
Sobig.F Could Strike Again

Hidden code instructs infected computers to launch mass attack.

Paul Roberts, IDG News Service


Security experts are warning of a possible attack or mass action by machines infected with the Sobig.F worm scheduled to begin at 3 p.m. EST on Friday.

Code buried deep in the Sobig.F worm will cause afflicted Microsoft Windows machines worldwide to simultaneously connect to an as-yet unknown Web page and download a software program, according to security company F-Secure of Helsinki. The machines are using a number of atomic clocks worldwide to synchronize activities and coordinate the mass action, F-Secure said.

Hidden Threat

Researchers at F-Secure have analyzed the Sobig.F worm code and discovered the instructions, which are similar to those found in previous editions of the Sobig.F virus, said Mikko Hypponen, head of antivirus research at F-Secure.

For Sobig.F, F-Secure researchers cracked an encrypted list of 20 IP addresses that the infected machines will attempt to connect to, trying each in order until a successful connection is made.

Those IP addresses belong to Sobig-infected machines outfitted by the Sobig.F authors with instructions to receive requests from other Sobig.F machines and to respond with the location of a file that those machines should download and run, Hypponen said.
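The rendezvous behaviour described above (a time check against public clocks, then a walk down a fixed list of server addresses until one answers, then a download of whatever URL that server hands back) is also the pattern a network defender can look for in egress logs. The following is an added example, not code from the article or from F-Secure: it runs a small detector over constructed flow-log lines. The 20 addresses F-Secure recovered are not printed in the article, so the list here is a placeholder in the TEST-NET-3 range, the log format and timestamps are constructed, and the 15-minute window, the port numbers on the rendezvous lines, and the "two or more listed hosts" threshold are assumptions.

```python
# Added example (not from the article or F-Secure): flag hosts that show the
# Sobig.F rendezvous pattern in egress flow logs. Match is on destination
# address, so the port on the rendezvous lines does not matter.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder list: the article says 20 addresses were recovered but gives none.
# A real deployment would load the vendor-published list instead.
RENDEZVOUS_SERVERS = [f"203.0.113.{n}" for n in range(1, 21)]
NTP_PORT = 123                    # well-known NTP port ("atomic clocks" in the text)
WINDOW = timedelta(minutes=15)    # assumed: clock check shortly before first contact
MIN_LISTED_CONTACTS = 2           # assumed: touching 2+ listed hosts = walking the list

# Constructed flow-log format: "<iso-time> <src> -> <dst>:<dport> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed flow-log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_rendezvous(lines, servers=RENDEZVOUS_SERVERS):
    """Return {src_host: report} for hosts showing the rendezvous pattern."""
    listed = set(servers)
    ntp_times = defaultdict(list)
    contacts = defaultdict(list)  # src -> [(ts, dst, action)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == NTP_PORT and rec["proto"] == "udp":
            ntp_times[rec["src"]].append(rec["ts"])
        elif rec["dst"] in listed:
            contacts[rec["src"]].append((rec["ts"], rec["dst"], rec["action"]))

    reports = {}
    for src, hits in contacts.items():
        hits.sort()
        first = hits[0][0]
        # Did the host ask a time server shortly before its first rendezvous attempt?
        synced = any(first - WINDOW <= t <= first for t in ntp_times.get(src, []))
        distinct = []
        for _, dst, _ in hits:
            if dst not in distinct:
                distinct.append(dst)
        # Servers tried in the same order as the recovered list is the tell-tale
        # "try each in turn until one answers" behaviour.
        in_list_order = distinct == sorted(distinct, key=servers.index)
        if len(distinct) >= MIN_LISTED_CONTACTS or synced:
            reports[src] = {
                "ntp_before_contact": synced,
                "servers_tried": distinct,
                "tried_in_list_order": in_list_order,
                # Servers already taken offline or blocked still produce attempts,
                # so count denied/failed contacts rather than only successes.
                "blocked_attempts": sum(1 for _, _, a in hits if a != "allow"),
                "first_contact": first,
            }
    return reports


# Constructed sample: one infected host walks the list (two servers already
# down), one host only does an NTP check, one touches a single listed address.
SAMPLE_LOG = """\
2003-08-22T14:59:40 10.1.1.20 -> 192.0.2.10:123 udp allow
2003-08-22T15:00:02 10.1.1.20 -> 203.0.113.1:8998 udp deny
2003-08-22T15:00:03 10.1.1.20 -> 203.0.113.2:8998 udp deny
2003-08-22T15:00:04 10.1.1.20 -> 203.0.113.3:8998 udp allow
2003-08-22T15:02:11 10.1.1.31 -> 198.51.100.7:80 tcp allow
2003-08-22T13:10:00 10.1.1.45 -> 192.0.2.10:123 udp allow
2003-08-22T15:05:00 10.1.1.52 -> 203.0.113.9:8998 udp deny
"""

if __name__ == "__main__":
    for host, report in detect_rendezvous(SAMPLE_LOG.splitlines()).items():
        print(host, report)
```

Two points follow from the design. A single contact to one listed address without a preceding clock check is deliberately left unflagged, because a lone hit on a published indicator can be a scanner or a mistyped address; the list walk and the time check together are what distinguish an infected host. And because the servers were being taken offline one by one, the denied or failed attempts are the stronger signal, which is why the detector counts attempts rather than successful connections.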

"These are probably easy-to-crack machines from around the world -- Windows boxes where the user has no idea that the machine is infected and is being used in the attack," he said.

Unknown Agenda

Currently, the 20 Sobig.F "server" machines contain instructions to download a nonexistent file on the www.sex.com domain, but the person or people behind Sobig.F will probably wait until the last second before uploading the real instructions to the 20 machines.

"Obviously the logic of the virus writers is to change the URL (pointing to the file) just before the attack starts. They're thinking about how we work and trying to make it harder," he said.

Without seeing the actual instructions that infected Sobig.F machines download by the thousands, it's impossible to know what the Sobig.F machines will be directed to do, Hypponen said.

For example, if the virus author sent instructions for the Sobig.F machines to download a file on Microsoft's Web page or that of another high-profile target, it could create a massive denial-of-service attack, he said.

The Spam Connection

Previous editions of Sobig.F downloaded software programs that turn infected machines into so-called "open proxies," Hypponen said. Open proxies act as e-mail distribution hubs allowing anonymous sending of massive waves of spam. Sobig.F's author may be planning to do the same, creating a large network of open proxies that can be used for future spam campaigns.

Security experts have long noted the connections between the Sobig.F worm and the work of spammers, who use open proxies to cover their tracks while barraging e-mail accounts with solicitations for pornography, "get rich quick" scams and cheap prescription drugs.

In an attempt to control the flood of spam e-mail, Internet service providers have been cracking down on loosely managed open proxies, prompting spammers to look for ways to create new proxies, Hypponen said. Security companies have noted a correlation between the appearance of worms like Sobig.F and an increase in spam traffic from open proxies.

Plan of Attack

After deciphering the attack, F-Secure contacted both the European Computer Emergency Response Team and the U.S. Federal Bureau of Investigation regarding the threat; those agencies in turn contacted the ISPs hosting the Sobig.F servers and asked them to suspend the machines' Internet connections, Hypponen said.

As of Friday morning, 12 of 20 Sobig.F servers had been taken offline and authorities were working to contact other affected ISPs.

The job of shutting down the servers has been complicated, in part because the Sobig.F authors took precautions when selecting the machines to use as servers, making sure that each was controlled by a different ISP worldwide.

The FBI has analyzed the Sobig.F code and is aware of the planned attack, said Bill Murray, a spokesman for the FBI's cyber division. The agency is working with the Information Analysis and Infrastructure Protection Directorate of the Department of Homeland Security and other federal agencies to develop a strategy to help mitigate further spread of the Sobig.F code, he said.

The FBI also launched an investigation into Sobig.F and is trying to determine who released the code into the wild, Murray said. Individuals with information about the Sobig.F worm that might help investigators should contact their local FBI field office, he said.
