Free Republic

'Sobig' virus traced to Canadian computer
Ottawa Citizen | August 23, 2003 | Brian Krebs and Joseph Menn, with files from Jason Fekete

Posted on 08/23/2003 5:38:47 PM PDT by gitmo

The fastest spreading Internet virus in history, one that experts feared would paralyse the Internet in an attack scheduled for yesterday afternoon, originated on the personal computer of an unwitting user in B.C., authorities said last night.

The "Sobig" worm, which fizzled yesterday when the 'trojan horse'-type program did nothing more than direct users to an Internet porn site, has bombarded computers with almost 100 million junk messages since Tuesday.

The worm ordered infected Windows machines to download a mysterious program yesterday at 3 p.m.

Even at the cusp of the hour, experts remained in the dark as to the purpose of that unknown program.

But rather than erase files, pilfer passwords or create rogue e-mail servers to spread junk messages -- as experts feared -- the virus made an unexpected turn and downloaded an address for an adult Web site.

"There is nothing malicious, just a standard sex site," said Vincent Weaver, security director with Symantec Security Response, an anti-virus software maker.

Still, experts stress there may be other Sobig variants that harbour other more insidious instructions.

Security experts contained the virus by identifying and blocking as many as 19 out of 20 home computers located mainly in Canada and the U.S. that hundreds of thousands of infected PCs were told to contact, said Symantec representatives. The computers were to provide the infected PCs with an address where new and possibly dangerous software could be downloaded.

One of the 20 computers that remained online passed on the porn site address that experts believed to be benign, said Symantec senior director Stephen Trilling. Sobig instructed computers to keep trying to reach the computers every Friday and Sunday until its expiration Sept. 10, Mr. Trilling said.

Meanwhile, the FBI yesterday served a grand jury subpoena on Easynews.com, a Phoenix-based Internet service provider whose network may have been used to disseminate Sobig. The virus is believed to have been released onto Usenet, a kind of Internet bulletin board, by someone with an account at the service provider, according to Michael Minor, the company's co-owner. A stolen credit card number was used to create the account minutes before the virus was unleashed on Monday, Minor said. His company is co-operating with the FBI, he added.

A computer in British Columbia was apparently used to create the account. Experts said the computer belongs to an innocent home user who was hit by a previous version of the virus that allowed the clandestine programmer to seize control of the computer. That makes catching the writer of the virus more difficult, experts said.

The New York Times said computers at its offices in New York City were shut down when they "experienced difficulties" shortly after noon yesterday. The company wouldn't say for certain that Sobig was the cause, but did stress that it would publish today's edition.

The Sobig virus was part of an onslaught of rogue computer programs -- including a form of the Blaster worm which appeared last week -- that have snarled computer networks and disrupted commercial infrastructure over the past two weeks.

Sobig and two other viruses tried to attack the City of Ottawa's 8,000 computer systems yesterday, overwhelming computers and producing customer service interruptions at the city's seven client centres.

The Welchia and Blaster worm viruses, which have been targeting hundreds of thousands of computers around the world, are having the most impact by interrupting the city's services.

The crawlers discreetly use a person's computer to launch Internet-based attacks against other systems or can automatically download massive files, snarling Internet traffic and creating system failures.

System interruptions at the city were first noticed yesterday around 9 a.m. and continued throughout the day, said Michelle Grégoire, manager of the service centres.

"Clients who had bills and tickets with them were able to pay them. We could still do marriage licenses and general employment information," she said. "What we weren't able to do was look up inquiries into the tax system, water system or parking ticket system. We couldn't access that data, so those questions couldn't be answered."

Customers were also unable to access building permits due to system failures, she said.

The city's technical staff said it will likely take most of the weekend to eradicate the viruses, but expect systems will be fully operational by Monday.


TOPICS: Breaking News; Business/Economy; Canada; Crime/Corruption; Culture/Society; Miscellaneous; News/Current Events; Technical
KEYWORDS: porn; sobig; worm
They have porn sites on the internet?
1 posted on 08/23/2003 5:38:47 PM PDT by gitmo
[ Post Reply | Private Reply | View Replies]

To: gitmo
Who'd a thunk it?
2 posted on 08/23/2003 5:40:25 PM PDT by reagan_fanatic (Ain't Skeered...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: gitmo
UK papers say this stuff is going to peak for an attack on Sept. 11..can it be done even though we know they are trying to do it?
3 posted on 08/23/2003 5:40:30 PM PDT by prarie earth
[ Post Reply | Private Reply | To 1 | View Replies]

To: gitmo
virus made an unexpected turn and downloaded an address for an adult Web site.

Ha! Foiled that dumb ole virus, already had the site bookmarked...... LOL!

4 posted on 08/23/2003 5:44:28 PM PDT by Hot Tabasco (After 30 years of dealing with stupid people, I still haven't earned the right to just shoot them...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: gitmo
"....has bombarded computers with almost 100 million junk messages since Tuesday"

Hmmmmm.... I think there's an error in this number. I've received at least a 100 million bogus email messages from this worm on my own computer alone.

