Sobig.f surprise attack today

F-Secure Corporation is warning about a new level of attack to be
unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC.

http://www.f-secure.com/news/items/news_2003082200.shtml

Jim

Jim Dawson
Sent: Friday, August 22, 2003 2:02 PM
Subject: Sobig.f surprise attack today

F-Secure Corporation is warning about a new level of attack to be
unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC.

http://www.f-secure.com/news/items/news_2003082200.shtml

See the following message sent out by X-Force a few hours ago.

Todd

I wish all surprise attacks came at preannounced times from known locations.

Matthew Kaufman

OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines,
wouldn't it make more sense to replace them with honey-pots that download
code to remove SOBIG instead of just disabling them?

Let's use the virus against itself. At this point, I think that's a legitimate
countermeasure.

Owen

If you're responsible for any of the IPs on the list, better
permanently remove them from your DHCP pools, IP assignments,
dial-up pools, or anything else that assigns IP addresses,
because these will be filtered and forgotten for the next
200 years.

Start coding, you've got twelve minutes.

Where does one get hold of "The List" to know if you're on it?

I've read many of the briefing/press releases put out by the anti-virus
companies but they all seem to be withholding "the list" of master
servers.

-R

Randy Neals (ORION) wrote:

Where does one get hold of "The List" to know if you're on it?

I've read many of the briefing/press releases put out by the anti-virus
companies but they all seem to be withholding "the list" of master
servers.

It's been posted here, and f-secure has it, but I wrote a quick script to keep an eye on the 20 servers and dump the output to a simple page:

http://207.195.54.37/sobig.html

(Updates about every 5 mins)

http://xforce.iss.net/xforce/alerts/id/151

hmm seeing about 1% traffic to those ips, curiously none on that port number tho

not too exciting, did someone say weekend? ....

You're probing the list of NTP servers the worm uses to get the date, not
the list of hosts to which it "phones home".

Jay Hennigan wrote:

OK.. Seems to me that under the circumstances, since they're willing to
disconnect that host from the internet (any rational ISP would be), that
replacing it with a /32 route to a honeypot created by the ISP
would not be that difficult. Sure, it's unlikely that 100% of the ISPs
could do it in the time required, but, even if you just got the top 3
or so on the worm's hit list, it would have a significant impact.
If you got 10, then the surprise would be no more than 50% effective.

Sure, it won't happen in 30 minutes, but, I don't understand why this
wasn't started when F-Secure first noticed the situation.

Owen

Omachonu Ogali wrote:

If you're responsible for any of the IPs on the list, better
permanently remove them from your DHCP pools, IP assignments,
dial-up pools, or anything else that assigns IP addresses,
because these will be filtered and forgotten for the next
200 years.

If the virus guys get smarter they'll put in /24's or /16's next time. Just scan through
the block with magic cookie until you get the reply you're looking for and start
downloading the update.

Anyone willing to block the whole /16 of their dialup or dsl users if it shows up on
an AV vendor's list?

Pete

I seriously doubt that most (any?) ISP would be willing to accept the
legal liability for altering anything on the computer of a third party
that just happened to connect to an IP in a netblock they are
responsible for. White worms are an elegant engineering concept, but
have little practical value (and huge risk) outside of networks that you
control directly.

Doug

Again, I am not proposing a worm. Simply a cleaner that would neuter the
worm that connected. What I am proposing would _ONLY_ provide software that,
if the connecting client chose to execute it, would neuter the worm on the
connecting client that executed it. Nothing that would worm to other
computers from there. That's high risk.

Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist
based on such connections to a honeypot. Any system which made the correct
request could then have its address published via BGP or DNS for ISPs and
the like to do as they wish.

Again, I don't propose or advocate actively tampering with other people's
systems. However, if someone comes to my website and asks for executable
code, then executes it, I do not feel that it is my responsibility to
provide them code which will not alter the contents of their system.
I also don't feel it is my responsibility to determine if their request
came from a human authorized to use the computer or a worm.

Owen

an infected host dnsrbl doesn't sound like a bad idea...

-Dan

I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot so they burn through quite a few dynamic IP addresses along the way.

         ---Mike
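The infected-host blacklist that Owen and Dan sketch above, with the address churn Mike describes taken into account, as an added example that is not code from anyone in this thread. It assumes a constructed honeypot log format (UTC timestamp, source address, whether the request matched the worm's phone-home pattern), a hypothetical DNSBL zone name `sobig-infected.rbl.example`, and it expires a listing after a configurable age so that a dial-up address handed to a clean user a few minutes later is not still listed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample log from a hypothetical honeypot standing in for one of the
# worm's "phone home" hosts.  Format (assumed, not from the thread):
#   <UTC timestamp> <source IP> <yes|no: request matched the worm's pattern>
SAMPLE_LOG = """\
2003-08-22T18:55:10Z 192.0.2.17 yes
2003-08-22T18:57:42Z 192.0.2.17 yes
2003-08-22T18:58:03Z 198.51.100.9 no
2003-08-22T19:01:15Z 203.0.113.77 yes
2003-08-22T17:30:00Z 192.0.2.200 yes
"""

ZONE = "sobig-infected.rbl.example"   # hypothetical DNSBL zone name
LISTED = "127.0.0.2"                  # conventional DNSBL "listed" answer
TTL = 300                             # short TTL: listings are meant to age out fast


def parse_ts(text):
    """Parse the log's UTC timestamp into a timezone-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Return {ip: last_seen} for sources whose request matched the worm's pattern.

    Only IPv4 is accepted, since the list is emitted as reversed octets; a bad
    address raises ValueError rather than silently producing a broken record.
    """
    last_seen = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ip, matched = line.split()
        if matched != "yes":
            continue                      # ordinary probes and scanners, not the worm
        if ipaddress.ip_address(ip).version != 4:
            raise ValueError(f"IPv4 address expected: {ip}")
        when = parse_ts(ts)
        if ip not in last_seen or when > last_seen[ip]:
            last_seen[ip] = when
    return last_seen


def active_entries(last_seen, now_ts, max_age_minutes):
    """Keep only sightings newer than max_age_minutes.

    Dynamic pools recycle addresses quickly (the objection raised in the thread),
    so an address stays listed only while its last sighting is recent.
    """
    now = parse_ts(now_ts)
    limit = timedelta(minutes=max_age_minutes)
    return {ip: t for ip, t in last_seen.items() if now - t <= limit}


def reverse_octets(ip):
    """192.0.2.17 -> 17.2.0.192, the DNSBL query-name convention."""
    return ".".join(reversed(ip.split(".")))


def build_zone(entries, zone=ZONE, ttl=TTL):
    """Emit zone-file records: an A record marking the listing, a TXT with the sighting time."""
    records = []
    for ip in sorted(entries, key=ipaddress.ip_address):
        name = f"{reverse_octets(ip)}.{zone}."
        seen = entries[ip].strftime("%Y-%m-%dT%H:%M:%SZ")
        records.append(f"{name} {ttl} IN A {LISTED}")
        records.append(f'{name} {ttl} IN TXT "worm phone-home seen at honeypot {seen}"')
    return records


def is_listed(ip, entries):
    """What a resolver-side check of the generated zone would answer for one address."""
    return ip in entries


if __name__ == "__main__":
    seen = parse_log(SAMPLE_LOG)
    active = active_entries(seen, "2003-08-22T19:05:00Z", max_age_minutes=30)
    for rec in build_zone(active):
        print(rec)
```

Run as-is it lists two of the three matching sources: the 17:30 sighting is past the 30-minute window and is dropped, which is the point of the age check. Regenerating the zone every few minutes with a short TTL is what keeps a recycled dynamic address from staying listed for its next, uninfected, user.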

Mike Tancsa wrote:

I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot so they burn through quite a few dynamic IP addresses along the way.

This is an artifact of ISPs wanting to have static IPs as an add-on premium service
so they provide short lease times and change IP as often as it's feasible without
interrupting service unnecessarily.

Pete

Huh? This is an artifact of the way PM3s and MAX 6096s work with respect to how IP addresses are assigned out of pools.... i.e. this is the default behaviour. The same goes for our DSL pool.

         ---Mike