Re: SoBig.F Phase 2 - about to start, or not

From: Gary Warner (gar_at_ASKGAR.COM)
Date: 08/22/03

    Date:         Fri, 22 Aug 2003 14:11:11 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    as of RIGHT NOW the second address on the list is still responding to
    traffic, and it *IS* listening on port 80.

    HOPEFULLY that is someone's honeypot box and not the real ComCast box.

    (The ping times are REALLY long on that box....wonder why?)

    (These are my name-checks on the IP addresses released by ISS X-Force)

       67.73.21.6 - dialup-67.73.21.6.Dial1.LosAngeles1.Level3.net
       68.38.159.161 - pcp04447100pcs.verona01.nj.comcast.net
       67.9.241.67 - cs679241-67.jam.rr.com
       66.131.207.81 - modemcable081.207-131-66.nowhere.mc.videotron.ca
       65.177.240.194 - sdn-ap-030caburbP0194.dialsprint.net
       65.93.81.59 - Kingston-HSE-ppp3559860.sympatico.ca
       65.95.193.138 - Toronto-HSE-ppp3672941.sympatico.ca
       65.92.186.145 - HSE-Montreal-ppp3465567.sympatico.ca
       63.250.82.87 - ???
       65.92.80.218 - HSE-Toronto-ppp3480573.sympatico.ca
       61.38.187.59 - ???
       24.210.182.156 - dhcp024-210-182-156.woh.rr.com
       24.202.91.43 - modemcable043.91-202-24.mtl.mc.videotron.ca
       24.206.75.137 - user-0ccis9.cable.mindspring.com
       24.197.143.132 - ip-24-197-143-132.spart.sc.charter.com
       12.158.102.205 - ???
       24.33.66.38 - cpe-024-033-066-038.cinci.rr.com
       218.147.164.29 - ???
       12.232.104.221 - 12-232-104-221.client.attbi.com
       68.50.208.96 - pcp694043pcs.anaprd01.md.comcast.net

    _-_
    gar

    Russ wrote:
    >
    > You know me, I like to go out on a limb.
    >
    > SoBig.F has an additional component (to the virus mass-mailing); it checks in with 20 IP addresses (home machines, we believe) that are listening on UDP 8998. Those machines return an encrypted web address, which the SoBig.F infected machines are supposed to then go to and pick up some executable. What that executable will do is unknown, but if anything, it most likely spams (the SoBig author has been known to spam from infected machines).
    >
    > People have been hard at work ensuring the 20 machines are blocked, but they may not be. This thing triggers at 1900 UTC, all machines will go at that point.
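The check-in behaviour Russ describes (infected hosts polling 20 fixed addresses on UDP 8998) and Gary's name-checked address list lend themselves to a simple egress-log triage. The script below is an added example and is not part of the original list post: it takes the 20 addresses exactly as listed above, runs a few constructed firewall log lines (the `src=... dst=... proto=... dport=...` layout is an assumption, not any real firewall's format) through a parser, and flags UDP/8998 traffic to a listed host as a check-in while reporting other traffic to those hosts as weaker evidence. Nothing in it touches the network; the reverse names are carried along only to enrich the alert.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The 20 check-in addresses from the post, with the reverse names Gary found
# ("???" where his lookup returned nothing). Used only for matching/enrichment.
SOBIG_F_CHECKIN_HOSTS: Dict[str, str] = {
    "67.73.21.6": "dialup-67.73.21.6.Dial1.LosAngeles1.Level3.net",
    "68.38.159.161": "pcp04447100pcs.verona01.nj.comcast.net",
    "67.9.241.67": "cs679241-67.jam.rr.com",
    "66.131.207.81": "modemcable081.207-131-66.nowhere.mc.videotron.ca",
    "65.177.240.194": "sdn-ap-030caburbP0194.dialsprint.net",
    "65.93.81.59": "Kingston-HSE-ppp3559860.sympatico.ca",
    "65.95.193.138": "Toronto-HSE-ppp3672941.sympatico.ca",
    "65.92.186.145": "HSE-Montreal-ppp3465567.sympatico.ca",
    "63.250.82.87": "???",
    "65.92.80.218": "HSE-Toronto-ppp3480573.sympatico.ca",
    "61.38.187.59": "???",
    "24.210.182.156": "dhcp024-210-182-156.woh.rr.com",
    "24.202.91.43": "modemcable043.91-202-24.mtl.mc.videotron.ca",
    "24.206.75.137": "user-0ccis9.cable.mindspring.com",
    "24.197.143.132": "ip-24-197-143-132.spart.sc.charter.com",
    "12.158.102.205": "???",
    "24.33.66.38": "cpe-024-033-066-038.cinci.rr.com",
    "218.147.164.29": "???",
    "12.232.104.221": "12-232-104-221.client.attbi.com",
    "68.50.208.96": "pcp694043pcs.anaprd01.md.comcast.net",
}

CHECKIN_PORT = 8998  # UDP port the worm polls, per the post

# Constructed (assumed) log layout: "<timestamp> src=<ip> dst=<ip> proto=<udp|tcp> dport=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s*$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    rdns: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: dict) -> Optional[str]:
    """Name the reason a record is interesting, or None if it is not."""
    if rec["dst"] not in SOBIG_F_CHECKIN_HOSTS:
        return None
    if rec["proto"] == "udp" and rec["dport"] == CHECKIN_PORT:
        return "sobig-f check-in (udp/8998)"
    # Other traffic to a listed host is weaker evidence: these are ordinary
    # home and dial-up addresses, so report it separately rather than drop it.
    return "other traffic to a listed check-in host"


def scan(lines: List[str]) -> List[Alert]:
    """Parse and classify every line; lines that do not parse are skipped."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"],
                                SOBIG_F_CHECKIN_HOSTS[rec["dst"]], reason))
    return alerts


def likely_infected(alerts: List[Alert]) -> List[str]:
    """Internal sources that produced an actual UDP/8998 check-in, deduplicated."""
    return sorted({a.src for a in alerts if a.reason.startswith("sobig-f check-in")})


# Constructed sample lines: internal sources are RFC 1918, 192.0.2.10 is TEST-NET.
SAMPLE_LOG = [
    "2003-08-22T18:59:02Z src=10.1.4.22 dst=68.38.159.161 proto=udp dport=8998",
    "2003-08-22T18:59:03Z src=10.1.4.22 dst=10.1.0.1 proto=udp dport=53",
    "2003-08-22T18:59:05Z src=10.1.4.22 dst=65.92.80.218 proto=udp dport=8998",
    "2003-08-22T18:59:10Z src=10.1.7.9 dst=65.95.193.138 proto=tcp dport=80",
    "2003-08-22T18:59:11Z src=10.1.7.9 dst=192.0.2.10 proto=tcp dport=80",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst} ({a.rdns}): {a.reason}")
    print("likely infected:", likely_infected(scan(SAMPLE_LOG)))
```

On the sample input this reports two check-ins from 10.1.4.22 and one TCP/80 connection from 10.1.7.9 to a listed Sympatico address; only 10.1.4.22 ends up in the likely-infected list. The split between the two reasons matters because, as Gary's lookups show, the targets are residential DSL, cable and dial-up addresses, and traffic to them on other ports is not by itself proof of infection.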
