** Sobig.F attack expected 3:00pm to 6:00pm EST today [Friday 22]

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 08/22/03


Date: Fri, 22 Aug 2003 13:30:32 -0400


Relatively new information about the Sobig.F worm activity happening TODAY:

Around 3:00pm to 6:00pm today EST, Friday 22 August 2003 and Sunday 24
August 2003, computers that are currently infected with the Sobig.F worm
will be directed by the worm to connect to the Internet and then download
and run a mystery program.

No one knows what this program will do. AFAIK, the virus authors are not
making the download executable available until the attack begins.

Antivirus updates downloaded August 19 or later should detect Sobig.F.

The Sobig.F worm is believed to use the ports UDP 8998 as well as 995
through 999 UDP [the former for command and control outbound from the
infected device possibly involving the "master servers," the others opened
and listening inbound on the infected workstation].

There is a list of the host names and IP addresses the ones the worm will
attempt to download from, but this list is not yet public information as far
as I know. Reportedly it may be on www.google.com/groups, but I didn't see
it when I searched.

Sobig.F infected machines may be using UDP port 123 [NTP] to check the time
once per hour from one of the time servers below:

 200.68.60.246
 62.119.40.98
 150.254.183.15
 132.181.12.13
 193.79.237.14
 131.188.3.222
 131.188.3.220
 193.5.216.14
 193.67.79.202
 133.100.11.8
 193.204.114.232
 138.96.64.10
 chronos.cru.fr
 212.242.86.186
 128.233.3.101
 142.3.100.2
 200.19.119.69
 137.92.140.80
 129.132.2.21

A workstation infected with Sobig.F should contain the following file and
registry entries:

 %windir%\winppr32.exe e.g. c:\winnt\winppr32.exe

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "TrayX" = %windir%\winppr32.exe /sinc

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "TrayX" = %windir%\winppr32.exe /sinc

As new information is discovered about the purpose of this mystery program
download, it will be posted at the sites below:

http://www.f-secure.com/v-descs/sobig_f.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

Other sites with information:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
&VSect=T
http://vil.nai.com/vil/content/v_100561.htm

I received this information pretty much only from the F-secure.com mailing
list [though it's corroborated by the Symantec web site as well].

-----Original Message-----
From: Sirkia, Jaana [mailto:Jaana.Sirkia@F-Secure.com]
Sent: Friday, August 22, 2003 8:38 AM
To: press-pr@lists.F-Secure.com;
press-english-virus-announcement@lists.F-Secure.com;
press-english-technical@lists.F-Secure.com
Subject: MEDIA RELEASE:A potentially massive Internet attack starts
today

This press release comes from F-Secure. For more
information on F-Secure's mailing list policy,
see end of message.

PRESS RELEASE

August 22, 2003

A potentially massive Internet attack starts today
Sobig.F downloads and executes a mysterious program on Friday at 19:00 UTC

F-Secure Corporation is warning about a new level of attack to be unleashed
by the Sobig.F worm today.

Windows e-mail worm Sobig.F, which is currently the most widespread worm in
the world, has created massive e-mail outages globally since it was found on
Tuesday the 18th of August - four days ago. The worm spreads itself via
infected e-mail attachments in e-mails with a spoofed sender address. Total
amount of infected e-mails seen in the Internet since this attack started is
close to 100 million.

However, the Sobig.F worm has a surprise attack in its sleeve. All the
infected computers are entering a second phase today, on Friday the 22nd of
August, 2003. These computers are using atom clocks to synchronize the
activation to start exactly at the same time around the world: at 19:00:00
UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).

On this moment, the worm starts to connect to machines found from an
encrypted list hidden in the virus body. The list contains the address of 20
computers located in USA, Canada and South Korea.

"These 20 machines seem to be typical home PCs, connected to the Internet
with always-on DSL connections", says Mikko Hypponen, Director of Anti-Virus
Research at F-Secure. "Most likely the party behind Sobig.F has broken into
these computers and they are now being misused to be part of this attack".

The worm connects to one of these 20 servers and authenticates itself with a
secret 8-byte code. The servers respond with a web address. Infected
machines
download a program from this address - and run it. At this moment it is
completely unknown what this mystery program will do.

