Re: Anyone else seeing a radical increase in Sobig?

From: James C. Slora Jr. (Jim.Slora_at_phra.com)
Date: 08/20/03

  • Next message: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"
    To: "Chip Mefford" <cmefford@avwashington.com>, <incidents@securityfocus.com>
    Date: Wed, 20 Aug 2003 07:22:45 -0400
    
    

    Chip Mefford wrote
    > As of ~0930 GMT -5, we started seeing a large
    > group of emails containing Win32/Sobig.F@mm
    > more in the last 2 hours than we've seen in the
    > last 4 months. Coming from different netblocks
    > as well.

    Oh, yes. This is huge. I've gotten hundreds so far. All come through
    low-priority MXs, and they appear to use the same list of addresses to fake
    the "From" field and the recipient.

    About 1/10 of the incoming infected messages are "returned mail"
    notifications from over quota, no such address, etc. Some of them are from
    mail servers that are _STILL_ in this day and age configured to return
    virus-infected mail intact.

    This means that badly configured or inflexible antivirus screeners are
    helping to distribute the virus by returning it to the "From" address faked
    by the virus.
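
As an added example (not part of the original post), one way to flag the "returned mail" notifications described above that still carry the original attachment intact. The extension list, the sender heuristic, the function names and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: extensions treated as executable; tune to local filter policy.
RISKY_EXT = {".exe", ".pif", ".scr", ".bat", ".com"}
BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}

def is_bounce(msg):
    """Heuristic: a DSN (multipart/report) or mail from a bounce sender."""
    local = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    return msg.get_content_type() == "multipart/report" or local in BOUNCE_SENDERS

def returned_attachments(raw):
    """Risky attachment names a bounce carries back; [] if none or not a bounce."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return []
    # walk() descends into the embedded message/rfc822 copy of the original.
    names = [part.get_filename() or "" for part in msg.walk()]
    return [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXT]

def sample_bounce(intact):
    """Constructed sample: a bounce returning the original intact or stripped."""
    original = EmailMessage()
    original["From"] = "forged-sender@example.org"
    original["To"] = "no-such-user@example.net"
    original["Subject"] = "constructed sample"
    original.set_content("See the attached file.")
    if intact:
        original.add_attachment(b"constructed placeholder bytes",
                                maintype="application", subtype="octet-stream",
                                filename="sample.pif")
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.net"
    bounce["To"] = "forged-sender@example.org"
    bounce["Subject"] = "Returned mail: user unknown"
    bounce.set_content("The following message could not be delivered.")
    bounce.add_attachment(original)  # embedded as message/rfc822
    return bounce.as_bytes()

if __name__ == "__main__":
    for intact in (True, False):
        print(intact, returned_attachments(sample_bounce(intact)))
```
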
