Re: SoBig.F Phase 2 - about to start, or not

From: Gary Warner (gar_at_ASKGAR.COM)
Date: 08/22/03

  • Next message: Russ: "Re: GONE - What about the little people?"
    Date:         Fri, 22 Aug 2003 14:11:11 -0500

    as of RIGHT NOW the second address on the list is still responding to
    traffic, and it *IS* listening on port 80.

    HOPEFULLY that is someone's honeypot box and not the real ComCast box.

    (The ping times are REALLY long on that box....wonder why?)

    (This is my name-checks on the IP addresses released by ISS X-Force) - - - - - - - - - ??? - - ??? - - - - - ??? - - ??? - -


    Russ wrote:
    > You know me, I like to go out on a limb.
    > SoBig.F has an additional component (to the virus mass-mailing), it checks in with 20 IP addresses (home machines, we believe) that are listening on UDP 8998. Those machines return an encrypted web address, which the SoBig.F infected machines are supposed to then go to and pick up some executable. What that executable will do is unknown, but if anything, it most likely spams (the SoBig author has been known to spam from infected machines.)
    > People have been hard at work ensuring the 20 machines are blocked, but they may not be. This thing triggers at 1900 UTC, all machines will go at that point.

    Whatever Happened to Octopus?

    LEGATO RepliStor, formerly known as Octopus, delivers breakthrough
    replication performance that's 5X faster than the competition in an
    independent head-to-head test. Learn how RepliStor uses patented,
    asynchronous, real-time replication, to deliver disaster recovery, data
    distribution and consolidated backups. It is the first replication solution
    to achieve Windows 2003 certification. Get the performance report now.


  • Next message: Russ: "Re: GONE - What about the little people?"