TCH-Dick
Posted August 22, 2003

Title: Second and Third Stage SoBig Worm Infections Imminent

Abstract: The second and third stage attacks of the highly prevalent SoBig.F worm are set to strike Aug. 22 and 23 from 3 to 6 p.m. EST (1900-2200 UTC/GMT). Unbeknownst to most individuals, SoBig worms actually infect computers in three distinct phases.

Description: The second and third stage attacks of the highly prevalent SoBig.F worm are set to strike Aug. 22 and 23 from 3 to 6 p.m. EST (1900-2200 UTC/GMT). Unbeknownst to most individuals, SoBig worms actually infect computers in three distinct phases. If successful, computers are infected with a backdoor Trojan and a proxy server.

The Three Stages of SoBig

The first phase is the aggressive seeding and spreading of SoBig worm code through e-mail and through open network shares. The second stage is the installation of a backdoor Trojan horse. The third stage is the installation of a proxy server on the infected computer.

Updates to the SoBig Family

SoBig worms all have the same general characteristics. Each variant has been updated in various ways: to avoid anti-virus detection of the software it installs, to avoid rapid shutdown of the remote websites hosting its code, to fix bugs in the code and to add new features. For example, SoBig.F no longer accidentally truncates the extension of the e-mail attachment, and it has a multi-threaded SMTP engine for aggressive distribution of the code. Perhaps the most important update regarding the installation of additional malicious code is the change in the downloader component of SoBig, first seen in SoBig.D.

SoBig Downloader Component

SoBig.A had a simple downloader component. It checked the local time of the computer and, when conditions were right, attempted to retrieve a text file from a remote website. This website was hardcoded into the worm code. When analysts visited the website early in the outbreak, it contained no data. However, a short time later analysts found a URL there that pointed to another server hosting a backdoor Trojan horse. Worse, a few hours later another URL appeared, pointing to a cracked copy of WinGate to install a proxy server on the infected computer.

The idea behind the sequential downloader attack is simple. Infect a large number of computers quickly using standard worm techniques. Then install a backdoor Trojan to steal cached password data and gain remote backdoor access to the infected computers. This also lets the attacker build a database of the IP addresses of all infected computers via the Trojan horse's notification. The third stage of infection is then used to infect computers that are still online with a proxy server, so that these computers can be used as tunnels to protect the identity of the author, to send out spam or to seed malicious code into the wild.

Significant Changes to the Downloader Component

The problem with a downloader solution like this is that it relies heavily upon the website(s) hardcoded into the malicious code. Once security experts identify such remote websites, the sites are rapidly removed from the Internet. Once removed, the author of SoBig is no longer able to update computers with backdoor Trojan horse programs or the proxy server.

When SoBig.D came out in June 2003, about six months after the first variant of SoBig, it changed tactics regarding the downloader component. SoBig.D did not use Geocities websites for the attack but used victim computers instead. By identifying infected computers that always have the same IP address, the author of SoBig was able to use them as file servers for his secondary and tertiary attacks. It is much more difficult to shut down the service to a subscriber than it is a Geocities website. Additionally, multiple URLs can quickly be seeded to the downloader addresses, pointing to multiple secondary file servers.

SoBig.F Attacks Pending

SoBig.F has 20 different high-speed IP addresses of various victims included in the code. When the SoBig.F secondary and tertiary conditions are met, infected computers contact these hosts and are infected with new malicious code. Instead of using the local time, which is often incorrect, SoBig.F gathers the date and time from remote NTP servers. This way every infected computer performs its coordinated downloads at exactly the same time, so that the malicious actor carefully controls the rollout of a backdoor Trojan and proxy server to SoBig-infected computers.

As of Friday, Aug. 22, 2003, at 1900-2200 UTC (3-6 p.m. EST), the SoBig worms will begin to communicate with the 20 victimized computers using encrypted communications. At that time a backdoor Trojan horse will likely be installed on all SoBig-infected computers. On Sunday, Aug. 24, 2003, for the same period, this process is repeated and will likely result in the installation of the WinGate proxy server, customized for malicious purposes. iDEFENSE is working closely with authorities in an attempt to remove access to these 20 computers to help prevent the installation of new malicious code on SoBig-infected computers.

Alias: SoBig, Win32.Sobig.f, W32.Sobig.F@mm, Sobig.F, W32/Sobig.f@MM, WORM SOBIG.F

Analysis: SoBig.F is the fastest spreading and most widespread worm to date, at least based on total interceptions. However, total interceptions don't accurately reflect the total number of computers infected with the worm. One computer may repeatedly perform mass mailings to generate literally thousands of infected e-mails within a short period. Millions of interceptions of SoBig.F have been made in the first 36 hours of the outbreak, but a much smaller number of computers are likely infected. Several hundred thousand computers are likely infected with SoBig worms to date. The malicious actor responsible for SoBig can remotely control formerly infected computers as well as newly compromised computers ?

Detection: Remove all files associated with this malicious code threat. Restore corrupted or damaged files with clean back-up copies. Restore files potentially overwritten by the worm. Validate functionality of all anti-virus and security-related software. Harden all accounts and passwords against attack. Also look for Lala/Hooker and WinGate software packages potentially installed by the SoBig worm, in addition to other malicious code.

Recovery: Remove all files associated with this malicious code threat. Restore corrupted or damaged files with clean back-up copies. Restore files potentially overwritten by the worm. Validate functionality of all anti-virus and security-related software. Harden all accounts and passwords against attack.

Workaround: Configure e-mail servers and workstations to block the file types BAT, EXE, PIF, SCR, UUE, VBS, ZIP and others that are commonly used by malicious code to spread to other computers. Carefully manage all new files, scanning them with updated anti-virus software using heuristics prior to use. Simply blocking SCR and PIF e-mail attachments will likely be enough to block the e-mail component of this worm. Limit network shares as much as possible to protect against the network-shares component of this worm. Especially avoid sharing startup directories and startup files that may be exploited by such malicious code.

Vendor Fix: Multiple anti-virus vendors have released updated signature files to protect against this malicious code. However, former variants of SoBig worms have released new, undetected variants of the Lala/Hooker worm.
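The advisory's workaround is a gateway-side attachment filter on file extension (SCR and PIF at minimum, the longer BAT/EXE/PIF/SCR/UUE/VBS/ZIP list if tolerable). The block below is an added example of such a filter, not code from the original post or from iDEFENSE: it parses a raw MIME message with Python's standard library, walks every part, and reports attachments whose final extension is on the blocklist. The sample message, its addresses and its attachment names are constructed for the demo and are not taken from a real SoBig.F sample.

```python
"""Attachment-extension filter of the kind the advisory recommends.

Added example (not part of the original post or the iDEFENSE advisory).
The message built by build_sample() is constructed for this demo; the
addresses, subject and attachment names are made up.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions the advisory recommends blocking at the mail gateway.
BLOCKED_EXTENSIONS = {"bat", "exe", "pif", "scr", "uue", "vbs", "zip"}


def blocked_extension(filename):
    """Return the blocked extension of *filename* (lower-case), or None.

    Matches case-insensitively, strips trailing dots/whitespace that some
    clients hide, ignores any path component, and looks only at the *last*
    extension so a double-extension name like 'photo.jpg.SCR' is caught.
    """
    if not filename:
        return None
    name = filename.strip().rstrip(".").lower()
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # basename only
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw):
    """Parse *raw* (bytes of an RFC 2822 message) and return a list of
    (filename, extension) pairs for every attachment that should be blocked.
    An empty list means the message may pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        fname = part.get_filename()
        ext = blocked_extension(fname)
        if ext:
            hits.append((fname, ext))
    return hits


def build_sample():
    """Constructed demo message: two blocked attachments and one benign one."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    # Plain .pif, the extension the advisory singles out.
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename="details.pif")
    # Double extension with odd casing; the filter must still catch it.
    msg.add_attachment(b"fake image bytes", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.SCR")
    # Benign attachment that must not be flagged.
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, ext in scan_message(build_sample()):
        print(f"BLOCK {fname!r} (extension .{ext})")
```

A filter like this is cheap and stops the worm's mail component, but it is only as good as its list: a gateway that matches on the first extension rather than the last, or that compares case-sensitively, lets `photo.jpg.SCR` through. Extension filtering also says nothing about the network-share component, which the advisory addresses separately.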
ztrauq
Posted August 28, 2003

Does anyone know to what extent this worm has affected TCH servers? I know that it's caused some problems with my ISP's connectivity, and I was just wondering how well TCH is weathering this onslaught.
TCH-Andy
Posted August 28, 2003

Sobig only affects Microsoft - hence the servers are themselves totally immune and unaffected.
Deverill
Posted August 28, 2003

Unaffected except for the CPU cycles and bandwidth wasted rejecting virus attempts. But there's probably no visible slowdown. These doggone viruses aren't harmless even if they don't "getcha".