Sobig.F Weekend Attack Thwarted; Feds Hunt Source
Despite claiming a minor victory over a second wave of the fast-spreading worm, experts warn that open ports on infected machines continue to pose a major threat.
Federal authorities successfully thwarted a second-wave attack from the mass-mailing Sobig.F virus over the weekend by taking down 18 computer servers that were being used to distribute a malicious payload.
After identifying 20 compromised server IP addresses that were being used to drop destructive code into infected machines, the FBI spent the weekend shutting down 18 of the master servers, a move that effectively crippled the spread of the virus.
However, security experts are warning that Sobig.F will continue to squirm through email inboxes until September 10, when it is programmed to expire.
Separately, Arizona-based UseNet access provider Easynews.com has confirmed receipt of a subpoena from the FBI for information regarding the uploading of the virus on Monday, August 18.
“The FBI informed Easynews.com that an individual had used the Easynews.com UseNet server to upload the SoBig.F virus on Monday, August 18th. The FBI was requesting any information relating to the account used to upload the virus to the UseNet network,” the company said, confirming that the virus was first uploaded to an adult UseNet group by one of its users.
“It appears the account was created with a stolen credit card for the sole purpose of uploading the virus to the UseNet network.” said Easynews CTO Michael Minor.
Easynews has released the UseNet headers from one of the binary posts that contained the virus.
Meanwhile, F-Secure, one of a slew of anti-virus firms tracking the spread of the virus, noted that Sobig.F will try to activate again at the same time on every following Friday and Sunday until September 10th. But, because the compromised servers have been disconnected, those attempts will fail.
“F-Secure has been attempting to connect to all the 20 machines from three different sensors in three different countries to confirm that they are down. So far, we’ve been unable to connect even once. If we can’t connect, neither can the infected machines – and the activation won’t succeed,” the company said.
There is the possibility that the worm can be re-programmed to update the master list of IP addresses to strengthen a future attack, warns Ken Dunham, a malicious code intelligence manager for iDefense Inc.
“It is believed that UDP ports 995-999 are opened on a SoBig infected computer to enable the attacker to update the master list of IPs used in the attack. If this is true, the attacker could reconfigure remaining SoBig infected computers through UDP communications for a successful attack next Sunday or on future attack dates,” Dunham said in a note issued on Monday.
“If it is determined how the reconfiguring of IP addresses works, any other malicious attacker could redirect infected hosts before September 10 to download and run a binary of his choosing,” Dunham added.
To avoid the heavy carpet bombing experienced last week, Dunham has recommended that outbound UDP 8998 activity be blocked to block SoBig.F communications with remote servers hard coded into the code of the worm used for updating itself/installing new code.
He also urged that UDP ports 995-999 be blocked to help prevent against a possible master IP list update by a malicious actor.
