An Update on Sobig.F: Mystery Attack Scheduled for Today
"Toothless" Worm Had Hidden Fangs
August 22 2003
Virus Update
On August 19, we alerted you to the Sobig.F worm that was filling its victims'
inboxes with avalanches of junk mail. Since then, startling new facts have emerged
showing that Sobig.F is potentially far more destructive than first imagined.
Today, anti-virus vendor F-Secure alerted the world to hidden attack
instructions lurking within Sobig.F's code. The worm's author encrypted these
instructions, and F-Secure decrypted them just last night. We now understand more
of Sobig.F's attack sequence, and it reads like something straight out of a
sci-fi thriller.
Sobig.F contains a list of 20 IP addresses belonging to different personal
computers around the world, all apparently on broadband connections. Sobig.F-
infected machines silently synchronize their clocks with Internet time servers,
so every copy of the worm agrees on the same time in Coordinated Universal Time
(UTC) regardless of the victim's local time zone. In a synchronized attack
scheduled for today at 19:00:00 UTC (12:00 noon Pacific Daylight Time), the
hundreds of thousands of Sobig.F-infected machines around the world will connect
to the 20 IP addresses hidden in the worm's code, then download and execute an
unknown mystery program.
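Because the worm keys its retrieval phase to a UTC instant and to a fixed list of
destination addresses, an administrator can find infected machines on the inside
of the network by looking for outbound connections to those addresses around the
trigger time. The script below is an added example, not code from the original
alert or from F-Secure: it scans constructed firewall log lines for internal
hosts that contact a retrieval host inside the trigger window, and it converts
every timestamp to UTC first, because a firewall logging in local time will
otherwise make an 18:59 PDT entry look like it falls just before the 19:00 UTC
trigger. The three addresses in the list are placeholder documentation addresses
standing in for the worm's real 20 (which this page does not reproduce), the
three-hour window length and the log format are assumptions, and the log lines
are constructed rather than captured traffic.

```python
# Added example: triage egress logs for the Sobig.F retrieval phase.
# Not the worm's code and not from the original alert; assumptions are labelled.
from datetime import datetime, timedelta, timezone

# ASSUMPTION: placeholder addresses (RFC 5737 documentation ranges) standing in
# for the worm's real list of 20 retrieval hosts, which this page does not list.
RETRIEVAL_HOSTS = {"192.0.2.10", "198.51.100.7", "203.0.113.45"}

# The alert gives the trigger as 19:00:00 UTC on 22 August 2003.  The worm keeps
# its own clock synchronised, so the window must be expressed in UTC.
TRIGGER = datetime(2003, 8, 22, 19, 0, 0, tzinfo=timezone.utc)
# ASSUMPTION: keep watching for three hours after the trigger for stragglers.
WINDOW_START, WINDOW_END = TRIGGER, TRIGGER + timedelta(hours=3)

# Constructed sample log lines (not real traffic).  Assumed format:
#   <ISO 8601 timestamp with UTC offset> <src> <dst> <proto> <dport> <action>
# The first two lines are stamped in Pacific Daylight Time (-07:00), as a
# firewall logging in local time would write them; the rest are stamped in UTC.
SAMPLE_LOG = """\
2003-08-22T12:00:03-07:00 10.0.0.5 192.0.2.10 udp 8998 allow
2003-08-22T18:59:30-07:00 10.0.0.7 192.0.2.10 udp 8998 allow
2003-08-22T19:05:00+00:00 10.0.0.9 198.51.100.7 tcp 80 allow
2003-08-22T19:10:00+00:00 10.0.0.12 192.0.2.99 udp 53 allow
2003-08-22T10:00:00+00:00 10.0.0.20 203.0.113.45 udp 8998 deny
2003-08-22T19:30:00+00:00 10.0.0.31 203.0.113.45 tcp 80 deny
""".splitlines()


def parse_line(line):
    """Split one log line into its fields; the timestamp keeps its UTC offset."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "action": action}


def in_window(ts, start=WINDOW_START, end=WINDOW_END):
    """True if an offset-aware timestamp falls inside [start, end), compared in UTC.

    A naive (offset-less) timestamp is refused rather than guessed at: comparing
    local wall-clock time against a UTC window is exactly the mistake that hides
    the 12:00 PDT trigger or surfaces a harmless 18:59 PDT entry."""
    if ts.tzinfo is None:
        raise ValueError("naive timestamp: cannot compare against a UTC window")
    return start <= ts.astimezone(timezone.utc) < end


def find_infected(lines, start=WINDOW_START, end=WINDOW_END, hosts=RETRIEVAL_HOSTS):
    """Map each internal source that contacted a retrieval host inside the window
    to the firewall actions seen for it.  A 'deny' still identifies an infected
    host (it tried); an 'allow' means the mystery payload may have been fetched."""
    hits = {}
    for line in lines:
        ev = parse_line(line)
        if ev["dst"] in hosts and in_window(ev["ts"], start, end):
            hits.setdefault(ev["src"], set()).add(ev["action"])
    return hits


def local_time(ts_utc, offset_hours):
    """Express a UTC instant in a fixed-offset zone, e.g. -7 for PDT in August."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


if __name__ == "__main__":
    print("Trigger in Pacific Daylight Time:", local_time(TRIGGER, -7).strftime("%H:%M"))
    for src, actions in sorted(find_infected(SAMPLE_LOG).items()):
        print(src, "contacted a retrieval host; firewall actions:", sorted(actions))
```

Run against the sample, the scan reports 10.0.0.5 (its 12:00:03 PDT stamp is
19:00:03 UTC), 10.0.0.9 and 10.0.0.31, and it does not report 10.0.0.7, whose
18:59:30 PDT stamp is 01:59:30 UTC the next day, well outside the window. The
denied connection from 10.0.0.31 is still reported, because a host that tries to
reach the retrieval list is infected whether or not the firewall let it through.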
Given that Sobig's author has carefully issued, improved, and re-issued the
worm six times since January, we take that to mean the mystery program will be
more dangerous than typical script-kiddie fare. Note, however, that this is our
speculation; the code could turn out to be a mild prank that simply displays an
ego-driven hacker message on an infected machine's screen. When it comes to your
network, we figure "better safe than sorry," so we're treating the attack
seriously.
Anti-virus researchers cannot learn what the malicious code will do because
it has not yet been placed on the 20 servers for download. They assume the
author will upload it seconds before the attack is scheduled to start.
As we wrote this, Reuters reported that law enforcement authorities had shut
down 12 of the 20 IP addresses from which Sobig.F will download its attack.
However, because the 20 addresses are scattered around the world, it's unlikely
that all of them will be taken down before the attack takes place. Some version
of Sobig.F's mystery attack will occur.
Date: 08/24/2004