nanog mailing list archives

RE: Sobig.f surprise attack today

From: "Austad, Jay" <JAustad () temgweb com>
Date: Fri, 22 Aug 2003 16:37:48 -0500


I don't think the purpose was to DoS them.  It looks like some of them were
hosts on Comcast's cable network, probably some user machines being used to
host the second part of the payload.

I just want to know what the second part of this thing does.  It's better
than watching TV.  :)

-----Original Message-----
From: Mark Segal [mailto:MSegal () Corporate FCIBroadband com]
Sent: Friday, August 22, 2003 4:05 PM
To: 'netadm'; 'nanog () merit edu'
Subject: RE: Sobig.f surprise attack today

My questions is what were those servers.. Was the purpose to denial of
service attack them?  If so we just assisted that.. :)

mark

--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband

-----Original Message-----
From: netadm [mailto:netadm () infolink com] 
Sent: August 22, 2003 3:50 PM
To: nanog () merit edu
Subject: RE: Sobig.f surprise attack today

From http://www.f-secure.com/v-descs/sobig_f.shtml
-----------------------------------------------------------------
Update on 19:00 UTC 

When deadline for the attack was passed, one machine was still
(somewhat) up. However, immediatly after the deadline, this 
machine (located
in the USA) was totally swamped under network traffic. 

We've tried connecting to it, just like the virus does. We do 
this from
three different sensors from three different machines in 
three different
countries. We haven't been able to connect to it once. If we 
can't connect,
neither can the viruses. 

So the attack failed. Whoa. 

We'll keep monitoring until 22:00 UTC. If we're not able to 
connect once, we
can safely say that the attack was prevented. 

-----Original Message-----
From: Andrew Kerr [mailto:andrew_kerr () iamnos ca] 
Sent: Friday, August 22, 2003 3:43 PM
To: Jay Hennigan
Cc: nanog () merit edu
Subject: Re: Sobig.f surprise attack today

Jay Hennigan wrote:

On Fri, 22 Aug 2003, Andrew Kerr wrote:

Its been posted here, and f-secure has it, but I wrote a

quick script

to keep an eye on the 20 servers and dump the output to a

simple page:


http://207.195.54.37/sobig.html

(Updates about every 5 mins)



You're probing the list of NTP servers the worm uses to get

the date,

not the list of hosts to which it "phones home".



A few people pointed that out.  By the time this message hits 
the list, 
it should be corrected.

Current thread:

Re: Sobig.f surprise attack today, (continued)
- - - Re: Sobig.f surprise attack today Damian Gerow (Aug 28)
    - Re: Sobig.f surprise attack today Petri Helenius (Aug 28)
    - Re: Sobig.f surprise attack today Mike Tancsa (Aug 28)
- RE: Sobig.f surprise attack today Matthew Kaufman (Aug 22)
- RE: Sobig.f surprise attack today Vachon, Scott (Aug 22)
  - Re: Sobig.f surprise attack today steve uurtamo (Aug 22)
- RE: Sobig.f surprise attack today Todd Mitchell - lists (Aug 22)
- RE: Sobig.f surprise attack today Irwin Lazar (Aug 22)
- RE: Sobig.f surprise attack today netadm (Aug 22)
- RE: Sobig.f surprise attack today Mark Segal (Aug 22)
- RE: Sobig.f surprise attack today Austad, Jay (Aug 22)
- RE: Sobig.f surprise attack today Dr. Jeffrey Race (Aug 22)