Has Sobig Picked a New Target?

Romanian researchers claim to have discovered a variant of the Sobig.F virus that looks to mail and domain name servers at Time Warner Telecom for information about how to modify its behavior.

The first Sobig.F virus contained an encrypted list of the IP addresses of 20 servers. At a predetermined time, the virus would contact each server in turn until one responded with the URL of a file, which the virus would then try to download and execute.

Last week, antivirus software developers and network operators raced to identify and shut down the 20 servers, before the machines could issue instructions to the virus. Now, it seems, the goalposts may have been moved. A variant of the virus, containing a different list of servers to contact, is circulating.

Servers Fingered

The newest Sobig.F variant contains an encrypted list of the names of seven servers operated by Time Warner Telecom, according to researchers at Softwin SRL, an antivirus software company in Bucharest, Romania.

Two of the servers are Simple Mail Transfer Protocol (SMTP) servers that the virus uses to send out more copies of itself in infected e-mail messages, according to Mihai Chiriac, who works on Softwin's BitDefender antivirus software. The virus tries to contact the other five--apparently domain name servers--on port 8998 to ask for the URL of a file to download and execute.

"When the virus tried to access the servers on that particular port, the servers did not respond because that port was closed. But this may mean that some time from now, that port may be opened. We have to look at every possibility," Chiriac says.

Chiriac found the decrypted domain names stored in his PC's memory while he was analyzing the behavior of the Sobig.F virus. Softwin has received at least three messages containing the variant, which had apparently been sent to the company randomly by the virus, and not deliberately by a human being, he says. He has not yet determined what triggers the virus to contact the TWT servers.

A Time Warner Telecom representative was not immediately able to comment on the matter.

Power of Redirection

Staff at another antivirus software company, MessageLabs of Gloucester, England, had not yet encountered the variant. But a company representative finds it intriguing that the virus might update itself using a list of domain names, rather than a list of IP addresses.

"It's interesting because it means they can update the addresses externally by manipulating the DNS," says Paul Wood, chief information security analyst for MessageLabs.

In this way, the target of the virus can be changed without the virus itself needing to be updated, Wood says.

According to Softwin's Chiriac, the variant Sobig.F is detected by antivirus software in the same way as the original Sobig.F, only the data segment of the virus is different, he adds.