Re: Anyone else seeing a radical increase in Sobig?

From: James C. Slora Jr. (Jim.Slora_at_phra.com)
Date: 08/20/03

Next message: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"

Previous message: Alexander Reelsen: "Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794"
In reply to: Chip Mefford: "Anyone else seeing a radical increase in Sobig?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Chip Mefford" <cmefford@avwashington.com>, <incidents@securityfocus.com>
Date: Wed, 20 Aug 2003 07:22:45 -0400

Chip Mefford wrote
> As of ~0930 GMT -5, we started seeing a large
> group of emails containing Win32/Sobig.F@mm
> more in the last 2 hours than we've seen in the
> last 4 months. Comming from different netblocks
> as well.

Oh, yes. This is huge. I've gotten hundreds so far. All come through
low-priority MXs, and they appear to use the same list of addresses to fake
the "From" field and the recipient.

About 1/10 of the incoming infected messages are "returned mail"
notifications from over quota, no such address, etc. Some of them are from
mail servers that are _STILL_ in this day and age configured to return
virus-infected mail intact.

This means that badly configured or inflexible antivirus screeners are
helping distribute to the virus by returning it to the "From" address faked
by the virus.

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
- Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------

Next message: Peter Ellison: "RE: DCOM worm with get.bat bot.rar"

Previous message: Alexander Reelsen: "Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794"
In reply to: Chip Mefford: "Anyone else seeing a radical increase in Sobig?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Increasing ICMP Echo Requests
... In the company I'm working for, we also have noticed a increasing number of ICPM request. ... > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
(Incidents)
Re: Increasing ICMP Echo Requests
... We are looking into filtering ICMP echo ... >Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
(Incidents)
RE: DCOM worm with get.bat bot.rar
... DCOM worm with get.bat bot.rar ... > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... > - Ensure Reliable Performance of Mission Critical Applications ...
(Incidents)
Re: lots of sobig virus emails.
... they shouldn't be sending mail to the ... Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... Ensure Reliable Performance of Mission Critical Applications ...
(Incidents)
RE: Microsoft extinguishes windowsupdate.com
... Subject: Microsoft 'extinguishes' windowsupdate.com ... Captus Networks - Integrated Intrusion Prevention and Traffic Shaping ... - Ensure Reliable Performance of Mission Critical Applications ...
(Incidents)