5 posted on 08/23/2003 5:45:58 PM PDT by Jim Robinson (Conservative by nature... Republican by spirit... Patriot by heart... AND... ANTI-Liberal by GOD!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Hot Tabasco
Reckon which site was selected for this honor?
6 posted on 08/23/2003 5:48:25 PM PDT by gitmo (Press any key to continue ... NOT THAT KEY YOU FOOL!)
[ Post Reply | Private Reply | To 4 | View Replies]

To: gitmo
the FBI yesterday served a grand jury subpoena on Easynews.com, a Phoenix-based Internet service provider whose network may have been used to disseminate Sobig.

I use Easynews newservice, wonder if I have any infections from these guys?

7 posted on 08/23/2003 5:49:05 PM PDT by PFKEY
[ Post Reply | Private Reply | To 1 | View Replies]

To: gitmo
What is the penalty for creating and disseminating a virus with the purpose of damaging people's computers? Because I really hope it's life in prison, I really do.
8 posted on 08/23/2003 5:54:38 PM PDT by I still care
[ Post Reply | Private Reply | To 1 | View Replies]

To: PFKEY
Perhaps one should not use the words "easy" "virus" "infection", and "guy" in one sentence.
9 posted on 08/23/2003 5:55:01 PM PDT by X-USAF
[ Post Reply | Private Reply | To 7 | View Replies]

To: X-USAF
Perhaps.

Too funny, thanks for the laugh!
10 posted on 08/23/2003 5:56:25 PM PDT by PFKEY
[ Post Reply | Private Reply | To 9 | View Replies]

To: X-USAF
LOL. I thought the same thing.
11 posted on 08/23/2003 5:56:33 PM PDT by gitmo (Press any key to continue ... NOT THAT KEY YOU FOOL!)
[ Post Reply | Private Reply | To 9 | View Replies]

To: prarie earth
UK papers say this stuff is going to peak for an attack on Sept. 11..can it be done even though we know they are trying to do it?

According to Symantec (Norton),
NOTES:
Symantec Security Response has developed a removal tool to clean the infections of W32.Sobig.F@mm.
12 posted on 08/23/2003 5:59:01 PM PDT by gitmo (Press any key to continue ... NOT THAT KEY YOU FOOL!)
[ Post Reply | Private Reply | To 3 | View Replies]

To: PFKEY; gitmo
I must have been reading into your sentence, I misquoted you as using the word "virus". Nonetheless, it is a quiet evening and it felt good to make someone laugh.
13 posted on 08/23/2003 6:00:03 PM PDT by X-USAF
[ Post Reply | Private Reply | To 10 | View Replies]

To: X-USAF
No problem friend.

I wonder what it is the FBI looks for when executing this grand jury subpoena?
14 posted on 08/23/2003 6:04:44 PM PDT by PFKEY
[ Post Reply | Private Reply | To 13 | View Replies]

To: Jim Robinson
Ha! No way Jim. I got 100 million on mine too.
15 posted on 08/23/2003 6:12:33 PM PDT by WVNan
[ Post Reply | Private Reply | To 5 | View Replies]

To: PFKEY
Without going into the "infections" bit too much - yuck, yuck! - I don't think you have anything to worry about.

Actually, I saw on a computer site that security services had tracked down the 20 computers that were supposed to be converted into servers for the virus that was to be activated yesterday. They were all home computers (and were in the US, I believe), and I have no idea how they managed to find them.

Can you imagine innocently sitting at your PC, say, posting to FR, when suddenly the FBI and the Cyber-whatever Task Force appear at your door and tell you that your computer has been taken over by something that is going to try to bring down the Internet? I sure can't!

BTW, they had found 19 of these servers yesterday, and only found the 20th one very late in the game.

Another question: the number (same as number of 9/11 hijackers) made me suspect that this might be connected to ... should I say it? ...the Religion of Peace. Any ideas from anyone?
16 posted on 08/23/2003 6:12:45 PM PDT by livius
[ Post Reply | Private Reply | To 7 | View Replies]

To: gitmo
They have porn sites on the internet?

LOL's!

If one hasn't (enjoyed or) been forced to experience "porn" on the internet then one hasn't been on line yet!

It's tough to filter.

17 posted on 08/23/2003 6:15:03 PM PDT by EGPWS
[ Post Reply | Private Reply | To 1 | View Replies]

To: livius
Can you imagine innocently sitting at your PC, say, posting to FR, when suddenly the FBI and the Cyber-whatever Task Force appear at your door and tell you that your computer has been taken over by something that is going to try to bring down the Internet?

That is a scary thought.

Wonder if they'd fix my PC for me or just take it and not give it back?

18 posted on 08/23/2003 6:18:45 PM PDT by PFKEY
[ Post Reply | Private Reply | To 16 | View Replies]

To: gitmo
Here's the worst pornographic site on the net that masquerades as a political site...
19 posted on 08/23/2003 6:19:10 PM PDT by Pharmboy (Dems lie 'cause they have to...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Pharmboy
Thanks a lot! Now I'll never get those images out of my mind! AAARRRRRGGGGHHHH
20 posted on 08/23/2003 6:22:01 PM PDT by gitmo (Press any key to continue ... NOT THAT KEY YOU FOOL!)
[ Post Reply | Private Reply | To 19 | View Replies]

