Sobig-F ready to download mystery program
SearchSecurity.com | 8/22/03 | Edward Hurley
Posted on 08/22/2003 7:05:19 PM PDT by 6ppc
By Edward Hurley, SearchSecurity.com News Writer
22 Aug 2003, SearchSecurity.com
A new danger has emerged from the epidemic spread of the mass-mailing Sobig-F worm as security experts warned today that the worm is set to download a mystery program as early as a few hours from now.
Sobig-F is scheduled to download an unknown application every Friday and Sunday from today through Sept. 10, between 3 p.m. and 6 p.m. EDT. The worm contacts one of 20 remote servers, authenticates itself and then receives a URL. It uses that URL to download an application, which it then runs.
At 1 p.m. EDT, experts were not sure what the application would be. Some speculate the writer could use those servers and others they have hijacked to launch a distributed denial-of-service attack. Most likely the worm writer won't reveal the URL until just before the coded time range. In the meantime, antivirus experts are trying to disable the 20 servers the worm would use to download the URL. "So far, we have been pretty successful at it," said F-Secure manager of antivirus research Mikko Hypponen.
"The developers of the virus know that we could download the program beforehand, analyze it and come up with countermeasures," Hypponen said. "So apparently their plan is to change the Web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers [will] have already downloaded and run it."
Companies can take some proactive steps today to protect against the worm's download routine. For example, blocking outgoing traffic on UDP port 8998 would stop the worm from connecting to the servers, said Chris Belthoff, senior security analyst at Lynnfield, Mass.-based Sophos Inc. The worm uses the Network Time Protocol (NTP) to determine the time, so companies could also block NTP queries leaving the network, he said.
Users are also encouraged to update their antivirus pattern files and scan their systems to make sure they are not infected. If they cannot, turning off infected machines would be an option, Hypponen said. The worm's download routine operates only in the three-hour windows on Fridays and Sundays. It will repeat the process each week until Sept. 10, when the worm is set to turn itself off.
"I really think this is like a match in a forest fire," said Ian Hameroff, security strategist for Islandia, N.Y.-based Computer Associates International Inc. He noted that Sobig-F is still spreading, albeit at lower levels than earlier in the week.
Talk of what the mystery program is would be speculative. Past Sobig variants did some tricky things. For example, Sobig.E downloaded a program that removed itself from systems to hide itself. Another program on infected machines then tried to steal passwords.
Sobig-F surprised many observers this week. At first it was believed to be a minor issue, because it was the sixth variant in a family that had gained only mild traction. But improvements to its mailing engine allowed Sobig-F to spread very quickly, so much so that it choked some networks as infected systems blasted out copies of the worm.
TOPICS: News/Current Events
KEYWORDS: microsoft; security; techindex; virus; windows; worm
1 posted on 08/22/2003 7:05:20 PM PDT by 6ppc
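Detection logic for the egress controls the article describes (blocking outbound UDP port 8998 and outbound NTP), written as an added example that is not part of the article: it parses constructed iptables-style gateway log lines and reports, per internal host, attempts to reach UDP/8998 and UDP/123, and how many of the 8998 attempts fell inside the worm's Friday/Sunday 3-6 p.m. EDT window. Assumptions: the gateway logs in EDT local time, the year is 2003 (syslog omits it), and the log prefix, hostnames and addresses are made up.

```python
import re
from datetime import datetime

# Sobig-F download routine per the article: Fridays and Sundays, 3-6 p.m. EDT, over UDP/8998; NTP for time.
SOBIG_DAYS = {4, 6}                     # datetime.weekday(): Friday=4, Sunday=6
SOBIG_START_HOUR, SOBIG_END_HOUR = 15, 18
SOBIG_PORT, NTP_PORT = 8998, 123

# Constructed iptables-style egress log lines (hostnames and addresses are made up).
SAMPLE_LOG = """\
Aug 22 14:58:01 gw kernel: EGRESS DROP IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.9 PROTO=UDP SPT=1034 DPT=8998
Aug 22 15:02:44 gw kernel: EGRESS DROP IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.9 PROTO=UDP SPT=1035 DPT=8998
Aug 22 15:03:10 gw kernel: EGRESS DROP IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=203.0.113.5 PROTO=UDP SPT=2048 DPT=123
Aug 22 15:05:00 gw kernel: EGRESS DROP IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=203.0.113.7 PROTO=UDP SPT=2049 DPT=8998
Aug 22 16:20:31 gw kernel: EGRESS ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.99 DST=203.0.113.50 PROTO=TCP SPT=3001 DPT=80
"""

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2003):
    """Return the fields of one firewall log line, or None if it does not match (year assumed: syslog omits it)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}

def in_sobig_window(ts):
    """True if a timestamp (assumed gateway-local EDT) falls in a Friday/Sunday 15:00-18:00 slot."""
    return ts.weekday() in SOBIG_DAYS and SOBIG_START_HOUR <= ts.hour < SOBIG_END_HOUR

def flag_hosts(log_text):
    """Per internal source host: UDP/8998 attempts, NTP attempts, and 8998 attempts inside the worm's window."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dpt"] not in (SOBIG_PORT, NTP_PORT):
            continue
        h = hosts.setdefault(rec["src"], {"udp8998": 0, "ntp": 0, "in_window": 0})
        if rec["dpt"] == SOBIG_PORT:
            h["udp8998"] += 1
            h["in_window"] += in_sobig_window(rec["ts"])   # bool adds as 0 or 1
        else:
            h["ntp"] += 1
    return hosts
```

A host that hits UDP/8998 inside the window is the strongest candidate for the "turn it off and scan it" advice above; NTP-only hits are weaker and need a second signal, since legitimate clock sync uses the same port.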
Comment #2 Removed by Moderator
To: 6ppc
Block ICMP at the firewall and shoot all Outlook users. Problem solved!
3 posted on 08/22/2003 7:13:24 PM PDT by thoughtomator (Are we conservatives, or are we Republicans?)
To: 6ppc
Another thread mentioned a 19:00 UCT/Zulu launch window today.
4 posted on 08/22/2003 7:23:07 PM PDT by Milwaukee_Guy (The Law of Unintended Consequences - No Good Deed Shall Go Unpunished.)
To: 6ppc
The fact SoBig-F stops attempting to download the mystery program on September 10th, one day before the 2nd anniversary of the World Trade Center attack, may be telling.
Perhaps the malware program is intended to execute on 9/11...
5 posted on 08/22/2003 7:26:44 PM PDT by Swordmaker (Tag line extermination service, no tagline too long or too short. Low prices. Freepmail me for quote)
To: 6ppc
My next computer will be a Mac, virus problem solved
6 posted on 08/22/2003 7:27:41 PM PDT by blastdad51 (Proud father of an Enduring Freedom vet, and friend of a soldier lost in Afghanistan)
To: Ernest_at_the_Beach
Sobig update...
7 posted on 08/22/2003 7:28:04 PM PDT by MizSterious (Support whirled peas!)
To: blastdad51
I'm on a G4 running OS X - it's nice. Kind of expensive, but it's worth it, IMO. You *can* get a virus, but you really have to work at it.
8 posted on 08/22/2003 7:30:26 PM PDT by Salo
To: Milwaukee_Guy
Oops, should be UTC - Universal Time Coordinated. Same as GMT or the military Zulu time.
9 posted on 08/22/2003 7:32:25 PM PDT by Milwaukee_Guy (The Law of Unintended Consequences - No Good Deed Shall Go Unpunished.)
To: MizSterious; *tech_index; Salo; shadowman99; Sparta; freedom9; martin_fierro; PatriotGames; ...
Thanks for the ping. Been trying to update my other machine all day, except Microsoft servers are SLOW today! Never did get it done!
OFFICIAL BUMP(TOPIC)LIST
10 posted on 08/22/2003 7:53:45 PM PDT by Ernest_at_the_Beach (All we need from a Governor is a VETO PEN!!!)
To: 6ppc
11 posted on 08/22/2003 7:55:28 PM PDT by steplock (www.FOCUS.GOHOTSPRINGS.com)
To: thoughtomator
"Block ICMP at the firewall and shoot all Outlook users. Problem solved!"
I can't convince anyone of the truth of what you say. Good luck to you.
12 posted on 08/22/2003 8:00:21 PM PDT by Graybeard58 (I don't get even, I get odder.)
To: blastdad51; Salo; snopercod
Macs here, too. Running Mac OS X v. 10.2.6. On every Mac, the Mac OS X firewall is on 24/7, in addition to the firewall at the router to the Internet. We routinely monitor that router's (Linksys broadband gateway model BEFSX41, $64.00 at ecost.com) detailed firewall logs and adjust additional rules accordingly.
So far, most of the attacks on the router are from the Netherlands and the southwest Pacific Rim; also from some AT&T users 'round New Jersey. They are all looking for opportunities at the ports that would be used by Microsoft Windows NT / 2000 / 2003 Servers that are typically acting as routers to the Internet for local area networks.
Inside the local area network, in addition to the Macs, each PC has its own firewall application permitting only that machine's needed traffic.
For PCs, I'd recommend Zone Alarm Pro 4.x or the Kerio Personal Firewall.
General operating rule: The Internet connection must have a firewall and stateful packet inspection ("SPI") enabled.
To: 6ppc
14 posted on 08/22/2003 8:57:40 PM PDT by beckett
To: Salo
I've got a Mac, too, but my bulk e-mail box is getting filled with returned mail that I didn't send. Some worm on someone else's computer is getting my address from their address book and sending out mail that is spoofing my address. The mail gets bounced back to me, so even though I don't have a Mac or use Outlook, I'm being bothered by this worm. I'm at a point where I have to prescreen everything on the server level before I download.
To: 6ppc
They say Macs don't run as many programs as Windows. Thank God!
16 posted on 08/22/2003 9:05:56 PM PDT by toupsie
To: blastdad51
Makes sense, since Commodore would be equally safe, since both are used by at most 3% of computer users.
It isn't that Mac is better, it has just not been worth the effort to be attacked by hackers.
17 posted on 08/22/2003 9:11:10 PM PDT by A CA Guy (God Bless America, God bless and keep safe our fighting men and women.)
FREE PC PROTECTION:
18 posted on 08/22/2003 9:19:19 PM PDT by martin_fierro (A v v n c v l v s M a x i m v s)
To: 6ppc
Here's what I got from Symantec
8/21/2003
_____________________________
In this issue:
1. Virus Alert! W32.Sobig.F@mm
2. Feedback
3. Subscribing and unsubscribing
4. Disclaimer
_____________________________
NOTE: This is an outgoing email address. Do not reply to this email
message. If you require assistance with installing, configuring, or
troubleshooting a Symantec product, or if you have a question for Customer
Service, then visit the Symantec Service & Support Web site at the
following Internet address:
http://www.symantec.com/techsupp/
To view this and prior News Bulletins in HTML format, visit the following
Internet address:
http://www.symantec.com/techsupp/vURL.cgi/navarc
_____________________________
1. Virus Alert! W32.Sobig.F@MM
Due to the number of submissions received from customers, Symantec Security
Response has upgraded this threat to a Category 4 from a Category 3 threat
as of August 21, 2003.
W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to
all the email addresses it finds in the files that have the following
extensions:
.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt
The worm uses its own SMTP engine to propagate and attempts to create a
copy of itself on accessible network shares, but fails due to bugs in the
code.
This threat will be detected by virus definitions having August 19, 2003.
Symantec Security Response has developed a removal tool to clean the
infections of W32.Sobig.F@mm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html
Also Known As: Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM SOBIG.F
[Trend], W32/Sobig-F [Sophos], Win32.Sobig.F [CA], I-Worm.Sobig.f [KAV]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows
NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x
For additional information, visit the following Internet address:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
_____________________________
2. Feedback
Do you have feedback that can help us provide better products or services?
If so, then we want to hear from you. Visit the Symantec suggestion box at
the following Internet address, and let us know how we can improve:
http://www.symantec.com/feedback/
_____________________________
3. Subscribing and unsubscribing
If you want to subscribe to other Symantec newsletters, or you want to
unsubscribe, then follow the instructions at the following Internet
address:
http://www.symantec.com/techsupp/bulletin/index.html
If you are unable to successfully unsubscribe, then follow these steps:
1. Create a new email message addressed to:
LISTSERV@LSERVER.SYMANTEC.COM
2. In the Subject line, type the following:
UNSUBSCRIBE
3. In the body of the message, type the following:
SIGNOFF NAV-TECHINFO-L
4. Send the message.
If you want to unsubscribe from other Symantec newsletters, then follow the
above steps changing the SIGNOFF list name in step 3 to the appropriate
list name. Each News Bulletin you receive will contain the correct list
name.
_____________________________
4. Disclaimer
THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics
discussed as of the date of this document. The information contained in
this message is provided "as is" without warranty of any kind, either
expressed or implied, including but not limited to the implied warranties
of merchantability, fitness for a particular purpose, and freedom from
infringement. The user assumes the entire risk as to the accuracy and the
use of this document. This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec
Corporation. Other brands and products are trademarks of their respective
holder(s).
(c) Copyright 2003 Symantec Corporation. All rights reserved. Materials may
not be published in other documents without the express, written permission
of Symantec Corporation.
19 posted on 08/22/2003 9:23:37 PM PDT by Salvation (†With God all things are possible.†)
To: A CA Guy
"It isn't that Mac is better, it has just not been worth the effort to be attacked by hackers."
I wonder why the users of Microsoft Products don't hie their asses into court as a class and sue Bill Gates for malfeasance. His company continuously and purposely sells defective merchandise.
I can't believe that the twice weekly security warnings coming out of Redmond are contemporary; someone within Microsoft knows about these things and fails to act.
The purveyors of this Swiss-cheese software are as guilty as the hackers, if not more so, in my opinion.
20 posted on 08/22/2003 9:50:05 PM PDT by IncPen