From: InfoSec News (isnc4i.org)
Date: Fri Aug 29 2003 - 03:21:10 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.eweek.com/article2/0,3959,1231802,00.asp

By Dennis Fisher
August 26, 2003

It turns out that SoBig.F is even less original than previously
thought.

The self-updating capability that had anti-virus experts, users and
even the FBI scrambling this weekend was in fact present in some of
the earlier versions of the virus, albeit in a somewhat less advanced
form.

"That capability was in previous versions. I think what set off the
red flag this time is the prevalence of this version and the potential
for what could happen," said Ian Hameroff, eTrust security strategist
at Computer Associates International Inc., in Islandia, N.Y.

A couple of anti-virus vendors on Friday announced that they had
discovered a new feature of SoBig.F that instructed infected machines
to connect to one of 20 IP addresses that were hidden in the virus's
code. The PCs were then supposed to download and execute an unknown
file. Security experts feared that the file could be a Trojan or some
tool for launching a broader attack.

However, authorities were able to locate and shut down the vast
majority of the 20 machines, and the expected onslaught of activity
never materialized. The self-updating capability was first seen in
SoBig.C, but until this latest version, none of the viruses had the
list of IP addresses for infected machines to contact.

Although they were able to deflect the mystery attack, anti-virus
experts nonetheless are still worried about the long-term implications
of SoBig.F. The virus spread more quickly than any other piece of
malware in history and has infected countless machines. It is the
sixth version of the SoBig virus to appear, and each iteration of the
virus also contains an expiration date, after which the virus is
programmed to stop trying to spread.

These facts have led some experts to speculate that the SoBig viruses
are being written, released and subsequently improved upon by
professionals who have some larger goal in mind than simply flooding
inboxes with useless e-mail.

The fact that some portion of the self-updating feature was in
previous versions of the virus would appear to bolster the argument
for this trial-and-error scenario. But some in the anti-virus
community don't buy it.

"We haven't seen any evidence of this being used as a mechanism for
sending commercial spam," said Chris Wraight, technology consultant at
Sophos Inc., an enterprise anti-virus company based in Lynnfield,
Mass. "It's definitely weird that a new one is released so often. It's
almost like beta testing."

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]