SoBig.F Packs Few Design Surprises
eWeek | 26, 2003 | Dennis Fisher
Posted on 08/27/2003 6:27:49 AM PDT by FourPeas
Edited on 04/13/2004 2:58:59 AM PDT by Jim Robinson.
It turns out that SoBig.F is even less original than previously thought.
The self-updating capability that had anti-virus experts, users and even the FBI scrambling this weekend was in fact present in some of the earlier versions of the virus, albeit in a somewhat less advanced form.
(Excerpt) Read more at eweek.com ...
TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Extended News; News/Current Events
KEYWORDS: computervirus; sobig; worm
1 posted on 08/27/2003 6:27:49 AM PDT by FourPeas
To: FourPeas
I was shocked on August 19, 2003, when SoBigF began to show up on my corporate network.
I actually saw the thing before Symantec had posted def's for its detection. And this scares the heck out of me.
The false impression of being safe and secure in Anti-Virus software was manifested last week. The fact that a bug could spread prior to def's being updated on a corporate network is a big bad wolf, huffing and puffing getting ready to blow the houses down.
I work in a straw house, I recommend you build brick houses.
2 posted on 08/27/2003 6:45:01 AM PDT by Tank-FL (Keep the Faith - GO VMI Beat NAVY)
To: Tank-FL
Sircam and Klez came out before they had fixes, too. And then, McAfee and Norton each had to re-issue updates to their tools for a few days. It only makes sense, IMO, that the virus is in the wild before a fix is made, otherwise would that mean the companies doing the fixes are associated with its (the virus's) distribution? < /tinfoil >
To: RedBloodedAmerican
It is just that in the past they were discovered and def's were posted in really short order. This is the first time in my 20+ years in IT that I got infections prior to def's being posted.
With my past employer I used a vendor from Norway. For logical reasons this company seemed to be hours ahead of the U.S. companies. I just never had this happen before.
4 posted on 08/27/2003 6:56:44 AM PDT by Tank-FL (Keep the Faith - GO VMI Beat NAVY)
To: Tank-FL
If you are a security type, come in early and look at Hong Kong. They get the viruses first it seems. Then you can delete them from the Exchange server.
5 posted on 08/27/2003 6:58:49 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: AppyPappy
How hard would it be to track original hackers down and 'delete' them?
6 posted on 08/27/2003 7:04:36 AM PDT by budwiesest (Gladly: The cross-eyed bear.)
To: AppyPappy
This works only if a network isn't global, otherwise they just get in when the Hong Kong office opens for business.
7 posted on 08/27/2003 7:45:58 AM PDT by FourPeas
To: FourPeas
Alright -- if this is true, then where were those 20 machines? Who owned/maintained them?
8 posted on 08/27/2003 7:48:11 AM PDT by RonF
To: FourPeas
You can check with Hong Kong security admins. They generally see them first because they are hours ahead of us. With email viruses, you can just delete them before anyone gets to work.
9 posted on 08/27/2003 7:57:33 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: RonF
I've not seen an answer to that ten thousand dollar question. It all seems to be quite hush-hush.
10 posted on 08/27/2003 8:51:33 AM PDT by FourPeas
To: AppyPappy
That assumes that there *are* HK security admins and that the network is not administered from the states. It also assumes that the network admins have a clue. I'm not sure either one is a valid assumption.
11 posted on 08/27/2003 9:01:07 AM PDT by FourPeas
To: RonF
Those 20 machines were infected as well... I do not believe the owners had a clue.
12 posted on 08/27/2003 9:07:12 AM PDT by bigcheese (And the geeks shall internet the earth...)
To: FourPeas
That's what we did. We checked the HK websites, found the virus parameters and used them to clean Exchange.
13 posted on 08/27/2003 11:08:16 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)