Full Disclosure mailing list archives
RE: Sobig has a surprise...
From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Fri, 22 Aug 2003 19:15:17 -0500
After reviewing the actual firewall logs I find my initial report was not entirely correct. There were two variants, not three, and the second variant contacted a list of 5 hosts, none of which were on the "big" list of 20 hosts. The second list of five addresses (all seem to be on cable or dsl networks) is given below.

List published by Sophos and others

Addresses contacted by infected systems on our network

Infected machine 1
67.164.250.26/8998
129.244.36.194/8998
67.73.60.121/8998
218.146.139.246/8998
66.169.84.77/8998

Infected machine 2
67.164.250.26/8998
129.244.36.194/8998
67.73.60.121/8998
218.146.139.246/8998
66.169.84.77/8998

Infected machine 3

I don't believe we can get a copy of the virus off the machines with the variant. The machines don't belong to us, even though they are on our network.

Jerry

-----Original Message-----
From: Andre Ludwig [mailto:ALudwig () Calfingroup com]
Sent: Friday, August 22, 2003 6:33 PM
To: Jerry Heidtke
Subject: RE: [Full-disclosure] Sobig has a surprise...

Anyway you could possibly capture a copy of your variant and post it on the web in a zip file. I would also be interested in seeing the list of ips that you have.

Andre Ludwig, CISSP

-----Original Message-----
From: Jerry Heidtke [mailto:jheidtke () fmlh edu]
Sent: Friday, August 22, 2003 3:11 PM
To: Jamie L Thompson; Florian Weimer
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Sobig has a surprise...

All the experts were totally faked out.

While everyone was concentrating on getting the "magic 20" machines shut down, no one realized that different copies of Sobig.f had different lists of servers to contact. We put a block of udp port 8998 on our firewall this morning. We had 3 previously undetected infected machines on our network, each of which tried to contact a different list of 20 machines. One of the lists corresponds to the one that Sophos and others have published. The other two lists have no addresses in common with the published list, or with each other.

I wonder how many different sets of servers there were, how many different variants of Sobig.f there were, and how many infected machines now have some additional trojan, worm, or ddos code waiting for a command to do something.

Jerry

-----Original Message-----
From: Jamie L Thompson [mailto:jlt () raytheon com]
Sent: Friday, August 22, 2003 3:17 PM
To: Florian Weimer
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Sobig has a surprise...

Sophos has the list of ips posted.

Florian Weimer <fw () deneb enyo de>
Sent by: full-disclosure-admin () lists netsys com
08/22/2003 03:19 PM
To: Steve Postma <spostma () travizon com>
cc: "'full-disclosure () lists netsys com'" <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] Sobig has a surprise...

Steve Postma <spostma () travizon com> cites:

However, the Sobig.F worm has a surprise attack in its sleeve."

From the web site:

| "As soon as we were able to crack the encryption used by the worm to
| hide the list of the 20 machines, we've been trying to close them
| down", explains Mikko Hypponen.

18 of 20 addresses were known to the AV community since Tuesday. I don't know what F-Secure is doing here. Why don't they publish the list of IP addresses so that people can put filters on their networks?

*sigh*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
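The firewall-log review Jerry describes above (grouping outbound UDP/8998 attempts per internal host and comparing each host's destination set with the published list of 20) as an added example, not code from the thread. It assumes iptables-style log lines; the log lines and the "published" addresses are constructed stand-ins, not the real Sobig.F hosts.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (documentation-range addresses, not real traffic):
# outbound UDP to port 8998, the port Sobig.F used to reach its list of servers.
SAMPLE_LOG = """\
Aug 22 14:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.20 DST=192.0.2.10 PROTO=UDP SPT=1035 DPT=8998
Aug 22 14:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.20 DST=192.0.2.11 PROTO=UDP SPT=1035 DPT=8998
Aug 22 14:01:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.20 DST=192.0.2.12 PROTO=UDP SPT=1035 DPT=8998
Aug 22 14:02:10 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.57 DST=198.51.100.5 PROTO=UDP SPT=2044 DPT=8998
Aug 22 14:02:10 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.57 DST=198.51.100.6 PROTO=UDP SPT=2044 DPT=8998
Aug 22 14:02:11 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.1.57 DST=203.0.113.53 PROTO=UDP SPT=2045 DPT=53
Aug 22 14:03:30 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.88 DST=192.0.2.10 PROTO=UDP SPT=3003 DPT=8998
Aug 22 14:03:30 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.88 DST=198.51.100.7 PROTO=UDP SPT=3003 DPT=8998
"""

# Constructed stand-in for the published list of 20 servers (placeholder values).
PUBLISHED = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Only UDP with destination port 8998 is of interest; DNS and other UDP is ignored.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=UDP .*DPT=8998\b")

def contacts_by_source(log_text):
    """Map each internal source host to the set of UDP/8998 destinations it tried."""
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            contacts[m.group(1)].add(m.group(2))
    return dict(contacts)

def classify(contacts, published):
    """Per source host: 'published' if every destination is on the known list,
    'unknown' if none is, 'mixed' otherwise. An 'unknown' or 'mixed' host is
    running a copy whose server list differs from the one being blocklisted."""
    result = {}
    for src, dsts in contacts.items():
        known = dsts & published
        if known == dsts:
            result[src] = "published"
        elif not known:
            result[src] = "unknown"
        else:
            result[src] = "mixed"
    return result

if __name__ == "__main__":
    c = contacts_by_source(SAMPLE_LOG)
    for src, verdict in classify(c, PUBLISHED).items():
        # Print the destinations not on the published list: candidates for the filter.
        print(src, verdict, sorted(c[src] - PUBLISHED))
```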