Slashdot Mirror
So, Who Wrote Sobig?
An anonymous reader writes "F-Secure's Virus Blog posted links to a 48-page technical study on who wrote the infamous Sobig worm which went around the world last year. The study is done by anonymous authors.
The study concludes that author of this worm is a Russian programmer and goes out all the way to name him. This file has now been posted publicly but on Geocities and and Tripod. So you can have a look by yourself and make your own conclusions."
I'm a whore! Mirror: HERE!
You're all bastards!
Not me.
Ummm, you realize that you're telling the entire /. community that they should look at Geocities and Tripod accounts, right? This should last, oh, about 5 seconds.
A French magazine named Kasperski, a former KGB agent and now an antivirus publisher.
They said he happened to develop such things and then ask the major AV editors to bid in order to get the virus specs first...
Not sure if it's that accurate but it will sure raise some tin-foil-heads interest...
Trolling using another account since 2005.
Ruslan Ibragimov of Russia
Official GOD FAQ.
Kinda funny how the BSD devil up on the /. bar is looking at the worm...maybe he fears retribution?
DAMN YOU OCTODOG! DAMN YOU TO HELL!
This is bs. The word linux did not appear once in the paper. Furthermore, all the other software written by him mentioned in the paper was windows software, mostly used for spamming.
5.4 Motive to Write Sobig Senders of spam typically relay their email messages through open proxy servers in a continuing effort to obscure the true sending host. With the proliferation of blacklists and other anti-spam systems, spam senders are finding it more and more difficult to locate available open proxy servers. By opening multiple proxy services on millions of compromised systems, a spam sender could very quickly and anonymously relay messages without the fear of being identified. Sobig provides the following two benefits for spam senders: 1. Sobig opens multiple proxy servers on systems that are not blacklisted; 2. Sobig spreads very quickly, infecting and re-infecting millions of systems in under a week. These benefits provide spam senders with a very large base of open proxy servers. Even though most of the infected systems will be cleaned within a week, there will be some systems that will remain infected to continually provide open proxies for weeks or even months. We believe that Sobig was most likely written to support spam software. Any user or developer of spam mailing software, including Ruslan Ibragimov and Send-Safe, would be financially eager to leverage malware such as Sobig.
Doesn't say anything about linux as far as I can see....
Malware written for fun isn't any less damaging, I guess, but when apparently written specifically for a commercial purpose (sending spam in this case) it's certainly more annoying IMHO. At least if this case is anything to go by, there's likely to be more of a forensic trail left by the perpetrators due to the associated commercial activities. I hope this Ibragimov guy gets what's coming to him.
Oh no... it's the future.
One site was down before the story went active. The other shouldn't last long. The document is 48 pages. 26 are a hex dump. Here are two pages, sections 1 & 2, the Introduction and Overview. Pardon the messy text; I imported from PDF an fixed it up as best I could quickly.
1 About This Document
August 18, 2003 was a day of infamy in the world of computer software malware. The Sobig virus, as it was affectionately named by its the anti-virus industry, infected hundreds of thousands of computers within just a few short hours. W32.Sobig.F@mm was a mass-mailing, network-aware worm that sent itself to all the email addresses it could find, worldwide.
Within two days after Sobig was released, an estimated $50 million in damages were reported in the US alone. China had reported over 30% of email traffic had been infected by Sobig, equivalent to over 20 million users! After interrupting freight operations and grounding Air Canada, Sobig went on to cripple computing operations within even the most advanced technology companies, such as Lockheed Martin. Sobig was so virulent that on November 5, 2003 Microsoft, in coordination with the FBI, Secret Service, and Interpol, setup the Anti-Virus Reward Program.
Backed by $5 million from Microsoft, the program offered a $250,000 bounty for information leading to the arrest and conviction of the Sobig author. As the one year anniversary of the Anti-Virus Reward Program bounty for Sobig approaches, we felt this was an appropriate time to publicly release the current state of our Sobig forensic investigation. Appropriately, the authors of this document have chosen to release it anonymously for many reasons, some of which are:
By releasing the information publicly, we hope to increase tips to law enforcement concerning the Sobig authorship and spur efforts toward apprehension of the malware author(s);
This document shows how computer forensics can identify virus authors. The computer forensic methods demonstrated throughout this document have been utilized to successfully identify authors of other viruses as well;
Our focus is the objective analysis of Sobig. It is our contention, position, and belief that associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation.
The following public PGP key is provided for document validation, with the private key component safely locked away as to eliminate any future chance of a lost key pair. Any individual or entity that claims authorship should be able to validate their 'authorship' by signing a message with the corresponding PGP private key.
