table-ized A.I.
It used to be try that many viruses were simply released as nuisances. However, it has also been true for a long time that they are also released for financial/personal benefit of the writer. Sniffers used to gather information can steal passwords etc, and others can turn your machine into one-of-hundreds in a group of zombies. The zombies can be sold to those whom attack major websites (extortion, disabling, etc) or spammers etc. The passwords could be for online banking or simply to root a machine and make it a zombie.
I think that viruses nowadays are more written for profit than peskiness - perhaps not the majority but the big ones definately show signs of it.
Law enforcement had access to this report 14 months ago and yet Ruslan has still not been charged or arrested. At this point, it seems unlikely that he ever will be. If their is frustration on their part, it lays within this fact. Still, from the looks of it, they were sponsored to write this report and thus were paid. As they state, the "bounty was not our incentive." But nobody writes such a report or does this type of work for free. The only purposes releasing this report to the public serves now is a) Prevents others from collecting a bounty in the UNLIKELY event they attempt to use previously documented evidence already on hold by law enforcement. i) If you are paranoid, then it prevents corrupt officials from trying to let their friends receive bounties by using old information. b) inform Ruslan that he is a suspect if he didn't already know it.
I think this is yet another example of the kind of vigilante justice that has been trademark of various anti-virus activists for a long time. If these people have sufficient evidence prove that the guy is quilty, they should approach the law enforcement officials rather than trying to ignite a witchhunt in the internet. If they don't have the evidence, they should just shut up. This is not to defend virus writers, spammers or anybody, but just to remind the people that there is a legal and civilized way to do it.
Auferre trucidare rapere falsis nominibus imperium, atque ubi solitudinem faciunt, pacem appellant.
While many of the linux community aren't saints, the attitude-in-general towards viruses and their makers is negetive. You're not going to get a pat-on-the-back from the community for creating an anti-windows virus, you're going to get a kick-in-the-ass for dampening the reputation of the community. Furthermore if a bounty comes up for the virus it's likely somebody will turn you over if possible.
MS would love to be able to state that linux programmers are behind virus attacks on windows, and most are smart enough to realize that.
We don't love windows, but we're smart enough not to dirty our hands with viruses, partly because we hate viruses more than we'll ever hate windows (viruses/etc being in-fact one of the reasons for disliking windows)
We have what's described as an anonymous article, based apparently on pure speculation, on a free webhost, that purports to identify a virus author that, SFAIK, has not yet been arrested?
;-]
Impressive. I can't believe Slashdot got such a big scoop on this one
1. According to the authors this study was completed prior to Nov. 5 2003. If the overriding concern is to "...increase tips to law enforcement..." then why did it take so long to publish this?
2. Spelling and grammar in the document leave a lot to be desired. Computer forensics aside, I submit that English isn't the primary language of the authors or they just don't care that their paper is riddled with mistakes that make them sound ignorant.
If you do what you always did, you get what you always got.
http://shit.slashdot.org/article.pl?sid=04/11/01/1 410229
This author of this article made a huge flaw in his technique of comparing binaries that discredits most of his arguments.
/ Papers/2004/ comparing_binaries.cfm
The proper way to compare binaries is described in the following:
http://www.bindview.com/Support/RAZOR
In addition there are papers on this by Havlar Flake who also has an IDA plugin you can purchase to do comparisions without needing to write any code.
Another mirror Here. Enjoy.
I've always assumed that those who create viruses do so just for the coolness of taking down systems. Mostly kids or young ones under the age of 25. In realizing that I have this assumption, it made me step back and now ask?
So does anyone really know why viruses are created? What is the personal motivation of the virus creator?
Because now viruses hurt real people. I think Microsoft should not be allowed to put out such junky software, regardless of the quality of the software real people are hurt.
Adblock filter rule: *.spylog.com/*
...the watchmen of the 'net that responded immediately to the infestation. The article from Wired describing the events surrounding that disaster made for an excellent techno-thriller type read. Does anybody have a link to it, as I only read the printed version...
WARNING: Smartphones have side effects--most of them undocumented.
I think the parent meant that the name of the virus combined with the appearance of the worm/virus/bug icon produced a new, playfully erotic response. "It's so big!" -- a phrase uttered in awe by a very young woman when I was much younger myself, but she insisted we see if we could squeeze it all in, and I must admit we made room. Much different than the outcome the times I've tried to entertain with the help of a three-stage, solid motor launch vehicle -- "You're not putting that thing inside me, mister!" That would be "Toobig."
Gary Dunn
Open Slate Project
It's an anonymous user:
...........
An anonymous reader writes "F-Secure's Virus Blog posted