Anti-virus software,
and the means used to distribute it, simply cannot combat a new
rapidly replicating virus or worm, according to Matthew Williamson,
a researcher with computer giant Hewlett-Packard.
"These fast viruses are what we
are getting at the moment," he told New Scientist, referring
to the Slammer, MSBlaster, and SoBig viruses that this year infected
tens of thousands of machines within hours of being launched.
The next generation of fast viruses
would be even faster, New
Scientist said.
One called Flash
Worm could infect an entire PC network within 15 seconds,
while another called the Warhol
Worm could spread worldwide within just 15 minutes.
Heart of Darkness, on a Desktop
SPAM BLOCKERS HIT BY DENIAL OF SERVICE
Sobig May Be Working for Spammers
Sobig.F was easily the most
frequently occurring worm in August, 2003, accounting for 37.6%
of interceptions while Blaster-A came in at 18.8%.
Internet 2
July 28, 2003 - BroadSoft Inc. announced the launch of a disaster
recovery initiative to ensure business continuity and survivability
using IP networks in the event that the circuit-switched public network
goes down.
Internet 2 members include 202 universities, key corporate
sponsors and international groups.
Global Terabit Research Network
Sobig: Spam, Virus, or Both?
Virus writer likely used spamming techniques to spread the worm
quickly.
Ron Guilmette, who operates a free block list at Monkeys.com, said
the attack on his site began the same day that sobig.f started to
make the rounds. He may have to shut down his blocklist of unsecured
proxy servers.
90% of all spam received by Internet users in North America
and Europe is sent by a hard-core group of under 200 spam outfits,
almost all of whom are listed in the ROKSO
database.
At least 45% of the open proxy computers passing on spam
are also infected by a virus. "We suddenly see a burst of viruses
coming out of a machine and then, maybe a few days afterwards, lots
of spam, when we haven't seen spam from that machine before." New
Scientist
China takes action against spam
With Europe set to implement Opt-in legislation by October, the
United States is going in the opposite direction to Europe and is
now set to explode the spam problem far worse than it is today,
incredibly by actually legalizing Unsolicited Bulk Email instead
of banning it. Already, 90% of all spam hitting Europe is being sent
by American (mostly Florida-based) spammers. spamhaus.org
Some of the world's largest Internet service providers, in an attempt
to prevent widespread infection of their customers' computers, are
planning
to scan all e-mail attachments for computer viruses before they
reach subscribers. Comprehensive scanning could cost ISPs millions
of dollars, but after a month of snarled e-mail and Internet traffic,
courtesy of the Sobig and Blaster worms, customers are beginning
to expect it as a basic feature, industry experts said.
Worldcom executives John St Clair, Mike Whitman, and Worldcom's
VP and General Counsel Clint Smith held a meeting in which they
decided that Worldcom would not ban the hosting of stealth spam
services and would instead provide spammers with a safe haven. spamhaus.org
Spam viruses, worms and worse
We're already in the opening stages of a war. This stealthy
war looks to be a long one because, so far, it appears we're losing.
The Internet just isn't yet capable of recognizing and defending
against these and other modes of subversion in real time, and it
likely won't be for quite some time, due to its simple protocols
and distributed structure. The Inquirer
To Trap a Superworm
The Slammer worm's ability to spread so rapidly
adds a frightfully new dimension to the species. Does Stuart Staniford
have the cure?
Microsoft Windows: Insecure by design
Windows XP on the Internet amounts to a car parked in a bad part of
town, with the doors unlocked, the key in the ignition and a Post-It
note saying, "Please don’t steal this."
Slammer worm crashed Ohio nuke plant network
MICROSOFT ON GUARD
Microsoft continues to investigate another DoS attack that downed
its main site for two hours Thursday evening. That attack apparently
had nothing to do with the Blaster worm.
The attack directed at microsoft.com occurred Thursday evening at
8:45 p.m. Pacific Daylight Time. Thursday's attack and an August 1 attack
against Microsoft.com were both denial of service attacks; Microsoft
does not believe the two were linked.
"The attackers probably have a very large network of compromised
'zombie' machines that are being coordinated to attack Microsoft," said
Sean Sundwall, a Microsoft spokesperson.
With two successful
attacks in one week, Microsoft is looking into software and other
technology to prevent future threats, Sundwall adds. Pcworld.com
Microsoft made drastic changes in their internet setup on Friday.
First of all, they moved most of their main web servers under heavy
web clusters operated by the mirroring company Akamai.
As to windowsupdate.com, they just surrendered. Microsoft
simply disconnected this server from the web and removed its name
from the domain name system. It will probably never return.
As a result, the worm can't
find a target address for the attack - and won't attack.
Basically, Microsoft sacrificed their server to save the rest
of the net. Now there will be no floods of packets to overflow
routers and switches at ISPs around the world. Of course, this was
an easy decision for Microsoft, as windowsupdate.com was not used
much. The official address for Microsoft's Windows Update Service
is windowsupdate.microsoft.com. This is also the address accessed
by default by Windows 98, ME, 2000, XP and 2003. Most likely this
was the address the virus writer tried to attack, but she made a
slight mistake in the address (which used to be redirected to the
same update service). f-secure.com
Government and industry security
experts raced against the clock Friday to take offline 19 of the
20 home computers, thwarting an attack before the 12 noon deadline,
said Mikko Hypponen, anti-virus research manager at F-Secure of
Finland.
The computers were located
in the United States, Canada and South Korea, he said. The remaining
master computer, which was in the United States, was taken down
shortly after the deadline, experts said. cnn.com
THE SOBIG UPDATER
http://www.f-secure.com/
The expected Internet activation of the Sobig.F worm has been prevented.
The activation was prevented through a 24-hour race against the clock
by various organizations around the world. FBI and Microsoft were
able to locate and disconnect or shut down most of the master servers
necessary for the activation to be successful.
techrepublic.com
F-Secure reports its analysis of the code provides some server addresses
that don't lead to anything right now, and speculates that the server
addresses will be forwarded to some other address just seconds before
the Trojan activates in order to prevent antivirus analysts from
reading the program and working out countermeasures in advance.
F-Secure is also providing some additional
details, such as the fact that SoBig.F appears to have infected
nearly 100 million systems in just over four days. For now,
it isn't known whether the Trojan will try to co-opt other systems
already compromised by SoBig.F or will launch some entirely different
sort of attack.
...This is a highly sophisticated
attack, even using atomic clocks to synchronize the activation
of the Trojan...
http://www.f-secure.com
All the infected computers are entering a second phase today, on
Friday the 22nd of August, 2003. These computers are using atomic
clocks to synchronize the activation to start at exactly the same
time around the world: at 19:00:00 UTC.
At this moment, the worm starts to
connect to machines found in an encrypted list hidden in the virus
body.
The worm connects to one of these
20 servers and authenticates itself with a secret 8-byte code.
The servers respond with a web address. Infected machines download
a program from this address – and run it. At this moment it
is completely unknown what this mystery program will do.
F-Secure has been able to break into
this system and crack the encryption, but currently the web address
sent by the servers doesn’t go anywhere. “The developers
of the virus know that we could download the program beforehand,
analyse it and come up with countermeasures”, says Hypponen.
“So apparently their plan is to change the web address
to point to the correct address or addresses just seconds before
the deadline. By the time we get a copy of the file, the infected
computers have already downloaded and run it”.
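The defender-side counterpart to the timeline above is a simple check on outbound flow logs: which internal hosts reached any of the staging servers inside the announced activation window. The block below is an added example, not F-Secure's code. Its watchlist entries, the flow lines and the 30-minute window width are all constructed assumptions using documentation address ranges; the page does not give the real list of 20 servers, and no real address appears here.

```python
"""Flag internal hosts that reach a staging-server watchlist inside an
announced activation window (19:00:00 UTC, 22 August 2003 above).

Added example; not F-Secure's code. The watchlist entries and flow lines
are constructed from documentation address ranges, NOT the worm's real
list of 20 servers, and the 30-minute window width is an assumption.
"""
from datetime import datetime, timedelta, timezone

# Placeholder watchlist: constructed, not the worm's real server list.
STAGING_WATCHLIST = {"203.0.113.7", "203.0.113.42", "198.51.100.200"}
ACTIVATION_START = datetime(2003, 8, 22, 19, 0, 0, tzinfo=timezone.utc)
ACTIVATION_WINDOW = timedelta(minutes=30)  # assumed width

# Constructed flow log, one line per connection: "<ISO timestamp> <src> <dst>"
SAMPLE_FLOWS = """\
2003-08-22T18:31:05Z 192.0.2.33 203.0.113.7
2003-08-22T19:00:01Z 192.0.2.10 203.0.113.7
2003-08-22T19:00:09Z 192.0.2.10 203.0.113.42
2003-08-22T19:04:50Z 192.0.2.21 198.51.100.9
2003-08-22T19:12:30Z 192.0.2.77 198.51.100.200
2003-08-22T19:41:00Z 192.0.2.10 203.0.113.7
""".splitlines()


def parse_flow(line):
    """Parse one constructed flow line into (utc datetime, src, dst)."""
    ts, src, dst = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst


def staging_contacts(lines, start=ACTIVATION_START, window=ACTIVATION_WINDOW,
                     watchlist=STAGING_WATCHLIST):
    """Return {src: [dst, ...]} for sources that contacted a watchlisted
    address between start (inclusive) and start + window (exclusive).
    The per-source list keeps contact order, so the worm's try-the-next-
    server behaviour shows up as a sequence of watchlisted destinations."""
    hits = {}
    for line in lines:
        when, src, dst = parse_flow(line)
        if dst in watchlist and start <= when < start + window:
            hits.setdefault(src, []).append(dst)
    return hits


if __name__ == "__main__":
    for src, dsts in staging_contacts(SAMPLE_FLOWS).items():
        print(f"{src} contacted staging hosts in window: {', '.join(dsts)}")
```

In the constructed log, 192.0.2.33 reaches a watchlisted host before the window and is ignored, 192.0.2.10 walks two staging servers within seconds of 19:00 UTC, and its later contact at 19:41 falls outside the window. Widen or narrow the window according to how far the source's clocks can drift.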
With Sobig.E, the worm downloaded
a program which removed the virus itself (to hide its tracks), and
then started to steal users' network and web passwords. After
this the worm installed a hidden email proxy, which has been used
by various spammers to send their bulk commercial emails through
these machines without the owners of the computers knowing anything
about it.
The advanced techniques used by
the worm make it quite obvious it’s not written by a typical
teenage virus writer. The fact that previous Sobig variants
were used by spammers on a large scale adds an element of
financial gain. Who’s behind all this? “Looks like organized
crime to me”, comments Mikko Hypponen.
SOBIG NEWS
SoBig worm may trigger torrent of spam
Central Command Warns of New Sobig Attack http://thewhir.com/
August 22, 2003 -- Central
Command (centralcommand.com), a provider of anti-virus software
and services, cautioned users today of the next possible Sobig
cyber attack on or about September 11, 2003.
"It [Sobig.F] is very well
planned, very well designed and very well executed," said
Mikko Hypponen, director of antivirus research for security company
F-Secure of Finland.
"The guy obviously knows how to use proxy servers (to achieve anonymity).
To think you can track him down using an IP
(Internet protocol) address is pretty far-fetched," said Joe
Stewart, senior security researcher for network-protection company
Lurhq.
"The person is really trying to make sure that he isn't going
to get tracked down."
"Open proxies, stolen credit cards--it's not going to be easy,"
said Joe Hartmann, North American director for antivirus research
at security-software company Trend Micro. businessweek.com
http://sfgate.com
Originally, SoBig appeared to be nothing more than an unusually
effective version of a common online bug: the mass mailer, which
annoys people by flooding e-mail boxes worldwide with copies of
itself, but which does no real damage to hardware. Now that the
SoBig worm turns out to be more complex, some experts believe its
creator is much more sophisticated than the youths who release garden-variety
worms on a daily basis.
"Looks like organized crime
to me," said Mikko Hypponen, F-Secure's director of antivirus research,
in a prepared release.
http://lists.netsys.com
After reviewing the actual firewall logs I find my initial report
was not entirely correct. There were two variants, not three,
and the second variant contacted a list of 5 hosts, none of which
were on the "big" list of 20 hosts.
The second list of five addresses
(all seem to be on cable or dsl networks) is given below.
This page shows the status of those
IPs:
http://207.195.54.37/sobig.html
SOBIG ON SLASHDOT
MAIN SLASHDOT THREAD
http://slashdot.org/
I don't think even most of the posters really get the GRAVE SERIOUSNESS
of the current situation.
Because of nonexistent security
in the most widespread OS used on computers, general cluelessness of
its users and poor design of the Internet protocols themselves,
we have a situation where a very large percentage of hosts on the Internet,
essentially THE Internet, could be TOTALLY CONTROLLED by one person,
and nothing to be done about it.
I'm saying it again, and I'm not an alarmist type of person - but these
could be the LAST DAYS OF THE INTERNET as we know it.
http://slashdot.org/
What you're missing is that [Sobig] F expires on September 10th,
2003.
Which means G, the one with
the yet more freakin' evil payload, is probably set to go live...
ooh, sometime around the 11th... uh-oh.
Expiring the worm is deliberate,
so that different versions of the worm don't interfere with each
other much.
We got lucky, or maybe not:
the author realised what was happening, reads the right lists (or
spies on them, heh), and decided that he'd rather leave it to the
backup payload - the update url was simply a random porn site, one
of the decoys, rather than a compromised webpage containing the
latest version of his second-stage rootkit/trojan/proxy, Lala.
http://slashdot.org/
If anyone is interested, here's a [Sobig] "release history" :-P
LOVSAN BLAST
Worse Windows worms to come, warn experts
Despite infecting
tens of thousands of computers worldwide, the W32.Blaster worm is
poorly written and inefficient, according to security experts. However,
they warned that future versions of the worm could cause far greater
harm.
http://www.f-secure.com
Starting from 16th of August machines infected with Lovsan will
send massive amount of packets to windowsupdate.com. 40 byte packets
are sent in 20 millisecond intervals to port 80. This will perform
a Distributed Denial-of-Service attack on that website.
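The flood F-Secure describes has a recognisable shape on the wire: many tiny packets to one port at a rigid interval, with none of the bursts and pauses a real client produces. The block below is an added example, not F-Secure's analysis code, that scores per-source traffic on packet size, median inter-packet gap and gap jitter. The packet records are constructed to mimic the published 40-byte, 20 ms behaviour, and every threshold (minimum packet count, size, interval, jitter) is an assumption chosen for this illustration. It generalises beyond the page's single case: any destination port and target interval can be supplied.

```python
"""Flag sources emitting a Lovsan/Blaster-style fixed-rate flood from packet
records: 40-byte packets to port 80 every 20 ms, as F-Secure describes.

Added example, not F-Secure's analysis code. The packet records are
constructed to mimic that behaviour, and every threshold below is an
assumption chosen for this illustration.
"""
from collections import defaultdict
from statistics import median, pstdev


def make_sample_records():
    """Constructed records: (timestamp_s, src_ip, dst_ip, dst_port, length)."""
    records = []
    # Infected host: 40-byte packets at a rigid 20 ms spacing to port 80.
    t = 0.0
    for _ in range(200):
        records.append((round(t, 4), "192.0.2.10", "198.51.100.5", 80, 40))
        t += 0.020
    # Ordinary browser: a few large, irregularly spaced packets.
    for t, size in [(0.0, 520), (0.37, 1460), (1.12, 60), (1.9, 1460), (3.4, 980)]:
        records.append((t, "192.0.2.20", "198.51.100.5", 80, size))
    # Chatty but benign host: many small packets with irregular gaps.
    t, gaps = 0.0, [0.01, 0.05, 0.2, 0.02]
    for i in range(150):
        records.append((round(t, 4), "192.0.2.30", "198.51.100.5", 80, 40))
        t += gaps[i % len(gaps)]
    return records


def flood_sources(records, dst_port=80, min_packets=100, max_len=60,
                  target_interval=0.020, max_jitter=0.005):
    """Return {src_ip: summary} for sources whose traffic to dst_port looks
    like a fixed-rate small-packet flood: enough packets, small median size,
    median inter-packet gap near target_interval, and low gap jitter.
    A flood is rigid; real clients burst and pause, so jitter separates them."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, length in records:
        if port == dst_port:
            by_src[src].append((ts, length))
    flagged = {}
    for src, pkts in by_src.items():
        if len(pkts) < min_packets:
            continue
        pkts.sort()
        lengths = [length for _, length in pkts]
        gaps = [later[0] - earlier[0] for earlier, later in zip(pkts, pkts[1:])]
        med_gap, jitter = median(gaps), pstdev(gaps)
        if (median(lengths) <= max_len
                and abs(med_gap - target_interval) <= max_jitter
                and jitter <= max_jitter):
            flagged[src] = {
                "packets": len(pkts),
                "median_len": median(lengths),
                "median_gap_ms": round(med_gap * 1000, 1),
                "jitter_ms": round(jitter * 1000, 2),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flood_sources(make_sample_records()).items():
        print(f"{src}: {info}")
```

Only 192.0.2.10 is flagged. The third constructed host also sends 40-byte packets and its median gap happens to land on 20 ms, but its gap jitter is far above the threshold, which is the criterion that keeps a chatty legitimate client out of the report.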
http://www.f-secure.com
Welchi only infects Windows XP machines through the RPC hole and
both Windows 2000 and XP machines through the WebDAV hole.
It also tries to disinfect
Lovsan.A from the machine and apply the Microsoft patch to close
the RPC hole. So, Welchi is an anti-virus-virus.
MORE SOBIG ON SLASHDOT
http://www.politrix.org/
All the world is a playground for the author(s) of the Sobig virus.
This isn't the first time nor the last time we will hear of this
pesky little virus, in fact the author is probably tweaking the
virus for the next onslaught.
For starters let's look at what a Polymorphic virus is. "Polymorphic
Viruses: Some viruses take special measures to make their detection
and analysis more difficult. E.g. they do not have signatures, i.e.
do not have any constant section of code. In the majority of cases
two strains of the same "polymorphic"-virus will not have a single
coinciding element.
http://slashdot.org/
I'm wondering how long 'til such viruses use content-anonymizer
networks like freenet to download malicious code (20 hardcoded
IP addresses is hardly effective).
Another Probe
http://slashdot.org/
Just imagine *WHEN* the worms are coded to do lookups on ARIN so
that everything in a select region/ industry/ state/ country alone
gets nailed. WE NEED TO WAKE UP. These are probes. And we're
on the losing side of 'em.
We'll never know what the
hackers' true intent was, however. It's suspicious that blaster
and the sobig virus were thrown out almost one right after the other.
It all may be a distraction. For all we know there could be another
virus lurking around infecting machines slowly, 1 by 1 until a doomsday
date at which they deliver their payload.
Re: Methods used to obfuscate worm code, by Anonymous Coward on Sunday August 24. http://slashdot.org/
Actually, the IP addresses were in the code. They were just encrypted/
encoded. The encryption wasn't the best, but because of the amount
of un-optimized code, it was difficult to get through the code.
There was just so much code to go through.
I work for an antivirus vendor,
and it took me a total of almost 5 hours to decrypt the IP addresses.
Once I figured out what the worm needed to decrypt the IP addresses,
I ran it in a debugger and changed the registers at the right locations.
Then I just ran the worm and got the IP addresses from a network
sniffer (if the first IP doesn't respond in X many seconds, the
worm tries the next one and so on).
Sorry for posting anon, but
I felt it was better for this post.