Full Disclosure mailing list archives

RE: Anybody know what Sobig.F has downloaded?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 06 Sep 2003 23:53:09 +1200

A few days ago "Ferris, Robin" <R.Ferris () napier ac uk> wrote:

> Old news; what most of us are waiting for is the next Sobig variant that
> will come out after Sept 10. Some have said that it will be out on the 11th,
> but I think that was just the AV vendors hyping things up (read Symantec,
> NAI, etc.); the smaller ones are more accurate.

I'd not be surprised if we see it sooner, and I mean sooner than 10 
September.  There is no "need" for Sobig's writer to wait until then to 
release the next variant, and at least one previous "next variant" was 
released "early".  Given that Sobig.F has been all but a complete 
failure (in terms of what it seems intended to achieve -- grow the 
relay and proxy network of the spammers posited to be behind it), it 
would not be surprising if the next variant were released "ahead of 
schedule".

> For info on the 2nd part, go to Sophos or something like that; they have
> documented it quite well.

You are badly mistaken.

Very, very few public sources of information about the nature of 
Sobig.F's "second stage" are available for the simple reason that it 
did not really happen.  A couple of astute observations have been made, 
but not widely publicized (and are very unlikely to be because they are 
not the kind of thing that neatly boils down into a media-palatable 
sound bite).  Aside from those technical observations, we have had a 
bunch of companies engaged in self-congratulation and loudly patting 
themselves on their own backs for what a good job they did in helping 
to prevent the "second stage".  Unfortunately, most of these have 
essentially been media events where the actual nature of Sobig's 
"second stage" has been largely, if not entirely, misrepresented -- a 
significant amount of the "popular media" coverage (and quite some of 
the FBI- etc.-sourced material) would lead you to believe that the 
"second stage" that was so gallantly prevented was a DoS against 20 
hapless and apparently arbitrarily chosen cable and DSL users around 
the world.

The media coverage of the whole Sobig.F fiasco, and the publicity chase 
that it inspired -- both in the antivirus & security industry and in 
law enforcement -- and/or that drove it, would be hilarious had it not 
done massive damage to the competent forensics work that could have 
been achieved if the gibbering half-wits that had to tattle their 
imagined glory to the media had just STFU for a while, for once.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

