Sobig.F (was Re: AV/Spam Alert)

From: Rob, grandpa of Ryan, Trevor, Devon & Hannah (rslade_at_SPRINT.CA)
Date: 08/22/03

    Date:         Thu, 21 Aug 2003 14:08:15 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    While this is not a technical issue, I would like to take this opportunity to try and
    make a point.

    I would encourage everyone to try to promote some user education in this
    instance. Sobig.F is, by my own and a number of other assessments, generating the
    largest number of copies of any virus/worm to date. And it is not doing it through
    any sophisticated technical tricks. Simple user education is going to be much more
    effective.

    Sobig never was sophisticated, and it isn't now. It *doesn't* use the iframe
    vulnerability (and only those with old Outlooks would get hit with that, anyway).
    OK, it fakes the headers (particularly the From and Return-Path). It uses multiple
    subject lines and filenames. But it uses the same message body--"See the attached
    file for details"--and that was the same body that the earlier variants used as well.
    (One report indicates that Sobig.F may have an "update" capability, but I have not
    assessed this yet. I doubt that it will be significant.)

    DON'T OPEN FILE ATTACHMENTS. How hard is that? Yes, there are valid
    times to use attachments, but the default action should be *not* to open an
    attachment. (Note that you should not accept attachments simply because you
    know the username it supposedly came from: the way Sobig spoofs addresses
    means that it is likely you may know the address it is apparently "from.")
    Particularly when the message body is so vague. How many Alices are there out
    there, going around swallowing anything that says "Eat Me" and "Drink Me"?
    *Lots* apparently.

    Sobig load is increasing: over 15 hours last night I received 52 copies in my inbox,
    up from yesterday's 47 in 20 hours (and, as previously noted, well exceeding the
    previous record for Klez at its height). This morning, in a four hour stretch, I got
    30. (On the slightly bright side, spammers seem to have been affected: other
    spam seems slightly down today :-)

    As others have noted, Sobig uses its own SMTP engine, and spoofs both the From
    and Return-Path headers on a random basis, so that is no indication. Most subject
    lines I have received have been:
    Your details
    Re: Re: My details
    Thank you!
    Re: Thank you!
    Re: That movie
    Re: Your application
    Re: Approved
    Re: Wicked screensaver

    Others may be found in the lists and detailed descriptions at the URLs below.

    However, the message body is always "Please see the attached file for details." so
    that is a reliable indicator. In addition, I've had a look at more headers, and the
    following two seem to appear in every copy I've received:

    X-MailScanner: Found to be clean

    X-Mailer: Microsoft Outlook Express 6.00.2600.0000

    Once again, *PLEASE* spread the word: DO NOT OPEN ATTACHMENTS. If
    in doubt, don't. Sobig uses no special technology beyond this rather simplistic
    social engineering. (Can anyone tell me: is there any content scanner lazy enough
    to be bypassed by the X-MailScanner header?)

    http://www.sophos.com/virusinfo/analyses/w32sobigf.html
    http://www.f-secure.com/v-descs/sobig_f.shtml

    ====================== (quote inserted randomly by Pegasus Mailer)
    rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
    Ah! When I were lad, we used to 'ave t'wait 40 milliseconds
    on noisy channel wi' 'uge 58 volt bits *and* rounded edges
    for a network link to come oop--*and* login both ends!
    http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
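The traits the post lists (a fixed body text, a small set of subject lines, the X-MailScanner and X-Mailer headers seen in every copy, and an attachment) can be turned into a mail-triage check. This is an added example for defenders, not code from the post or from NTBugtraq; the sample messages are constructed, and, as the post says, the spoofed From/Return-Path headers are deliberately not used as a signal.

```python
"""Score an RFC 822 message against the Sobig.F traits described in the post."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the post, compared case-insensitively.
SOBIG_SUBJECTS = {
    "your details", "re: re: my details", "thank you!", "re: thank you!",
    "re: that movie", "re: your application", "re: approved",
    "re: wicked screensaver",
}
# Both phrasings of the body quoted in the post (trailing period stripped).
SOBIG_BODIES = {"see the attached file for details",
                "please see the attached file for details"}
# Headers the post reports in every copy received.
SOBIG_HEADERS = {"X-MailScanner": "found to be clean",
                 "X-Mailer": "microsoft outlook express 6.00.2600.0000"}

def plain_body(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""

def sobig_indicators(raw: bytes) -> list[str]:
    """Return the names of the Sobig.F traits present in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SOBIG_SUBJECTS:
        hits.append("subject")
    if plain_body(msg).lower().rstrip(".") in SOBIG_BODIES:
        hits.append("body")
    for name, value in SOBIG_HEADERS.items():
        if (msg.get(name) or "").strip().lower() == value:
            hits.append(f"header:{name}")
    if any(p.get_filename() for p in msg.iter_attachments()):
        hits.append("attachment")
    return hits

def is_probable_sobig(raw: bytes) -> bool:
    # The body text is the reliable trait; require two more to limit false hits.
    hits = sobig_indicators(raw)
    return "body" in hits and len(hits) >= 3

def build_sample(subject: str, body: str, headers: dict) -> bytes:
    """Constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "spoofed@example.com", "me@example.com", subject
    for name, value in headers.items():
        m[name] = value
    m.set_content(body)
    m.add_attachment(b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="details.zip")
    return m.as_bytes()

SAMPLE_SOBIG = build_sample("Re: Thank you!", "Please see the attached file for details.",
                            {"X-MailScanner": "Found to be clean",
                             "X-Mailer": "Microsoft Outlook Express 6.00.2600.0000"})
SAMPLE_BENIGN = build_sample("Re: Thank you!", "Thanks, my review notes are attached.",
                             {"X-Mailer": "Microsoft Outlook Express 6.00.2600.0000"})
```

The benign sample shares a subject line, the X-Mailer header and an attachment with the worm, which is why the check is keyed on the fixed body text rather than on any single header.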
