Re: Anyone else seeing a radical increase in Sobig?

From: James C. Slora Jr. (Jim.Slora_at_phra.com)
Date: 08/20/03

  • Next message: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"
    To: "Chip Mefford" <cmefford@avwashington.com>, <incidents@securityfocus.com>
    Date: Wed, 20 Aug 2003 07:22:45 -0400

    Chip Mefford wrote:
    > As of ~0930 GMT -5, we started seeing a large
    > group of emails containing Win32/Sobig.F@mm
    > more in the last 2 hours than we've seen in the
    > last 4 months. Coming from different netblocks
    > as well.

    Oh, yes. This is huge. I've gotten hundreds so far. All come through
    low-priority MXs, and they appear to use the same list of addresses to fake
    the "From" field and the recipient.

    About 1/10 of the incoming infected messages are "returned mail"
    notifications from over quota, no such address, etc. Some of them are from
    mail servers that are _STILL_ in this day and age configured to return
    virus-infected mail intact.

    This means that badly configured or inflexible antivirus screeners are
    helping distribute the virus by returning it to the "From" address faked
    by the virus.
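Editor's note, added to this archive page and not part of Jim's message or the list: the behaviour he describes (a gateway detecting the worm and then "returning" it to the forged sender) is the filter decision that matters most for a mass mailer, so here is a worked version of it. Matching on executable attachment extensions stands in for a real antivirus verdict, the `return_infected_mail` switch reproduces the misconfiguration, and all three sample messages, addresses and host names are constructed for the example.

```python
# Added example (not from the original post): how a content filter should
# treat a message that carries a worm payload. Extension matching below is a
# stand-in for a real antivirus verdict; every sample message is constructed.
from email import message_from_bytes
from email.message import Message
from email.policy import default

# Extensions mass mailers of the Sobig era shipped their payload under.
EXEC_EXTS = (".pif", ".scr", ".exe", ".com", ".bat", ".vbs")


def parse(raw: bytes) -> Message:
    return message_from_bytes(raw, policy=default)


def executable_attachments(msg: Message) -> list:
    """Filenames of executable attachments, including any nested inside a
    message/rfc822 part (the original message quoted back in a bounce)."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXTS):
            names.append(name)
    return names


def is_bounce(msg: Message) -> bool:
    """True for an RFC 3464 delivery status notification, or for anything
    sent with the null envelope sender that bounces are required to use."""
    dsn = (msg.get_content_type() == "multipart/report"
           and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    return dsn or (msg.get("Return-Path") or "").strip() == "<>"


def filter_action(raw: bytes, return_infected_mail: bool = False) -> str:
    """Return 'deliver', 'discard' or 'bounce'.

    return_infected_mail=True reproduces the misconfiguration in the post:
    the worm is bounced, intact, to the From address. A mass mailer forges
    From, so that hands the payload to an uninvolved third party."""
    msg = parse(raw)
    if not executable_attachments(msg):
        return "deliver"
    if is_bounce(msg):
        # Backscatter: another site already bounced the worm to a forged
        # sender, and that forged sender is one of ours. Never bounce a bounce.
        return "discard"
    return "bounce" if return_infected_mail else "discard"


# Constructed sample: the worm's own mail, forged From, payload in a .pif.
WORM = b"""\
From: forged.user@example.net
To: victim@example.org
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="worm"

--worm
Content-Type: text/plain

See the attached file for details.
--worm
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--worm--
"""

# Constructed sample: an "over quota" DSN from a gateway that returned the
# worm intact; the forged sender is now the recipient.
BACKSCATTER = b"""\
Return-Path: <>
From: Mail Delivery System <postmaster@example.com>
To: forged.user@example.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn
Content-Type: text/plain

The user's mailbox is over quota.
--dsn
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.com

Final-Recipient: rfc822; someone@example.com
Action: failed
Status: 5.2.2
--dsn
Content-Type: message/rfc822

""" + WORM + b"""--dsn--
"""

# Constructed sample: ordinary mail with no attachment.
CLEAN = b"""\
From: alice@example.org
To: bob@example.org
Subject: lunch
Content-Type: text/plain

Noon?
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM), ("backscatter", BACKSCATTER), ("clean", CLEAN)):
        print(f"{label:12s} misconfigured -> {filter_action(raw, True):8s}"
              f" fixed -> {filter_action(raw)}")
```

The design point is the order of the checks: an inbound bounce that still carries the payload is recognised before any "return to sender" logic runs, so the filter can never re-bounce it, and the only way an infected message ever leaves the gateway is with `return_infected_mail` deliberately switched on. A production filter would take its verdict from the scanner rather than from filename extensions, but the decision tree is the same.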

