Re: SoBig.F Phase 2 - about to start, or not
From: Gary Warner (gar_at_ASKGAR.COM)
Date: Fri, 22 Aug 2003 14:11:11 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
as of RIGHT NOW the second address on the list is still responding to
traffic, and it *IS* listening on port 80.
HOPEFULLY that is someone's honeypot box and not the real ComCast box.
(The ping times are REALLY long on that box....wonder why?)
(This is my name-checks on the IP addresses released by ISS X-Force)
126.96.36.199 - dialup-188.8.131.52.Dial1.LosAngeles1.Level3.net
184.108.40.206 - pcp04447100pcs.verona01.nj.comcast.net
220.127.116.11 - cs679241-67.jam.rr.com
18.104.22.168 - modemcable081.207-131-66.nowhere.mc.videotron.ca
22.214.171.124 - sdn-ap-030caburbP0194.dialsprint.net
126.96.36.199 - Kingston-HSE-ppp3559860.sympatico.ca
188.8.131.52 - Toronto-HSE-ppp3672941.sympatico.ca
184.108.40.206 - HSE-Montreal-ppp3465567.sympatico.ca
220.127.116.11 - ???
18.104.22.168 - HSE-Toronto-ppp3480573.sympatico.ca
22.214.171.124 - ???
126.96.36.199 - dhcp024-210-182-156.woh.rr.com
188.8.131.52 - modemcable043.91-202-24.mtl.mc.videotron.ca
184.108.40.206 - user-0ccis9.cable.mindspring.com
220.127.116.11 - ip-24-197-143-132.spart.sc.charter.com
18.104.22.168 - ???
22.214.171.124 - cpe-024-033-066-038.cinci.rr.com
126.96.36.199 - ???
188.8.131.52 - 12-232-104-221.client.attbi.com
184.108.40.206 - pcp694043pcs.anaprd01.md.comcast.net
> You know me, I like to go out on a limb.
> SoBig.F has an additional component (to the virus mass-mailing), it checks in with 20 IP addresses (home machines, we believe) that are listening on UDP 8998. Those machines return an encrypted web address, which the SoBig.F infected machines are supposed to then go to and pick up some executable. What that executable will do is unknown, but if anything, it most likely spams (the SoBig author has been known to spam from infected machines.)
> People have been hard at work ensuring the 20 machines are blocked, but they may not be. This thing triggers at 1900 UTC, all machines will go at that point.
Whatever Happened to Octopus?
LEGATO RepliStor, formerly known as Octopus, delivers breakthrough
replication performance that's 5X faster than the competition in an
independent head-to-head test. Learn how RepliStor uses patented,
asynchronous, real-time replication, to deliver disaster recovery, data
distribution and consolidated backups. It is the first replication solution
to achieve Windows 2003 certification. Get the performance report now.