Sobig.F Weekend Attack Thwarted; Feds Hunt Source

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Federal authorities successfully thwarted a second-wave
attack from the mass-mailing Sobig.F virus over the weekend by taking
down 18 computer servers that were being used to distribute a malicious
payload.

After identifying 20 compromised server IP addresses that were being used
to drop destructive code into infected machines, the FBI spent the weekend
shutting down 18 of the master servers, a move that effectively crippled the
spread of the virus.

However, security experts are warning that Sobig.F will continue to squirm through e-mail inboxes until September 10, when it is programmed to expire.

Separately, Arizona-based UseNet access provider Easynews.com has
confirmed receipt of a subpoena from the FBI for information regarding the
uploading of the virus on Monday, August 18.

“The FBI informed Easynews.com that an individual had used the
Easynews.com UseNet server to upload the SoBig.F virus on Monday, August
18th. The FBI was requesting any information relating to the account used to
upload the virus to the UseNet network,” the company said, confirming that
the virus was first uploaded to an adult UseNet group by one of its
users.

“It appears the account was created with a stolen credit card for the
sole purpose of uploading the virus to the UseNet network.” said Easynews
CTO Michael Minor.

Easynews has released
the UseNet headers from one of the binary posts that contained the virus.

Meanwhile, F-Secure, one of a slew of anti-virus firms tracking the spread of the virus, noted that Sobig.F will try to activate again at the same time on every following Friday and Sunday until September 10th. But, because the compromised servers have been disconnected, those attempts will fail.

“F-Secure has been attempting to connect to all the 20 machines from
three different sensors in three different countries to confirm that they
are down. So far, we’ve been unable to connect even once. If we can’t
connect, neither can the infected machines – and the activation won’t
succeed,” the company said.

There is the possibility that the worm can be re-programmed to update the
master list of IP addresses to strengthen a future attack, warns Ken Dunham,
a malicious code intelligence manager for iDefense Inc.

“It is believed that UDP ports 995-999 are opened on a SoBig infected
computer to enable the attacker to update the master list of IPs used in the
attack. If this is true, the attacker could reconfigure remaining SoBig
infected computers through UDP communications for a successful attack next
Sunday or on future attack dates,” Dunham said in a note issued on
Monday.

“If it is determined how the reconfiguring of IP addresses works, any other
malicious attacker could redirect infected hosts before September 10 to
download and run a binary of his choosing,” Dunham added.

To avoid the heavy carpet
bombing experienced last week, Dunham has recommended that outbound UDP
8998 activity be blocked to block SoBig.F communications with remote servers
hard coded into the code of the worm used for updating itself/installing new
code.

He also urged that UDP ports 995-999 be blocked to help prevent against a
possible master IP list update by a malicious actor.