The Sobig.f worm ... is poised to unleash a new phase of its havoc between 3:00 PM and 6:00 PM Eastern Standard Time on Friday. ... [it] is planning a new phase of attack to hit on Fridays and Sundays until it ... expire[s] on Sept. 10th.
... infected computers are programmed to start to connect to machines found on an encrypted list hidden in the virus body. ... the list contains the address of 20 computers located in United States, Canada and South Korea ...
Once the worm infected a machine, it was then programmed to go to one of those 20 Web sites to pull down code to drop it into the infected machine, ... those 20 machines are believed to be [currently] offline. [They] seem to be typical home PCs, connected to the Internet with always-on DSL connections," ... "Most likely the party behind Sobig.f has broken into these computers and they are now being misused to be part of this attack."
... [Sobig.F] connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a Web address ... Infected machines download a program from this address -- and run it. At this moment experts say they are not sure what the program will do.
F-Secure said it has been able to break into this system and crack the encryption, but currently the Web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyze it and come up with countermeasures," ... "So apparently their plan is to change the Web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."
The Sobig worms come with a three-stage attack, ... The e-mail worm is the first stage, installing a backdoor Trojan is the second stage and then installing a proxy server is the last stage. "The backdoor [Trojan] is designed to let the attacker steal information," ... "He could steal password data or the worm could activate a key logger whenever you're doing online banking."
... if the 20 IPs used in the attack are available and manipulated by the attacker, the attacker can install malicious code of choice on SoBig infected computers connecting to the downloader IP. The code may be anything but has traditionally been a backdoor Trojan (Lala/Hooker) and then a copy of Wingate (proxy server).
"Blocking outbound UDP 8998 activity will successfully block SoBig communications with remote servers hard coded into the code of the worm used for updating itself/installing new code. Additionally, blocking against the NTP server ports may prevent the worm from meeting certain date and time conditions for the secondary and tertiary attacks. [Also] Block port 123 and UDP ports 995-999," ... and ... block against the Wingate proxy server if found on a computer so that spam cannot be sent through a formerly infected or currently infected computer.
Reply With Quote
