Re: ** Sobig.F attack expected 3:00pm to 6:00pm EST today [Friday 22]
From: Jonathan Maltz [MS-MVP] (jmaltz_at_mvps.org)
Date: Fri, 22 Aug 2003 21:23:14 -0400
Anyone find out what this mystery EXE is?
--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be deleted without reading.

"Karl Levinson [x y] mvp" <firstname.lastname@example.org> wrote in message news:eUHy2KNaDHA.1492@TK2MSFTNGP12.phx.gbl...
>
> Relatively new information about the Sobig.F worm activity happening TODAY:
>
> Around 3:00pm to 6:00pm today EST, Friday 22 August 2003 and Sunday 24 August 2003, computers that are currently infected with the Sobig.F worm will be directed by the worm to connect to the Internet and then download and run a mystery program.
>
> No one knows what this program will do. AFAIK, the virus authors are not making the download executable available until the attack begins.
>
> Antivirus updates downloaded August 19 or later should detect Sobig.F.
>
> The Sobig.F worm is believed to use the ports UDP 8998 as well as 995 through 999 UDP [the former for command and control outbound from the infected device, possibly involving the "master servers," the others opened and listening inbound on the infected workstation].
>
> There is a list of the host names and IP addresses that the worm will attempt to download from, but this list is not yet public information as far as I know. Reportedly it may be on www.google.com/groups, but I didn't see it when I searched.
>
> Sobig.F-infected machines may be using UDP port 123 [NTP] to check the time once per hour from one of the time servers below:
>
> chronos.cru.fr
>
> A workstation infected with Sobig.F should contain the following file and registry entries:
>
> %windir%\winppr32.exe  e.g. c:\winnt\winppr32.exe
>
> [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> "TrayX" = %windir%\winppr32.exe /sinc
>
> [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> "TrayX" = %windir%\winppr32.exe /sinc
>
> As new information is discovered about the purpose of this mystery program download, it will be posted at the sites below:
>
> http://www.f-secure.com/v-descs/sobig_f.shtml
> http://email@example.com
>
> Other sites with information:
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F&VSect=T
> http://vil.nai.com/vil/content/v_100561.htm
>
> I received this information pretty much only from the F-secure.com mailing list [though it's corroborated by the Symantec web site as well].
>
> -----Original Message-----
> From: Sirkia, Jaana [mailto:Jaana.Sirkia@F-Secure.com]
> Sent: Friday, August 22, 2003 8:38 AM
> To: press-pr@lists.F-Secure.com; press-english-virus-announcement@lists.F-Secure.com; press-english-technical@lists.F-Secure.com
> Subject: MEDIA RELEASE: A potentially massive Internet attack starts today
>
> This press release comes from F-Secure. For more information on F-Secure's mailing list policy, see end of message.
>
> PRESS RELEASE
>
> August 22, 2003
>
> A potentially massive Internet attack starts today
> Sobig.F downloads and executes a mysterious program on Friday at 19:00 UTC
>
> F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today.
>
> Windows e-mail worm Sobig.F, which is currently the most widespread worm in the world, has created massive e-mail outages globally since it was found on Tuesday the 18th of August - four days ago. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. The total number of infected e-mails seen on the Internet since this attack started is close to 100 million.
>
> However, the Sobig.F worm has a surprise attack up its sleeve. All the infected computers are entering a second phase today, on Friday the 22nd of August, 2003. These computers are using atomic clocks to synchronize the activation to start exactly at the same time around the world: at 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).
>
> At this moment, the worm starts to connect to machines found in an encrypted list hidden in the virus body. The list contains the addresses of 20 computers located in the USA, Canada and South Korea.
>
> "These 20 machines seem to be typical home PCs, connected to the Internet with always-on DSL connections", says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "Most likely the party behind Sobig.F has broken into these computers and they are now being misused to be part of this attack".
>
> The worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a web address. Infected machines download a program from this address - and run it. At this moment it is completely unknown what this mystery program will do.
>
> F-Secure has been able to break into this system and crack the encryption, but currently the web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyse it and come up with countermeasures", says Hypponen. "So apparently their plan is to change the web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it".
>
> Right now, nobody knows what this program does. It could do damage, like deleting files or unleashing network attacks. Earlier versions of Sobig have executed similar but simpler routines. With Sobig.E, the worm downloaded a program which removed the virus itself (to hide its tracks), and then started to steal users' network and web passwords. After this the worm installed a hidden e-mail proxy, which has been used by various spammers to send their bulk commercial e-mails through these machines without the owners of the computers knowing anything about it. Sobig.F might do something similar - but we won't know until 19:00 UTC today.
>
> "As soon as we were able to crack the encryption used by the worm to hide the list of the 20 machines, we've been trying to close them down", explains Mikko Hypponen. F-Secure has been working with officials, authorities and various CERT organizations to disconnect these machines from the Internet. "Unfortunately, the writers of this virus have been waiting for this move too." These 20 machines are chosen from the networks of different operators, making it quite likely that there won't be enough time to take them all down by 19:00 UTC. Even if just one stays up, it will be enough for the worm.
>
> The advanced techniques used by the worm make it quite obvious it's not written by a typical teenage virus writer.
> The fact that previous Sobig variants were used by spammers on a large scale adds an element of financial gain. Who's behind all this? "Looks like organized crime to me", comments Mikko Hypponen.
>
> F-Secure is monitoring the Sobig.F developments through the night on Friday the 22nd. Updates will be posted to Sobig.F's virus description at http://www.f-secure.com/v-descs/sobig_f.shtml
>
> F-Secure Anti-Virus can detect and stop this worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com
>
> About F-Secure
>
> F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company's award-winning products include antivirus, file encryption and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North American headquarters in San Jose, California, as well as offices in Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licensing and distribution agreements, the company's security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia and HP.
>
> Finland:
> F-Secure Corporation
> Mikko Hypponen, Director, Anti-Virus Research
> PL 24
> FIN-00181 Helsinki
> Tel +358 9 2520 5513
> Fax +358 9 2520 5001
> Email Mikko.Hypponen@F-Secure.com
>
> For more information, please contact:
>
> Media contact in the USA:
> F-Secure Inc.
> Heather Deem
> 675 N. First Street, 5th Floor
> San Jose, CA 95112
> Tel +1 408 350 2178
> Fax +1 408 938 6701
> Email Heather.Deem@F-Secure.com
>
> http://www.F-Secure.com/
>
> Mailing list policy
>
> You have previously expressed interest in our products, or have asked to be included on one of our press release lists by personally giving us your e-mail address for this purpose. Our mailing lists are for the exclusive use and the express purpose of F-Secure and are not sold or given to third parties.
>
> If you no longer wish to receive our press releases, or your email address has been added to our lists without your consent, you can unsubscribe at http://www.F-Secure.com/news/subscribe.html
>
> If you only wish to receive our press releases concerning viruses, please go to http://www.F-Secure.com/news/subscribe.html and first unsubscribe from press-english-interest@lists.F-Secure.com and then subscribe to press-english-virus-announcement@lists.F-Secure.com
>
> *****************************************
> Jaana Sirkiä, Communications Manager
> F-Secure Corporation
> PL 24
> FIN 00181-Helsinki
> Tel. +358 9 2520 5290
> Fax +358 9 2520 5018
> Mobile +358 400 303096
> http://www.F-Secure.com
> *******************************************
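The host indicators quoted in the thread (the dropped %windir%\winppr32.exe, the "TrayX" Run entries under HKCU and HKLM, and the inbound UDP 995-999 listeners) can be checked on a workstation with the following triage script. It is an added example, not code from the thread or from F-Secure; the function name and report format are the example's own, and it assumes a PowerShell host where Get-NetUDPEndpoint exists (Windows 8 / Server 2012 and later; the port check is skipped otherwise).

```powershell
# Triage check for the Sobig.F host indicators quoted in the thread.
# Example code, not F-Secure's; the function name and output format are assumptions.
function Test-SobigF {
    $findings = @()

    # 1. Dropped executable in the Windows directory (%windir%\winppr32.exe).
    $exe = Join-Path $env:windir 'winppr32.exe'
    if (Test-Path -LiteralPath $exe) {
        $findings += "File present: $exe"
    }

    # 2. Persistence: a "TrayX" value in either per-user or machine Run key.
    $runKeys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'TrayX' -ErrorAction SilentlyContinue).TrayX
        if ($value) {
            $findings += "Run entry: $key\TrayX = $value"
        }
    }

    # 3. Inbound UDP listeners on 995-999, the ports the post says the worm opens.
    #    Get-NetUDPEndpoint is only available on Windows 8 / Server 2012 and later.
    if (Get-Command Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        $endpoints = Get-NetUDPEndpoint |
            Where-Object { $_.LocalPort -ge 995 -and $_.LocalPort -le 999 }
        foreach ($ep in $endpoints) {
            $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
            $findings += "UDP listener: port $($ep.LocalPort) owned by PID $($ep.OwningProcess) ($($proc.ProcessName))"
        }
    }

    return $findings
}

# Report. Any single finding warrants pulling the host off the network and
# running a current AV scan (definitions dated 19 August 2003 or later per the post).
$found = @(Test-SobigF)
if ($found.Count -eq 0) {
    "No Sobig.F indicators found on ${env:COMPUTERNAME}"
} else {
    "Sobig.F indicators found on ${env:COMPUTERNAME}:"
    $found | ForEach-Object { "  $_" }
}
```

A listener on 995-999 alone is not conclusive (other software can bind those ports), so treat the file and Run-key hits as the primary indicators and the port check as corroboration.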