Re: Brace yourselves.. W32/Sobig-F about to mutate...
On Fri, 22 Aug 2003 [EMAIL PROTECTED] wrote:

> A quick heads up, if anybody hasn't heard:
>
> At 1900GMT today, ET phones home, and picks up the next payload of
> instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
> put in a password grabber, and then installed a mail proxy for spammer use.
>
> On this moment, the worm starts to connect to machines found from an encrypted
> list hidden in the virus body. The list contains the address of 20 computers
> located in USA, Canada and South Korea.

erm so why don't we just block (preferably bgp null route) these sites?
Re: Brace yourselves.. W32/Sobig-F about to mutate...
If we can post here as soon as these mystery machines and/or ports are known we
can all throw up ACLs, but if the wormwriters learned from How to Own the
Internet in Your Spare Time, by the time we throw up ACLs, it's probably already
too late.

scott

On Fri, 22 Aug 2003 [EMAIL PROTECTED] wrote:

: A quick heads up, if anybody hasn't heard:
:
: At 1900GMT today, ET phones home, and picks up the next payload of
: instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
: put in a password grabber, and then installed a mail proxy for spammer use.
:
: This one *may* just play the theme song from Bozo the Clown and erase itself,
: but I severely doubt it's gonna be that nice.
:
: http://www.f-secure.com/news/items/news_2003082200.shtml
Re: Brace yourselves.. W32/Sobig-F about to mutate...
Just started getting it here...it came from a local Comcast cable user, and so
overwhelmed the mail server that SpamAssassin and qmail-scanner stopped scanning
it. I had to nullroute that IP to stop it... it looks like this:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 77869 invoked from network); 22 Aug 2003 17:39:16 -
Received: from unknown (HELO localhost) (68.32.237.213)
  by richard2.pil.net with SMTP; 22 Aug 2003 17:39:16 -
From: Microsoft [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary=

  Parts/Attachments:
     1 Shown     3 lines  Text
     2          9.6 KB   Application
     3 Shown     0 lines  Text

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

On Fri, 22 Aug 2003 [EMAIL PROTECTED] wrote:

> A quick heads up, if anybody hasn't heard:
>
> At 1900GMT today, ET phones home, and picks up the next payload of
> instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
> put in a password grabber, and then installed a mail proxy for spammer use.
>
> This one *may* just play the theme song from Bozo the Clown and erase itself,
> but I severely doubt it's gonna be that nice.
>
> http://www.f-secure.com/news/items/news_2003082200.shtml

James Smallacombe                  PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]                                http://3.am
RE: Brace yourselves.. W32/Sobig-F about to mutate...
| Stephen J. Wilcox
| Sent: Friday, August 22, 2003 2:15 PM
| To: [EMAIL PROTECTED]
| Cc: [EMAIL PROTECTED]
| Subject: Re: Brace yourselves.. W32/Sobig-F about to mutate...
|
| On Fri, 22 Aug 2003 [EMAIL PROTECTED] wrote:
|
| A quick heads up, if anybody hasn't heard:
|
| At 1900GMT today, ET phones home, and picks up the next payload of
| instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
| put in a password grabber, and then installed a mail proxy for spammer use.
|
| On this moment, the worm starts to connect to machines found from an encrypted
| list hidden in the virus body. The list contains the address of 20 computers
| located in USA, Canada and South Korea.
|
| erm so why dont we just block (preferably bgp null route) these sites?

I believe that InterNAP has already implemented this in all of their PNAP's.

Todd
--
Re: Brace yourselves.. W32/Sobig-F about to mutate...
Let's not get too spooked -- this is yet another annoyance that exemplifies just
how ludicrous the virus writer's one-upmanship really can get, something which
has been around for quite some time.

Thanks for the heads-up, which is (in my opinion) the appropriate response --
anything resembling panic, scare tactics, or a Charlie Foxtrot, would only
contribute to the problem. It seems like that has become the norm (charlie
yada), and as engineering folk, we need to be more objective. :-)

Let's make sure we put this into the proper perspective and not contribute to
the hype. Does that sound fair? (This is merely a general statement/question and
not directed to Valdis.)

Cheers,

- fergie

Valdis wrote:

> A quick heads up, if anybody hasn't heard:
>
> At 1900GMT today, ET phones home, and picks up the next payload of
> instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
> put in a password grabber, and then installed a mail proxy for spammer use.
>
> This one *may* just play the theme song from Bozo the Clown and erase itself,
> but I severely doubt it's gonna be that nice.
>
> http://www.f-secure.com/news/items/news_2003082200.shtml
Re: Brace yourselves.. W32/Sobig-F about to mutate...
On Fri, 22 Aug 2003 18:41:02 -, Fergie said:

> Thanks for the heads-up, which is (in my opinion) the appropriate response --
> anything resembling panic, scare tactics, or a Charlie Foxtrot, would only
> contribute to the problem.

I just mentioned it so we'd all know, in case the next part does something
network-unfriendly a la Nachi. No need to panic, just everybody keep an eye open
starting in (ummm) 14 mins or so. ;)

/Valdis (who wishes all malware came with such a firm ship date. Hell, my
*vendors* won't commit to such a firm ship date... ;)
Re: Brace yourselves.. W32/Sobig-F about to mutate...
The [EMAIL PROTECTED] address may fool them, but I would be very suspicious of a
Microsoft patch that was only 9.6KB :)

>   Parts/Attachments:
>      1 Shown     3 lines  Text
>      2          9.6 KB   Application
>      3 Shown     0 lines  Text

Adam Maloney
Systems Administrator
Sihope Communications
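A mail-triage check built from the traits this thread quotes (the "From: Microsoft" header, the "Use this patch immediately !" subject, the HELO localhost from an outside host in James's sample, and Adam's point that a 9.6 KB "patch" is implausibly small). This is added example code, not anything posted to the list; the addresses, the 192.0.2.10 address and the zero-filled attachment in build_sample() are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits taken from the headers James posted and Adam's 9.6 KB observation.
SOBIG_F_SUBJECTS = {"use this patch immediately !"}
MAX_PLAUSIBLE_PATCH = 64 * 1024  # assumed threshold: a real IE patch dwarfs 9.6 KB

def attachment_sizes(msg):
    """Return (content-type, decoded byte count) for every non-text MIME part."""
    sizes = []
    for part in msg.walk():
        if part.get_content_maintype() in ("text", "multipart"):
            continue
        payload = part.get_payload(decode=True) or b""
        sizes.append((part.get_content_type(), len(payload)))
    return sizes

def sobig_f_indicators(raw):
    """List the Sobig-F traits present in a raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if "microsoft" in str(msg.get("From", "")).lower():
        hits.append("From header claims to be Microsoft")
    if str(msg.get("Subject", "")).strip().lower() in SOBIG_F_SUBJECTS:
        hits.append("known Sobig-F subject line")
    for received in msg.get_all("Received", []):
        if "(helo localhost)" in str(received).lower():
            hits.append("remote host announced itself as localhost")
    for ctype, size in attachment_sizes(msg):
        if ctype.startswith("application/") and 0 < size < MAX_PLAUSIBLE_PATCH:
            hits.append(f"small {ctype} attachment ({size} bytes)")
    return hits

def is_probable_sobig_f(raw):
    """Flag the message only when two or more independent traits line up."""
    return len(sobig_f_indicators(raw)) >= 2

def build_sample(attachment_size=9600):
    """Constructed look-alike of the message James quoted; addresses, IP and
    the zero-filled 'patch' are placeholders, not captured data."""
    msg = EmailMessage()
    msg["Received"] = "from unknown (HELO localhost) (192.0.2.10) by mx.example.invalid"
    msg["From"] = "Microsoft <support@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Use this patch immediately !"
    msg.set_content("Dear friend , use this Internet Explorer patch now!")
    msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                       subtype="octet-stream", filename="patch.exe")
    return msg.as_bytes()
```

Feed it the raw bytes of a queued message (for example from a qmail-scanner or SpamAssassin hook) and act on the returned list rather than on any single trait, since "From: Microsoft" alone is trivially forged.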