Re: Sobig.f surprise attack today

2003-08-28 Thread Owen DeLong
Again, I am not proposing a worm.  Simply a cleaner that would neuter the
worm that connected.  What I am proposing would _ONLY_ provide software that,
if the connecting client chose to execute it, would neuter the worm on the
connecting client that executed it.  Nothing that would worm to other
computers from there.  That's high risk.

Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist
based on such connections to a honeypot.  Any system which made the correct
request could then have its address published via BGP or DNS for ISPs and
the like to do as they wish.

Again, I don't propose or advocate actively tampering with other people's
systems.  However, if someone comes to my website and asks for executable
code, then executes it, I do not feel that it is my responsibility to
provide them code which will not alter the contents of their system.
I also don't feel it is my responsibility to determine if their request
came from a human authorized to use the computer or a worm.
Owen

--On Friday, August 22, 2003 4:54 PM -0700 Doug Barton 
[EMAIL PROTECTED] wrote:

On Fri, 22 Aug 2003, Owen DeLong wrote:

Sure, it won't happen in 30 minutes, but, I don't understand why this
wasn't started when F-Secure first noticed the situation.
I seriously doubt that most (any?) ISP would be willing to accept the
legal liability for altering anything on the computer of a third party
that just happened to connect to an IP in a netblock they are
responsible for. White worms are an elegant engineering concept, but
have little practical value (and huge risk) outside of networks that you
control directly.
Doug

--
You're walkin' the wire, pain and desire. Looking for love in between.
- The Eagles, Victim of Love




Re: Sobig.f surprise attack today

2003-08-28 Thread Dan Hollis

On Thu, 28 Aug 2003, Owen DeLong wrote:
 Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist
 based on such connections to a honeypot.  Any system which made the correct
 request could then have its address published via BGP or DNS for ISPs and
 the like to do as they wish.

an infected host dnsrbl doesn't sound like a bad idea...

-Dan
-- 
[-] All of your bases belong to me. [-]



Re: Sobig.f surprise attack today

2003-08-28 Thread Mike Tancsa
At 12:54 PM 28/08/2003 -0700, Dan Hollis wrote:
 Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist
 based on such connections to a honeypot.  Any system which made the correct
 request could then have its address published via BGP or DNS for ISPs and
 the like to do as they wish.
an infected host dnsrbl doesn't sound like a bad idea...
I don't think this would work too well.  The users who are infected often 
think something is wrong because their connection and computer are not 
working quite right. So they disconnect / reconnect / reboot so they burn 
through quite a few dynamic IP addresses along the way.

---Mike 
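An added example, my own code and not anything posted in this thread, of the infected-host list Owen and Dan sketch above: honeypot hits on UDP 8998 are turned into a DNSBL zone, and each listing expires after a short lifetime, which is the part Mike's point about dynamic-pool churn calls for (a stale entry lands on whoever gets the address next). The zone name, the two-hour lifetime and the log lines are assumptions/constructed; the 8-byte request length is taken from the New Scientist summary quoted later in the thread.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed zone name for the list; pick your own.
ZONE = "sobig.dnsbl.example"
# Assumed listing lifetime. Keep it short: the dialup/DSL pools discussed
# above hand the same address to someone else within hours, so a stale
# listing punishes the next customer rather than the infected one.
LISTING_LIFETIME = timedelta(hours=2)
# Length of the request the New Scientist article attributes to the worm.
REQUEST_LEN = 8

# Constructed honeypot log (not real data): "time src_ip src_port bytes",
# one line per UDP datagram received on port 8998.
HONEYPOT_LOG = """\
2003-08-22T19:00:01Z 192.0.2.17 1034 8
2003-08-22T19:00:02Z 198.51.100.8 1035 8
2003-08-22T19:00:05Z 192.0.2.17 1036 8
2003-08-22T19:01:00Z 203.0.113.44 1037 61
2003-08-22T21:30:00Z 198.51.100.8 1038 8
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_hits(log: str, request_len: int = REQUEST_LEN) -> dict:
    """Return {src_ip: last_seen} for datagrams of the expected length only;
    anything else (scanners, curious humans, misdirected traffic) is ignored."""
    last_seen = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, nbytes = line.split()
        if int(nbytes) != request_len:
            continue
        src = str(ipaddress.IPv4Address(src))  # reject garbage before it reaches the zone
        when = datetime.strptime(ts, TIME_FMT)
        if src not in last_seen or when > last_seen[src]:
            last_seen[src] = when
    return last_seen


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Standard DNSBL convention: octets reversed under the zone,
    so 192.0.2.17 is looked up as 17.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def build_zone(last_seen: dict, now: datetime,
               lifetime: timedelta = LISTING_LIFETIME, ttl: int = 300) -> list:
    """Emit A/TXT records for hosts seen within `lifetime` of `now`. The short
    record TTL (seconds) means a delisting propagates quickly as well."""
    records = []
    for ip, when in sorted(last_seen.items()):
        if now - when > lifetime:
            continue  # expired: the address has probably moved on to another user
        name = dnsbl_name(ip)
        records.append(f"{name}. {ttl} IN A 127.0.0.2")
        records.append(f'{name}. {ttl} IN TXT "sobig.f request seen {when.strftime(TIME_FMT)}"')
    return records


def zone_for(log: str, now_iso: str) -> list:
    """Convenience: build the zone as of an ISO-8601 UTC timestamp."""
    return build_zone(parse_hits(log), datetime.strptime(now_iso, TIME_FMT))


def is_listed(records: list, ip: str) -> bool:
    """What an ISP's mail or access server would effectively ask the zone."""
    prefix = dnsbl_name(ip) + ". "
    return any(r.startswith(prefix) and " IN A " in r for r in records)


if __name__ == "__main__":
    for r in zone_for(HONEYPOT_LOG, "2003-08-22T21:35:00Z"):
        print(r)
```

At 21:35 UTC the constructed log yields a single listing (198.51.100.8); 192.0.2.17 was last seen at 19:00 and has aged out, and the 61-byte datagram from 203.0.113.44 never counted as a hit. Publishing via BGP instead of DNS would be the same expiry logic feeding a /32 blackhole feed.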



Re: Sobig.f surprise attack today

2003-08-28 Thread Petri Helenius
Mike Tancsa wrote:

I don't think this would work too well.  The users who are infected 
often think something is wrong because their connection and computer 
are not working quite right. So they disconnect / reconnect / reboot 
so they burn through quite a few dynamic IP addresses along the way.

This is an artifact of ISPs wanting to have static IPs as an add-on 
premium service, so they provide short lease times and change IP as 
often as it's feasible without interrupting service unnecessarily.

Pete




Re: Sobig.f surprise attack today

2003-08-28 Thread Mike Tancsa
At 11:14 PM 28/08/2003 +0300, Petri Helenius wrote:
Mike Tancsa wrote:

I don't think this would work too well.  The users who are infected often 
think something is wrong because their connection and computer are not 
working quite right. So they disconnect / reconnect / reboot so they burn 
through quite a few dynamic IP addresses along the way.
This is an artifact of ISPs wanting to have static IPs as an add-on 
premium service, so they provide short lease times and change IP as 
often as it's feasible without interrupting service unnecessarily.


Huh ?  This is an artifact of the way PM3s and MAX 6096s work with respect 
to how IP addresses are assigned out of pools i.e. this is the default 
behaviour.  The same goes for our DSL pool.

---Mike 



Re: Sobig.f surprise attack today

2003-08-28 Thread Damian Gerow

Thus spake Petri Helenius ([EMAIL PROTECTED]) [28/08/03 16:23]:
 I don't think this would work too well.  The users who are infected 
 often think something is wrong because their connection and computer 
 are not working quite right. So they disconnect / reconnect / reboot 
 so they burn through quite a few dynamic IP addresses along the way.
 
 This is an artifact of ISPs wanting to have static IPs as an add-on 
 premium service, so they provide short lease times and change IP as 
 often as it's feasible without interrupting service unnecessarily.

Or potentially an artifact of wanting more IP space from ARIN, as opposed to
assigning a static IP to every user we have, even the ones that are only
connected for about an hour a month.  But hey, that's just a minor detail.


Re: Sobig.f surprise attack today

2003-08-28 Thread Patrick Muldoon

On Thursday 28 August 2003 04:24 pm, Mike Tancsa wrote:
 At 11:14 PM 28/08/2003 +0300, Petri Helenius wrote:
 Mike Tancsa wrote:
 I don't think this would work too well.  The users who are infected often
 think something is wrong because their connection and computer are not
 working quite right. So they disconnect / reconnect / reboot so they burn
 through quite a few dynamic IP addresses along the way.
 
 This is an artifact of ISPs wanting to have static IPs as an add-on
 premium service, so they provide short lease times and change IP as
 often as it's feasible without interrupting service unnecessarily.

 Huh ?  This is an artifact of the way PM3s and MAX 6096s work with respect
 to how IP addresses are assigned out of pools i.e. this is the default
 behaviour.  The same goes for our DSL pool.

  ---Mike

It isn't about wanting to charge more for a static IP per se, it is more 
about efficient use of address space. If I have 10K dialup customers and I 
go to ARIN and ask for a /18 so each one of my dialup customers can have a 
static IP, what do you think the response is going to be?  
 


-- 
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key fingerprint = 8F70 6306 F0A7 B8DA BA95  76C4 606A 7DC1 370D 752C

One picture is worth 128K words.



Re: Sobig.f surprise attack today

2003-08-28 Thread Petri Helenius
Damian Gerow wrote:

Or potentially an artifact of wanting more IP space from ARIN, as opposed to
assigning a static IP to every user we have, even the ones that are only
connected for about an hour a month.  But hey, that's just a minor detail.
 

Sorry for momentarily phasing to our local la-la-land where the address 
space used by always-on connections has passed the dialup ones a few years 
ago. Dialup users also cannot generate any significant DDoS traffic even 
if combined by a factor of 1.

Pete




Re: Sobig.f surprise attack today

2003-08-28 Thread Mike Tancsa
At 11:47 PM 28/08/2003 +0300, Petri Helenius wrote:
connections has passed the dialup ones a few years ago. Dialup users also 
cannot generate any significant DDoS traffic even if combined by a factor of 1.


a)http://www.acm.org/sigcomm/sigcomm2003/papers.html#p75-kuzmanovic
b)Trinity v3/Stacheldraht can do wonders against the CPU of many cisco routers
c)'dialup' and the way IPs are handed out are often the same for DSL users 
who connect on demand.
d)See the recent thread on rebooting TNTs and 5300s

---Mike 



Sobig.f surprise attack today

2003-08-22 Thread Jim Dawson

F-Secure Corporation is warning about a new level of attack to be
unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC.

http://www.f-secure.com/news/items/news_2003082200.shtml

Jim
--

See what ISP-Planet is saying about us!
http://isp-planet.com/services/wholesalers/flexpop.html
  __
  Jim Dawson [EMAIL PROTECTED]
  Flexpop/Navi.Nethttp://www.flexpop.net
  618 NW Glisan St. Ste. 101  v. +1.503.517.8866
  Portland, Or  97209 USA f. +1.503.517.8868
  ~~



RE: Sobig.f surprise attack today

2003-08-22 Thread Todd Mitchell - lists

| Jim Dawson
| Sent: Friday, August 22, 2003 2:02 PM
| Subject: Sobig.f surprise attack today
| 
| F-Secure Corporation is warning about a new level of attack to be
| unleashed by the Sobig.F worm today. Supposed to take place at 1900
UTC.
| 
| http://www.f-secure.com/news/items/news_2003082200.shtml


See the following message sent out by X-Force a few hours ago.

Todd


--

Computers infected with the Sobig.F worm are programmed
to automatically download an executable of unknown function
from a hard-coded list of servers at 19:00 UTC (3:00pm EDT)
X-Force is recommending wholesale outbound filtering of 
the following IP addresses:

67.73.21.6
68.38.159.161
67.9.241.67
66.131.207.81
65.177.240.194
65.93.81.59
65.95.193.138
65.92.186.145
63.250.82.87
65.92.80.218
61.38.187.59
24.210.182.156
24.202.91.43
24.206.75.137
24.197.143.132
12.158.102.205
24.33.66.38
218.147.164.29
12.232.104.221
68.50.208.96

The request method uses UDP port 8998. X-Force also 
recommends that this port be filtered outbound.
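An added example, not part of the X-Force advisory or anything posted here, that turns the recommendation above into code: a per-flow decision that matches the advisory exactly (listed host on any port, or UDP to 8998 anywhere), the same policy rendered as a Cisco IOS extended access list, and a tally over flow records that keeps "to a listed host" and "to UDP 8998" as separate counts, which is what lets an operator see traffic to the listed hosts with none on the worm's port. The ACL name, the Flow record layout and the sample flow records are assumptions/constructed.

```python
import ipaddress
from dataclasses import dataclass

# The 20 addresses and the UDP port named in the X-Force advisory quoted above.
SOBIG_F_SERVERS = (
    "67.73.21.6", "68.38.159.161", "67.9.241.67", "66.131.207.81",
    "65.177.240.194", "65.93.81.59", "65.95.193.138", "65.92.186.145",
    "63.250.82.87", "65.92.80.218", "61.38.187.59", "24.210.182.156",
    "24.202.91.43", "24.206.75.137", "24.197.143.132", "12.158.102.205",
    "24.33.66.38", "218.147.164.29", "12.232.104.221", "68.50.208.96",
)
SOBIG_F_PORT = 8998

# Validate every entry up front: a typo in a blocklist silently fails open.
BLOCKED_HOSTS = frozenset(str(ipaddress.IPv4Address(ip)) for ip in SOBIG_F_SERVERS)


@dataclass(frozen=True)
class Flow:  # assumed record layout for an outbound flow
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def should_block(flow: Flow) -> bool:
    """Apply the advisory literally: drop anything outbound to a listed host
    (any protocol, any port) and drop outbound UDP to port 8998 to anyone."""
    if flow.dst in BLOCKED_HOSTS:
        return True
    return flow.proto == "udp" and flow.dport == SOBIG_F_PORT


def ios_acl(name: str = "SOBIG-F-OUT") -> str:
    """Render the same policy as a Cisco IOS extended access list. Bind it
    inbound on customer-facing interfaces (traffic leaving the customer
    toward the Internet): ip access-group SOBIG-F-OUT in"""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip any host {ip}" for ip in SOBIG_F_SERVERS]
    lines.append(f" deny udp any any eq {SOBIG_F_PORT}")
    lines.append(" permit ip any any")
    return "\n".join(lines)


def parse_flows(text: str) -> list:
    """Parse constructed flow records 'src dst proto dport', one per line."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def summarize(flows: list) -> dict:
    """Count how flows match the two halves of the policy. Keeping
    'listed host' and 'port 8998' apart shows whether the traffic you see
    toward the listed hosts is the worm's phone-home or something else."""
    counts = {"listed_dst": 0, "port_only": 0, "both": 0, "allowed": 0}
    for f in flows:
        listed = f.dst in BLOCKED_HOSTS
        port = f.proto == "udp" and f.dport == SOBIG_F_PORT
        if listed and port:
            counts["both"] += 1
        elif listed:
            counts["listed_dst"] += 1
        elif port:
            counts["port_only"] += 1
        else:
            counts["allowed"] += 1
    return counts


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """\
# src dst proto dport
10.1.1.5 67.73.21.6 tcp 80
10.1.1.6 24.33.66.38 udp 8998
10.1.1.7 192.0.2.9 udp 8998
10.1.1.8 192.0.2.10 udp 53
10.1.1.9 65.92.80.218 udp 8998
"""

if __name__ == "__main__":
    print(ios_acl())
    print(summarize(parse_flows(SAMPLE_FLOWS)))
```

The port rule is broader than the host rule: it drops UDP/8998 to every destination, which is what the advisory asks for but also what would hit any unrelated service on that port, so expect to lift it once the hard-coded hosts are dark.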




Re: Sobig.f surprise attack today

2003-08-22 Thread Owen DeLong
OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines,
wouldn't it make more sense to replace them with honey-pots that download
code to remove SOBIG instead of just disabling them?

Let's use the virus against itself.  At this point, I think that's a legitimate
countermeasure.

Owen

--On Friday, August 22, 2003 11:01 AM -0700 Jim Dawson [EMAIL PROTECTED] 
wrote:

F-Secure Corporation is warning about a new level of attack to be
unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC.
http://www.f-secure.com/news/items/news_2003082200.shtml

Jim




RE: Sobig.f surprise attack today

2003-08-22 Thread Matthew Kaufman

I wish all surprise attacks came at preannounced times from known locations.

Matthew Kaufman



Re: Sobig.f surprise attack today

2003-08-22 Thread Omachonu Ogali

If you're responsible for any of the IPs on the list, better
permanently remove them from your DHCP pools, IP assignments,
dial-up pools, or anything else that assigns IP addresses,
because these will be filtered and forgotten for the next
200 years.


RE: Sobig.f surprise attack today

2003-08-22 Thread Vachon, Scott

OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines,
wouldn't it make more sense to replace them with honey-pots that download
code to remove SOBIG instead of just disabling them?

Only if we make assumptions that what they state is 100% fact and the whole truth of 
the matter. They know of 20 but, who is to say a variant in the wild doesn't know of 
20 more ? Or 100 more ? Too late anyway. My other list subscriptions show it active 
now ...

~S~

Disclaimer: my own 2 cents.
  


Re: Sobig.f surprise attack today

2003-08-22 Thread Jay Hennigan

On Fri, 22 Aug 2003, Owen DeLong wrote:


 OK... Maybe I'm smoking crack here, but, if they have the list of 20
 machines,
 wouldn't it make more sense to replace them with honey-pots that download
 code to remove SOBIG instead of just disabling them?

 Let's use the virus against itself.  At this point, I think that's a
 legitimate
 countermeasure.

Start coding, you've got twelve minutes.


-- 
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/


RE: Sobig.f surprise attack today

2003-08-22 Thread Randy Neals (ORION)



Where does one get hold of The List to know if you're on it.

I've read many of the briefing/press releases put out by the anti-virus
companies but they all seem to be withholding the list of master
servers.

-R

-Original Message-
Behalf Of Omachonu Ogali
Sent: August 22, 2003 2:46 PM

If you're responsible for any of the IPs on the list, better 
permanently remove them from your DHCP pools, IP assignments, 
dial-up pools, or anything else that assigns IP addresses, 
because these will be filtered and forgotten for the next 200 years.




RE: Sobig.f surprise attack today

2003-08-22 Thread Irwin Lazar

FYI:



At 1500 GMT, Mikko Hypponen, director of anti-virus research at
F-Secure, told New Scientist that 18 of the 20 internet addresses his
company had identified in the virus had been blocked. But if even one
machine remains online at the deadline, anything could happen, he
warned.

Hypponen said F-secure had notified the FBI and internet service
providers who run the addresses listed in the worm and said some of the
companies have agreed to temporarily block access to those machines. The
target machines are based in Canada, USA and South Korea. 


Unreachable address


At 1750 GMT, New Scientist ascertained that all but one of the 20
addresses were inaccessible. The 19 unreachable addresses may have been
blocked, or could always have been protected by a firewall.

The last open address is in Toronto, and is provided by the internet
service provider Sympatico. Its spokesperson told New Scientist: "We are
aware of the virus and are working with local law enforcement to
identify the person behind the virus."

A possible reason for deliberately leaving an address open might be to
act as a honey pot - an address controlled by the authorities to
observe the worm in action. 

However, the latest analysis of SoBig.F has revealed that even if this
attempt to block access to the 20 addresses is successful, more action
may be needed. Infected machines are programmed to check twice a week at
the same time for a new list of servers to contact. This new list could be
delivered via a new virus.
   

The existing list of 20 appears to list Windows PCs belonging to home
users and connected to the internet via always-on, ADSL broadband
connections, says Hypponen. It is most likely that the party behind
SoBig.F has broken into these computers and they are now being misused
to be part of this attack.

The worm's previous variant, SoBig.E, downloaded a program that removed
the virus itself to cover its tracks, and then tried to steal the user's
network and web passwords.

But the machines infected with SoBig.F will try to connect to port 8998
on one of the hijacked machines. They will transmit a secret 8-byte
code, which will cause the hijacked machines to return a web link to a
site from which the malicious code can be downloaded.

Attempts to discover this target link have so far been foiled, as the
worm's writer used a bogus URL. Experts believe that this link would be
changed to the real one a few seconds before the deadline, too late for
companies to block.  
David Cohen
 
  


Re: Sobig.f surprise attack today

2003-08-22 Thread steve uurtamo


OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines,
wouldn't it make more sense to replace them with honey-pots that download
code to remove SOBIG instead of just disabling them?
   

Only if we make assumptions that what they state is 100% fact and the whole
truth of the matter. They know of 20 but, who is to say a variant in the wild
doesn't know of 20 more ? Or 100 more ? Too late anyway. My other list
subscriptions show it active now ...

symantec sez that it listens for properly-signed announcements
about new and improved servers from which to receive said payload.
so it can change the source list at any time.
s.




RE: Sobig.f surprise attack today

2003-08-22 Thread Gary Attard

http://xforce.iss.net/xforce/alerts/id/151

 
 






Re: Sobig.f surprise attack today

2003-08-22 Thread Andrew Kerr
Randy Neals (ORION) wrote:


Where does one get hold of The List to know if your on it.

I've read many of the briefing/press releases put out by the anti-virus
companies but they all seem to be witholding the list of master
servers.


It's been posted here, and f-secure has it, but I wrote a quick script to 
keep an eye on the 20 servers and dump the output to a simple page:

http://207.195.54.37/sobig.html

(Updates about every 5 mins)



RE: Sobig.f surprise attack today

2003-08-22 Thread Stephen J. Wilcox


hmm seeing about 1% traffic to those ips, curiously none on that port number tho

not too exciting, did someone say weekend? 





Re: Sobig.f surprise attack today

2003-08-22 Thread Jay Hennigan

On Fri, 22 Aug 2003, Andrew Kerr wrote:

 It's been posted here, and f-secure has it, but I wrote a quick script to
 keep an eye on the 20 servers and dump the output to a simple page:

 http://207.195.54.37/sobig.html

 (Updates about every 5 mins)

You're probing the list of NTP servers the worm uses to get the date, not
the list of hosts to which it phones home.

-- 
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/


Re: Sobig.f surprise attack today

2003-08-22 Thread Andrew Kerr
Jay Hennigan wrote:
On Fri, 22 Aug 2003, Andrew Kerr wrote:


It's been posted here, and f-secure has it, but I wrote a quick script to
keep an eye on the 20 servers and dump the output to a simple page:
http://207.195.54.37/sobig.html

(Updates about every 5 mins)


You're probing the list of NTP servers the worm uses to get the date, not
the list of hosts to which it phones home.


A few people pointed that out.  By the time this message hits the list, 
it should be corrected.



RE: Sobig.f surprise attack today

2003-08-22 Thread netadm

From http://www.f-secure.com/v-descs/sobig_f.shtml
-
Update on 19:00 UTC 

When the deadline for the attack had passed, one machine was still
(somewhat) up. However, immediately after the deadline, this machine
(located in the USA) was totally swamped under network traffic. 

We've tried connecting to it, just like the virus does. We do this from
three different sensors from three different machines in three different
countries. We haven't been able to connect to it once. If we can't
connect, neither can the viruses. 

So the attack failed. Whoa. 

We'll keep monitoring until 22:00 UTC. If we're not able to connect
once, we can safely say that the attack was prevented. 




Re: Sobig.f surprise attack today

2003-08-22 Thread Owen DeLong
OK.. Seems to me that under the circumstances, since they're willing to
disconnect that host from the internet (any rational ISP would be), that
replacing it with a /32 route to a honeypot created by the ISP
would not be that difficult.  Sure, it's unlikely that 100% of the ISPs
could do it in the time required, but, even if you just got the top 3
or so on the worm's hit list, it would have a significant impact.
If you got 10, then the surprise would be no more than 50% effective.
Sure, it won't happen in 30 minutes, but, I don't understand why this
wasn't started when F-Secure first noticed the situation.
Owen

--On Friday, August 22, 2003 1:39 PM -0500 Beprojects.com 
[EMAIL PROTECTED] wrote:

So who's going to do that?  There are 20 machines on 20 different networks
covering the US, Canada and parts of Asia (from what I've read).  Each
network would have to contact the individual user and ask permission to
put a honeypot on their IP and that's not going to happen in the next 30
minutes.








RE: Sobig.f surprise attack today

2003-08-22 Thread Mark Segal

My question is what were those servers.. Was the purpose to denial of
service attack them?  If so we just assisted that.. :)

mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband




RE: Sobig.f surprise attack today

2003-08-22 Thread Austad, Jay

I don't think the purpose was to DoS them.  It looks like some of them were
hosts on Comcast's cable network, probably some user machines being used to
host the second part of the payload.

I just want to know what the second part of this thing does.  It's better
than watching TV.  :)

 


Re: Sobig.f surprise attack today

2003-08-22 Thread Petri Helenius
Omachonu Ogali wrote:

If you're responsible for any of the IPs on the list, better
permanently remove them from your DHCP pools, IP assignments,
dial-up pools, or anything else that assigns IP addresses,
because these will be filtered and forgotten for the next
200 years.
 

If the virus guys get smarter they'll put in /24s or /16s next time. 
Just scan through the block with magic cookie until you get the reply 
you're looking for and start downloading the update.

Anyone willing to block the whole /16 of their dialup or DSL users if it 
shows up on an AV vendor's list?

Pete




RE: Sobig.f surprise attack today

2003-08-22 Thread Dr. Jeffrey Race

On Fri, 22 Aug 2003 14:13:27 -0400, Todd Mitchell - lists wrote:
See the following message sent out by X-Force a few hours ago. Todd
Computers infected with the Sobig.F worm are programmed
to automatically download an executable of unknown function
from a hard-coded list of servers at 19:00 UTC (3:00pm EDT)
X-Force is recommending wholesale outbound filtering of 
the following IP addresses:

67.73.21.6
68.38.159.161
67.9.241.67
66.131.207.81
65.177.240.194
65.93.81.59
65.95.193.138
65.92.186.145
63.250.82.87
65.92.80.218
61.38.187.59
24.210.182.156
24.202.91.43
24.206.75.137
24.197.143.132
12.158.102.205
24.33.66.38
218.147.164.29
12.232.104.221
68.50.208.96

Roadrunner  
Comcast II
Sprint  I
Dacom   I
Earthlink   I
Le Groupe Videotron II
Bell Canada I 
Net 66  II
Charter I
ATT WorldnetII



Re: Sobig.f surprise attack today

2003-08-22 Thread Doug Barton

On Fri, 22 Aug 2003, Owen DeLong wrote:

 Sure, it won't happen in 30 minutes, but, I don't understand why this
 wasn't started when F-Secure first noticed the situation.

I seriously doubt that most (any?) ISP would be willing to accept the
legal liability for altering anything on the computer of a third party
that just happened to connect to an IP in a netblock they are
responsible for. White worms are an elegant engineering concept, but
have little practical value (and huge risk) outside of networks that you
control directly.

Doug

-- 
You're walkin' the wire, pain and desire. Looking for love in between.

- The Eagles, Victim of Love