Re: SoBig.F Phase 2 - about to start, or not
From: Gary Warner (gar_at_ASKGAR.COM)
Date: 08/22/03
- Previous message: Mongold, Tom: "MS03-031 patch for Named pipes denial of service bug"
- In reply to: Russ: "SoBig.F Phase 2 - about to start, or not"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 22 Aug 2003 14:11:11 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
as of RIGHT NOW the second address on the list is still responding to
traffic, and it *IS* listening on port 80.
HOPEFULLY that is someone's honeypot box and not the real ComCast box.
(The ping times are REALLY long on that box....wonder why?)
(This is my name-checks on the IP addresses released by ISS X-Force)
67.73.21.6 - dialup-67.73.21.6.Dial1.LosAngeles1.Level3.net
68.38.159.161 - pcp04447100pcs.verona01.nj.comcast.net
67.9.241.67 - cs679241-67.jam.rr.com
66.131.207.81 - modemcable081.207-131-66.nowhere.mc.videotron.ca
65.177.240.194 - sdn-ap-030caburbP0194.dialsprint.net
65.93.81.59 - Kingston-HSE-ppp3559860.sympatico.ca
65.95.193.138 - Toronto-HSE-ppp3672941.sympatico.ca
65.92.186.145 - HSE-Montreal-ppp3465567.sympatico.ca
63.250.82.87 - ???
65.92.80.218 - HSE-Toronto-ppp3480573.sympatico.ca
61.38.187.59 - ???
24.210.182.156 - dhcp024-210-182-156.woh.rr.com
24.202.91.43 - modemcable043.91-202-24.mtl.mc.videotron.ca
24.206.75.137 - user-0ccis9.cable.mindspring.com
24.197.143.132 - ip-24-197-143-132.spart.sc.charter.com
12.158.102.205 - ???
24.33.66.38 - cpe-024-033-066-038.cinci.rr.com
218.147.164.29 - ???
12.232.104.221 - 12-232-104-221.client.attbi.com
68.50.208.96 - pcp694043pcs.anaprd01.md.comcast.net
_-_
gar
Russ wrote:
>
> You know me, I like to go out on a limb.
>
> SoBig.F has an additional component (to the virus mass-mailing), it checks in with 20 IP addresses (home machines, we believe) that are listening on UDP 8998. Those machines return an encrypted web address, which the SoBig.F infected machines are supposed to then go to and pick up some executable. What that executable will do is unknown, but if anything, it most likely spams (the SoBig author has been known to spam from infected machines.)
>
> People have been hard at work ensuring the 20 machines are blocked, but they may not be. This thing triggers at 1900 UTC, all machines will go at that point.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Whatever Happened to Octopus?
LEGATO RepliStor, formerly known as Octopus, delivers breakthrough
replication performance that's 5X faster than the competition in an
independent head-to-head test. Learn how RepliStor uses patented,
asynchronous, real-time replication, to deliver disaster recovery, data
distribution and consolidated backups. It is the first replication solution
to achieve Windows 2003 certification. Get the performance report now.
http://portal1.legato.com/products/replistor/upgrade.cfm
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
- Previous message: Mongold, Tom: "MS03-031 patch for Named pipes denial of service bug"
- In reply to: Russ: "SoBig.F Phase 2 - about to start, or not"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