F-Secure has been able to break into this system and crack the encryption,
but currently the web address sent by the servers doesn't go anywhere. "The
developers of the virus know that we could download the program beforehand,
analyse it and come up with countermeasures", says Hypponen. "So apparently
their plan is to change the web address to point to the correct address or
addresses just seconds before the deadline. By the time we get a copy of the
file, the infected computers have already downloaded and run it".

Right now, nobody knows what this program does. It could do damage, like
deleting files or unleash network attacks. Earlier versions of Sobig have
executed similar but simpler routines. With Sobig.E, the worm downloaded a
program which removed the virus itself (to hide its tracks), and then
started
to steal users network and web passwords. After this the worm installed a
hidden email proxy, which has been used by various spammers to send their
bulk commercial emails through these machines without the owners of the
computers knowing anything about it. Sobig.F might do something similar -
but
we won't know until 19:00 UTC today.

"As soon as we were able to crack the encryption used by the worm to hide
the
list of the 20 machines, we've been trying to close them down", explains
Mikko Hypponen. F-Secure has been working with officials, authorities and
various CERT organizations to disconnect these machines from the Internet.
"Unfortunately, the writers of this virus have been waiting for this move
too." These 20 machines are chosen from the networks of different operators,
making it quite likely that there won't be enough time to take them all down
by 19:00 UTC. Even if just one stays up, it will be enough for the worm.

The advanced techniques used by the worm make it quite obvious it's not
written by a typical teenage virus writer. The fact that previous Sobig
variants we're used by spammers on a large scale adds an element of
financial
gain. Who's behind all this? "Looks like organized crime to me", comments
Mikko Hypponen.

F-Secure is monitoring the Sobig.F developments through the night on Friday
the 22nd. Updates will be posted to Sobig.F's virus description at
http://www.f-secure.com/v-descs/sobig_f.shtml

F-Secure Anti-Virus can detect and stop this worm. F-Secure Anti-Virus can
be
downloaded from http://www.f-secure.com

About F-Secure

F-Secure Corporation is the leading provider of centrally managed security
solutions for the mobile enterprise. The company's award-winning products
include antivirus, file encryption and network security solutions for major
platforms from desktops to servers and from laptops to handhelds. Founded in
1988, F-Secure has been listed on the Helsinki Exchanges since November
1999.
The company is headquartered in Helsinki, Finland, with the North American
headquarters in San Jose, California, as well as offices in Germany, Sweden,
Japan and the United Kingdom and regional offices in the USA. F-Secure is
supported by a network of value added resellers and distributors in over 90
countries around the globe. Through licening and distribution agreements,
the
company's security applications are available for the products of the
leading
handheld equipment manufacturers, such as Nokia and HP.

Finland:
F-Secure Corporation
Mikko Hypponen, Director, Anti-Virus Research
PL 24
FIN-00181 Helsinki
Tel +358 9 2520 5513
Fax. +358 9 2520 5001
Email Mikko.Hypponen@F-Secure.com

For more information, please contact:

Media contact in the USA:
F-Secure Inc.
Heather Deem,
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel +1 408 350 2178
Fax +1 408 938 6701
Email Heather.Deem@F-Secure.com

http://www.F-Secure.com/

Mailing list policy

You have previously expressed interest in our products, or have asked to be
included on one of our press release lists by personally giving us your
e-mail address for this purpose. Our mailing list are for the exclusive use
and the expressed purpose of F-Secure and are not sold or given to third
parties.

If you no longer wish to receive our press releases, or your email address
has been added to our lists without your consent, you can unsubscribe at
http://www.F-Secure.com/news/subscribe.html

If you only wish to receive our press releases concerning viruses,
please go to
http://www.F-Secure.com/news/subscribe.html
and first unsubscribe from
press-english-interest@lists.F-Secure.com
and then subscribe to
press-english-virus-announcement@lists.F-Secure.com

*****************************************
Jaana Sirkiš, Communications Manager
F-Secure Corporation
PL 24
FIN 00181-Helsinki
Tel. +358 9 2520 5290
Fax +358 9 2520 5018
Mobile +358 400 303096
http://www.F-Secure.com
*******************************************