Re: ** Sobig.F attack expected 3:00pm to 6:00pm EST today [Friday 22]

From: Jonathan Maltz [MS-MVP] (jmaltz_at_mvps.org)
Date: 08/23/03


Date: Fri, 22 Aug 2003 21:23:14 -0400


Anyone find out what this mystery EXE is?

-- 
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup.  If I see an email I didn't ask for, it will be
deleted without reading.
"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:eUHy2KNaDHA.1492@TK2MSFTNGP12.phx.gbl...
>
> Relatively new information about the Sobig.F worm activity happening
> TODAY:
>
> Around 3:00pm to 6:00pm today EST, Friday 22 August 2003 and Sunday 24
> August 2003, computers that are currently infected with the Sobig.F worm
> will be directed by the worm to connect to the Internet and then download
> and run a mystery program.
>
> No one knows what this program will do.  AFAIK, the virus authors are not
> making the download executable available until the attack begins.
>
> Antivirus updates downloaded August 19 or later should detect Sobig.F.
>
> The Sobig.F worm is believed to use the ports UDP 8998 as well as 995
> through 999 UDP [the former for command and control outbound from the
> infected device possibly involving the "master servers," the others opened
> and listening inbound on the infected workstation].
>
> There is a list of the host names and IP addresses the worm will attempt
> to download from, but this list is not yet public information as far as
> I know.  Reportedly it may be on www.google.com/groups, but I didn't see
> it when I searched.
>
> Sobig.F infected machines may be using UDP port 123 [NTP] to check the
> time once per hour from one of the time servers below:
>
> A workstation infected with Sobig.F should contain the following file and
> registry entries:
>
>  %windir%\winppr32.exe    e.g. c:\winnt\winppr32.exe
>
>  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>  "TrayX" = %windir%\winppr32.exe /sinc
>
>  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>  "TrayX" = %windir%\winppr32.exe /sinc
>
>
> As new information is discovered about the purpose of this mystery program
> download, it will be posted at the sites below:
>
> http://www.f-secure.com/v-descs/sobig_f.shtml
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
>
> Other sites with information:
>
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F&VSect=T
> http://vil.nai.com/vil/content/v_100561.htm
>
>
> I received this information pretty much only from the F-secure.com mailing
> list [though it's corroborated by the Symantec web site as well].
>
> -----Original Message-----
> From: Sirkia, Jaana [mailto:Jaana.Sirkia@F-Secure.com]
> Sent: Friday, August 22, 2003 8:38 AM
> To: press-pr@lists.F-Secure.com;
> press-english-virus-announcement@lists.F-Secure.com;
> press-english-technical@lists.F-Secure.com
> Subject: MEDIA RELEASE: A potentially massive Internet attack starts today
>
> This press release comes from F-Secure. For more
> information on F-Secure's mailing list policy,
> see end of message.
>
> PRESS RELEASE
>
> August 22, 2003
>
> A potentially massive Internet attack starts today
> Sobig.F downloads and executes a mysterious program on Friday at 19:00 UTC
>
> F-Secure Corporation is warning about a new level of attack to be
> unleashed by the Sobig.F worm today.
>
> Windows e-mail worm Sobig.F, which is currently the most widespread worm
> in the world, has created massive e-mail outages globally since it was
> found on Tuesday the 18th of August - four days ago. The worm spreads
> itself via infected e-mail attachments in e-mails with a spoofed sender
> address. Total amount of infected e-mails seen in the Internet since this
> attack started is close to 100 million.
>
> However, the Sobig.F worm has a surprise attack up its sleeve. All the
> infected computers are entering a second phase today, on Friday the 22nd
> of August, 2003. These computers are using atomic clocks to synchronize
> the activation to start exactly at the same time around the world: at
> 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday
> in Sydney).
>
> At this moment, the worm starts to connect to machines found from an
> encrypted list hidden in the virus body. The list contains the addresses
> of 20 computers located in USA, Canada and South Korea.
>
> "These 20 machines seem to be typical home PCs, connected to the Internet
> with always-on DSL connections", says Mikko Hypponen, Director of
> Anti-Virus Research at F-Secure. "Most likely the party behind Sobig.F
> has broken into these computers and they are now being misused to be part
> of this attack".
>
> The worm connects to one of these 20 servers and authenticates itself with
> a secret 8-byte code. The servers respond with a web address. Infected
> machines download a program from this address - and run it. At this
> moment it is completely unknown what this mystery program will do.
>
> F-Secure has been able to break into this system and crack the encryption,
> but currently the web address sent by the servers doesn't go anywhere.
> "The developers of the virus know that we could download the program
> beforehand, analyse it and come up with countermeasures", says Hypponen.
> "So apparently their plan is to change the web address to point to the
> correct address or addresses just seconds before the deadline. By the
> time we get a copy of the file, the infected computers have already
> downloaded and run it".
>
> Right now, nobody knows what this program does. It could do damage, like
> deleting files or unleash network attacks. Earlier versions of Sobig have
> executed similar but simpler routines. With Sobig.E, the worm downloaded a
> program which removed the virus itself (to hide its tracks), and then
> started to steal users' network and web passwords. After this the worm
> installed a hidden email proxy, which has been used by various spammers
> to send their bulk commercial emails through these machines without the
> owners of the computers knowing anything about it. Sobig.F might do
> something similar - but we won't know until 19:00 UTC today.
>
> "As soon as we were able to crack the encryption used by the worm to hide
> the list of the 20 machines, we've been trying to close them down",
> explains Mikko Hypponen. F-Secure has been working with officials,
> authorities and various CERT organizations to disconnect these machines
> from the Internet. "Unfortunately, the writers of this virus have been
> waiting for this move too." These 20 machines are chosen from the
> networks of different operators, making it quite likely that there won't
> be enough time to take them all down by 19:00 UTC. Even if just one stays
> up, it will be enough for the worm.
>
> The advanced techniques used by the worm make it quite obvious it's not
> written by a typical teenage virus writer. The fact that previous Sobig
> variants were used by spammers on a large scale adds an element of
> financial gain. Who's behind all this? "Looks like organized crime to
> me", comments Mikko Hypponen.
>
> F-Secure is monitoring the Sobig.F developments through the night on
> Friday the 22nd. Updates will be posted to Sobig.F's virus description at
> http://www.f-secure.com/v-descs/sobig_f.shtml
>
>
> F-Secure Anti-Virus can detect and stop this worm. F-Secure Anti-Virus can
> be downloaded from http://www.f-secure.com
>
> About F-Secure
>
> F-Secure Corporation is the leading provider of centrally managed security
> solutions for the mobile enterprise. The company's award-winning products
> include antivirus, file encryption and network security solutions for
> major platforms from desktops to servers and from laptops to handhelds.
> Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since
> November 1999. The company is headquartered in Helsinki, Finland, with
> the North American headquarters in San Jose, California, as well as
> offices in Germany, Sweden, Japan and the United Kingdom and regional
> offices in the USA. F-Secure is supported by a network of value added
> resellers and distributors in over 90 countries around the globe. Through
> licensing and distribution agreements, the company's security
> applications are available for the products of the leading handheld
> equipment manufacturers, such as Nokia and HP.
>
> Finland:
> F-Secure Corporation
> Mikko Hypponen, Director, Anti-Virus Research
> PL 24
> FIN-00181 Helsinki
> Tel +358 9 2520 5513
> Fax. +358 9 2520 5001
> Email Mikko.Hypponen@F-Secure.com
>
>
> For more information, please contact:
>
> Media contact in the USA:
> F-Secure Inc.
> Heather Deem,
> 675 N. First Street, 5th Floor
> San Jose, CA 95112
> Tel +1 408 350 2178
> Fax +1 408 938 6701
> Email Heather.Deem@F-Secure.com
>
>
> http://www.F-Secure.com/
>
>
> Mailing list policy
>
> You have previously expressed interest in our products, or have asked to
> be included on one of our press release lists by personally giving us
> your e-mail address for this purpose. Our mailing lists are for the
> exclusive use and the expressed purpose of F-Secure and are not sold or
> given to third parties.
>
> If you no longer wish to receive our press releases, or your email address
> has been added to our lists without your consent, you can unsubscribe at
> http://www.F-Secure.com/news/subscribe.html
>
> If you only wish to receive our press releases concerning viruses,
> please go to
> http://www.F-Secure.com/news/subscribe.html
> and first unsubscribe from
> press-english-interest@lists.F-Secure.com
> and then subscribe to
> press-english-virus-announcement@lists.F-Secure.com
>
> *****************************************
> Jaana Sirkiä, Communications Manager
> F-Secure Corporation
> PL 24
> FIN 00181-Helsinki
> Tel. +358 9 2520 5290
> Fax +358 9 2520 5018
> Mobile +358 400 303096
> http://www.F-Secure.com
> *******************************************
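As an added defender-side example (not code from the original post, from Karl Levinson or from F-Secure), the host and network indicators quoted in the thread (the "TrayX" Run value launching %windir%\winppr32.exe /sinc under HKCU/HKLM, UDP 8998 outbound, UDP 995-999 listening inbound) are checked against a constructed .reg export and constructed firewall log lines. The log line format, the host addresses and the sample registry content are assumptions made for the example.

```python
import re
# IoCs quoted in the thread: Run value "TrayX" -> %windir%\winppr32.exe /sinc
# (HKCU and HKLM); UDP 8998 outbound (C2); UDP 995-999 listening inbound.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
C2_PORT, LISTEN_PORTS = 8998, range(995, 1000)

def find_run_key_indicators(reg_export):
    """Return (key, value name, data) for Run values matching the IoCs."""
    hits, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # new key section
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if current not in RUN_KEYS or not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # un-escape .reg data
        if name.lower() == "trayx" or "winppr32.exe" in data.lower():
            hits.append((current, name, data))
    return hits

def find_suspect_flows(log_lines):
    """Return (host, reason) for UDP flows on the ports quoted above."""
    pat = re.compile(r"proto=(\w+) dir=(in|out) src=(\S+):\d+ dst=(\S+):(\d+)")
    suspect = []
    for line in log_lines:
        m = pat.search(line)
        if not m or m.group(1).upper() != "UDP":
            continue
        direction, src, dst, dport = m.group(2), m.group(3), m.group(4), int(m.group(5))
        if direction == "out" and dport == C2_PORT:
            suspect.append((src, "udp/8998 outbound"))
        elif direction == "in" and dport in LISTEN_PORTS:
            suspect.append((dst, f"udp/{dport} inbound"))
    return suspect

# Constructed sample data (hypothetical hosts, not from the original post).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINNT\\winppr32.exe /sinc"
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"""
SAMPLE_LOG = [
    "proto=UDP dir=out src=10.0.0.7:1045 dst=198.51.100.9:8998",
    "proto=UDP dir=in src=203.0.113.4:4000 dst=10.0.0.7:996",
    "proto=TCP dir=out src=10.0.0.7:1046 dst=198.51.100.9:80",
]
```

The registry check is meant to run over an export produced with `reg export` or regedit, so it works on a file collected from a suspect host rather than needing to run there.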