The included PGP public key prevents unscrupulous people from claiming ownership of this document or attempting to collect the Microsoft bounty;
As this document is present on multiple mirrored sites and has been turned over to law enforcement, anyone modifying the PGP public key will be unable to pass a fake key for potential bounty award;
This PGP public key will only be included is this document. Other documents, where malcontents attempt to place our ownership on other findings, should be considered forgeries unless they include a message
signed with the PGP private key.
In the event that any individual or entity may be able to identify the authors of this document, we urge you to respect our request for anonymity.
2 Overview
Sobig was a virus specifically designed to aid the anonymity of spammers. Sobig opened up services that enabled spammers to relay their emails anonymously. Although publicly the motivation and author of the Sobig virus is unknown, through the use of forensics and profiling, we have identified a very likely suspect and motive. Our research indicates that Ruslan Ibragimov of Moscow, Russia, and/or Ibragimov's development team, authored the Sobig virus. Ibragimov himself is the author of Send-Safe, a bulk mailing tool product that was explicitly designed for sending unsolicited em
I glanced through most of the points the authors make in this document and most of the evidence (if not all) is circumstantial. Although there are a lot of similarities that could lead you to think that he did it, I don't think comparing the skill sets needed write the program to his newsgroup/forum posts and similarities in headers warrants an inquisition.
Granted he should probably burn at the stake just for writing SPAM software...
Let's all go visit the guy. Even if he didn't write Sobig, he's still developing software for spammers.
I don't know if you read much code, but most virus code is horrible. Quite a bit of it is straight from a point-and-click virus builder, and the stuff that is hand written tends not to work as intended. Of course, I am talking about a virus, so maybe it works just like the author wanted it to for all I know....
Geek used to be a four letter word. Now it's a six-figure one.
You have IT skills and have posted to newsgroups since 1996?
We'd like to arrange a meeting with you to discuss some "things"...
- Sincerly, The Dept. of Homeland Security.
Appended to the end of comments you post. 120 chars.
I'm waiting for the study on who wrote the technical study on who wrote the infamous Sobig worm.
And they add in a footnote to that sentence:
So they say they had submitted their research prior to Nov. 5, '03. Why go public now? Though they don't say it, I can't help but think that it was frustration. Their own explanations for why they are going public seem thin to me.
Rome wasn't bilked in a day.
The argument concering that he "had the skills necessary" to create the virus aren't really that convincing to me.
The comparible code-base (unusual string concatanations that appear in both the virus and his commercial software) I suppose I *could* also overlook that because I know that a lot of developers copy code snippets from support pages and such. Especially for such generic functions as sending email.
But, then throw in the fact that send-safe and the sobog virus have very consistent release schedules. That is a little suspicious.
Not only that, but, if you remember when SoBig first came out - it was quite a long time after before people started to realize that it was creating spam proxies. send-safe was using those proxies even before the massive outbreak. Now that is kinda weird.
So, when you add up all of those things, It seems convincing to me. Is it enough to raid his office computers?
TODO: come up with a clever sig
I have only one question for virus writers:
Has anyone ever gotten laid for writing a virus?
Table-ized A.I.
Law enforcement had access to this report 14 months ago and yet Ruslan has still not been charged or arrested. At this point, it seems unlikely that he ever will be. If their is frustration on their part, it lays within this fact. Still, from the looks of it, they were sponsored to write this report and thus were paid. As they state, the "bounty was not our incentive." But nobody writes such a report or does this type of work for free. The only purposes releasing this report to the public serves now is a) Prevents others from collecting a bounty in the UNLIKELY event they attempt to use previously documented evidence already on hold by law enforcement. i) If you are paranoid, then it prevents corrupt officials from trying to let their friends receive bounties by using old information. b) inform Ruslan that he is a suspect if he didn't already know it.
While many of the linux community aren't saints, the attitude-in-general towards viruses and their makers is negetive. You're not going to get a pat-on-the-back from the community for creating an anti-windows virus, you're going to get a kick-in-the-ass for dampening the reputation of the community. Furthermore if a bounty comes up for the virus it's likely somebody will turn you over if possible.
MS would love to be able to state that linux programmers are behind virus attacks on windows, and most are smart enough to realize that.
We don't love windows, but we're smart enough not to dirty our hands with viruses, partly because we hate viruses more than we'll ever hate windows (viruses/etc being in-fact one of the reasons for disliking windows)
We have what's described as an anonymous article, based apparently on pure speculation, on a free webhost, that purports to identify a virus author that, SFAIK, has not yet been arrested?
;-]
Impressive. I can't believe Slashdot got such a big scoop on this one