Sobig.f surprise attack today
F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC.

http://www.f-secure.com/news/items/news_2003082200.shtml

Jim

--
See what ISP-Planet is saying about us! http://isp-planet.com/services/wholesalers/flexpop.html
Jim Dawson  jdawson@flexpop.net  Flexpop/Navi.Net  http://www.flexpop.net
618 NW Glisan St. Ste. 101  v. +1.503.517.8866
Portland, Or 97209 USA  f. +1.503.517.8868
Jim Dawson wrote (Sent: Friday, August 22, 2003 2:02 PM, Subject: Sobig.f surprise attack today):
| F-Secure Corporation is warning about a new level of attack to be
| unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC.
|
| http://www.f-secure.com/news/items/news_2003082200.shtml

See the following message sent out by X-Force a few hours ago.

Todd

------------------------------------------------------------------------

Computers infected with the Sobig.F worm are programmed to automatically download an executable of unknown function from a hard-coded list of servers at 19:00 UTC (3:00pm EDT).

X-Force is recommending wholesale outbound filtering of the following IP addresses:

The request method uses UDP port 8998. X-Force also recommends that this port be filtered outbound.
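As an added example (not from the thread, X-Force or any of the posters), the outbound pattern the advisory describes, UDP to port 8998 toward one of the listed servers from 19:00 UTC on, written as a check over flow records. The server addresses, the flow-log format and the one-hour window are all constructed placeholders.

```python
# Added example, not part of the thread: flag hosts whose outbound traffic
# matches the Sobig.F update check the X-Force note describes (UDP to port
# 8998, to one of the hard-coded servers, starting at 19:00 UTC).
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed placeholder server list (TEST-NET addresses); substitute the
# addresses published in the vendor advisory for real use.
SOBIG_SERVERS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}
SOBIG_PORT = 8998
WINDOW_START = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=1)  # assumption: look one hour past the trigger time


def parse_flow(line):
    """Parse a constructed record: '<ISO-8601 ts> <proto> <src>:<sport> -> <dst>:<dport> <bytes>'."""
    ts, proto, src, _arrow, dst, _nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "proto": proto.upper(),
            "src": src.rsplit(":", 1)[0], "dst": dst.rsplit(":", 1)[0],
            "dport": int(dst.rsplit(":", 1)[1])}


def is_sobig_update_check(flow):
    """True when the flow is UDP/8998 to one of the listed download servers."""
    return (flow["proto"] == "UDP" and flow["dport"] == SOBIG_PORT
            and flow["dst"] in SOBIG_SERVERS)


def in_window(flow):
    return WINDOW_START <= flow["ts"] < WINDOW_START + WINDOW


def find_infected(lines):
    """Return the internal source IPs (sorted) that made a matching query in the window."""
    hits = {f["src"] for f in map(parse_flow, lines)
            if is_sobig_update_check(f) and in_window(f)}
    return sorted(hits, key=ip_address)


# Constructed sample flows: two infected hosts, plus traffic that must not match.
SAMPLE_FLOWS = [
    "2003-08-22T19:00:12+00:00 UDP 10.1.4.22:1034 -> 192.0.2.10:8998 64",   # hit
    "2003-08-22T19:00:13+00:00 UDP 10.1.4.22:1035 -> 192.0.2.11:8998 64",   # same host, 2nd server
    "2003-08-22T19:02:40+00:00 UDP 10.1.9.8:2201 -> 198.51.100.7:8998 64",  # hit
    "2003-08-22T18:10:00+00:00 UDP 10.1.4.50:1200 -> 192.0.2.10:8998 64",   # before the window
    "2003-08-22T19:05:00+00:00 TCP 10.1.4.51:3300 -> 192.0.2.10:80 512",    # listed host, other service
    "2003-08-22T19:05:30+00:00 UDP 10.1.4.52:1400 -> 203.0.113.9:8998 64",  # port 8998, unlisted host
]

if __name__ == "__main__":
    print("hosts querying Sobig.F servers:", find_infected(SAMPLE_FLOWS))
```

Traffic to a listed host on another port, as one poster in this thread reports seeing, is deliberately not flagged; only the UDP/8998 combination is.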
If you're responsible for any of the IPs on the list, better permanently remove them from your DHCP pools, IP assignments, dial-up pools, or anything else that assigns IP addresses, because these will be filtered and forgotten for the next 200 years.
Where does one get hold of "The List" to know if you're on it?

I've read many of the briefing/press releases put out by the anti-virus companies but they all seem to be withholding "the list" of master servers.

-R

Omachonu Ogali wrote (Sent: August 22, 2003 2:46 PM):
> If you're responsible for any of the IPs on the list, better permanently remove them from your DHCP pools, IP assignments, dial-up pools, or anything else that assigns IP addresses, because these will be filtered and forgotten for the next 200 years.
Randy Neals (ORION) wrote:
> Where does one get hold of "The List" to know if you're on it?
>
> I've read many of the briefing/press releases put out by the anti-virus companies but they all seem to be withholding "the list" of master servers.

It's been posted here, and f-secure has it, but I wrote a quick script to keep an eye on the 20 servers and dump the output to a simple page:

http://207.195.54.37/sobig.html

(Updates about every 5 mins)
On Fri, 22 Aug 2003, Andrew Kerr wrote:
> It's been posted here, and f-secure has it, but I wrote a quick script to keep an eye on the 20 servers and dump the output to a simple page:
>
> http://207.195.54.37/sobig.html
>
> (Updates about every 5 mins)

You're probing the list of NTP servers the worm uses to get the date, not the list of hosts to which it "phones home".

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
WestNet: Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc. - http://www.netlojix.com/
Jay Hennigan wrote:
> You're probing the list of NTP servers the worm uses to get the date, not the list of hosts to which it "phones home".

A few people pointed that out. By the time this message hits the list, it should be corrected.
http://xforce.iss.net/xforce/alerts/id/151

Randy Neals (ORION) wrote (Sent: Friday, August 22, 2003 2:54 PM, To: 'Omachonu Ogali'; 'Todd Mitchell - lists', Cc: nanog@merit.edu, Subject: RE: Sobig.f surprise attack today):
> Where does one get hold of "The List" to know if you're on it?
>
> I've read many of the briefing/press releases put out by the anti-virus companies but they all seem to be withholding "the list" of master servers.
>
> -R
hmm seeing about 1% traffic to those ips, curiously none on that port number tho

not too exciting, did someone say weekend? ....

On Fri, 22 Aug 2003, Gary Attard wrote:
> http://xforce.iss.net/xforce/alerts/id/151
Omachonu Ogali wrote:
> If you're responsible for any of the IPs on the list, better permanently remove them from your DHCP pools, IP assignments, dial-up pools, or anything else that assigns IP addresses, because these will be filtered and forgotten for the next 200 years.

If the virus guys get smarter they'll put in /24's or /16's next time. Just scan through the block with magic cookie until you get the reply you're looking for and start downloading the update. Anyone willing to block the whole /16 of their dialup or dsl users if it shows up on an AV vendor's list?

Pete
I wish all surprise attacks came at preannounced times from known locations.

Matthew Kaufman
OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them?

Let's use the virus against itself. At this point, I think that's a legitimate countermeasure.

Owen

--On Friday, August 22, 2003 11:01 AM -0700 Jim Dawson <jdawson@navi.net> wrote:
> F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC.
>
> http://www.f-secure.com/news/items/news_2003082200.shtml
On Fri, 22 Aug 2003, Owen DeLong wrote:
> OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them?
>
> Let's use the virus against itself. At this point, I think that's a legitimate countermeasure.

Start coding, you've got twelve minutes.

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
participants (11)
- Andrew Kerr
- Gary Attard
- Jay Hennigan
- Jim Dawson
- Matthew Kaufman
- Omachonu Ogali
- Owen DeLong
- Petri Helenius
- Randy Neals (ORION)
- Stephen J. Wilcox
- Todd Mitchell - lists