SoBig.F Phase 2 - about to start, or not

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 08/22/03

    Date:         Fri, 22 Aug 2003 14:58:05 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    You know me, I like to go out on a limb.

    SoBig.F has an additional component (to the virus mass-mailing): it checks in with 20 IP addresses (home machines, we believe) that are listening on UDP 8998. Those machines return an encrypted web address, which the SoBig.F infected machines are supposed to then go to and pick up some executable. What that executable will do is unknown, but if anything, it most likely spams (the SoBig author has been known to spam from infected machines).

    People have been hard at work ensuring the 20 machines are blocked, but they may not be. This thing triggers at 1900 UTC, all machines will go at that point.

    The most likely scenario is that the 20 sites are either blocked, or DoS'd as a result of the request load. Infected systems are to try these IPs for 3 hours, then again on Sunday/Monday. Should they get the web address(es) they will then likely DoS the web servers too.

    I believe it's unlikely that anything much will come of this, but of course I could be wrong. Look for surges in traffic volume, or traffic on UDP 8998. Do that for about 5 minutes, then go home for the weekend.

    By Sunday when this thing triggers again, all 20 IPs will almost definitely be closed.

    Cheers,
    Russ - NTBugtraq Editor
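The detection Russ suggests (watch for UDP 8998 traffic and for a volume surge around 1900 UTC) can be turned into a small log triage script. The following is an added example, not code from the post or from NTBugtraq; the log format, the 10.x source hosts, the 203.0.113.x/198.51.100.x destinations (RFC 5737 documentation ranges standing in for the 20 control hosts, which the post does not list) and the thresholds are all constructed for illustration. The fan-out check is the interesting part: a worm walking a list of 20 control addresses produces one source host contacting many distinct destinations on the same port in a short window, which is a much stronger signal than a single datagram to port 8998.

```python
"""Flag hosts showing the SoBig.F check-in pattern: outbound UDP to port 8998
fanning out to several distinct destinations within a short window, plus a
per-minute volume count for spotting the 1900 UTC surge.

Everything below (log format, addresses, thresholds) is constructed for this
example and is not taken from the original post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed firewall log lines (not real traffic).  Destinations use the
# RFC 5737 documentation ranges as placeholders for the control hosts.
SAMPLE_LOG = """\
2003-08-22T18:59:50Z ACCEPT src=10.1.1.7 dst=198.51.100.9 proto=udp dport=53
2003-08-22T19:00:01Z ACCEPT src=10.1.1.5 dst=203.0.113.10 proto=udp dport=8998
2003-08-22T19:00:01Z ACCEPT src=10.1.1.5 dst=203.0.113.11 proto=udp dport=8998
2003-08-22T19:00:02Z ACCEPT src=10.1.1.5 dst=203.0.113.12 proto=udp dport=8998
2003-08-22T19:00:02Z ACCEPT src=10.1.1.5 dst=203.0.113.13 proto=udp dport=8998
2003-08-22T19:00:03Z DROP   src=10.1.1.9 dst=203.0.113.10 proto=udp dport=8998
2003-08-22T19:00:03Z DROP   src=10.1.1.9 dst=203.0.113.14 proto=udp dport=8998
2003-08-22T19:00:03Z DROP   src=10.1.1.9 dst=203.0.113.15 proto=udp dport=8998
2003-08-22T19:00:04Z ACCEPT src=10.1.1.7 dst=203.0.113.10 proto=udp dport=8998
2003-08-22T19:00:05Z ACCEPT src=10.1.1.7 dst=198.51.100.9 proto=tcp dport=80
2003-08-22T19:00:07Z ACCEPT src=10.1.1.7 dst=198.51.100.20 proto=tcp dport=8998
"""

# Hypothetical key=value firewall format; adapt the regex to your own logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)$"
)
WATCH_PORT = 8998  # the check-in port named in the post


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    ev["dport"] = int(ev["dport"])
    return ev


def udp_8998_events(log_text):
    """Keep only UDP datagrams to the watched port.  DROPs are kept on
    purpose: a blocked attempt still tells you which host tried to check in."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["proto"].lower() == "udp" and ev["dport"] == WATCH_PORT:
            events.append(ev)
    return events


def fanout_by_source(events, window=timedelta(minutes=5)):
    """Per source host, the number of distinct destinations contacted on the
    watched port within `window` of that host's first attempt."""
    first_seen = {}
    dsts = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        first_seen.setdefault(src, ev["ts"])
        if ev["ts"] - first_seen[src] <= window:
            dsts[src].add(ev["dst"])
    return {src: len(d) for src, d in dsts.items()}


def suspect_hosts(log_text, min_distinct_dst=3):
    """Hosts that fanned out to at least `min_distinct_dst` control addresses.
    A single hit to one destination is weak evidence; walking the list is the
    behaviour worth paging someone about.  The threshold is a constructed value."""
    fanout = fanout_by_source(udp_8998_events(log_text))
    return sorted(src for src, n in fanout.items() if n >= min_distinct_dst)


def events_per_minute(log_text):
    """Watched-port datagrams per UTC minute, for eyeballing the surge."""
    buckets = defaultdict(int)
    for ev in udp_8998_events(log_text):
        buckets[ev["ts"].strftime("%Y-%m-%dT%H:%MZ")] += 1
    return dict(buckets)


if __name__ == "__main__":
    print("suspect hosts:", suspect_hosts(SAMPLE_LOG))
    print("udp/8998 per minute:", events_per_minute(SAMPLE_LOG))
```

On the constructed sample, 10.1.1.5 and 10.1.1.9 are flagged (four and three distinct control addresses respectively), while 10.1.1.7 is not: it touched one address once, and its TCP connection to port 8998 is ignored because the post describes a UDP listener. In practice the fan-out threshold should sit well below 20, since some of the control hosts will already be unreachable when an infected machine starts its sweep.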


