Full Disclosure mailing list archives
RE: Anybody know what Sobig.F has downloaded?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 06 Sep 2003 23:53:09 +1200
A few days ago "Ferris, Robin" <R.Ferris () napier ac uk> wrote:
Old news: what most of us are waiting for is the next Sobig variant that will come out after Sept 10. Some have said that it will be out on the 11th, but I think that was just the AV vendors hyping things up (read Symantec, NAI etc.); the smaller ones are more accurate.
I'd not be surprised if we see it sooner, and I mean sooner than 10 September. There is no "need" for Sobig's writer to wait until then to release the next variant, and at least one previous "next variant" was released "early". Given that Sobig.F has been all but a complete failure (in terms of what it seems intended to achieve -- grow the relay and proxy network of the spammers posited to be behind it), it would not be surprising if the next variant were released "ahead of schedule".
For info on the 2nd part, go to Sophos or something like that; they have documented it quite well.
You are badly mistaken. Very, very few public sources of information about the nature of Sobig.F's "second stage" are available for the simple reason that it did not really happen. A couple of astute observations have been made, but not widely publicized (and are very unlikely to be because they are not the kind of thing that neatly boils down into a media-palatable sound bite).

Aside from those technical observations, we have had a bunch of companies engaged in self-congratulation and loudly patting themselves on their own backs for what a good job they did in helping to prevent the "second stage". Unfortunately, most of these have essentially been media events where the actual nature of Sobig's "second stage" has been largely, if not entirely, misrepresented -- a significant amount of the "popular media" coverage (and quite some of the FBI, etc. sourced material) would lead you to believe that the "second stage" that was so gallantly prevented was a DoS against 20 hapless and apparently arbitrarily chosen cable and DSL users around the world.

The media coverage of the whole Sobig.F fiasco, and the publicity chase that it inspired -- both in the antivirus & security industry and in law enforcement -- and/or that drove it, would be hilarious had it not done massive damage to the competent forensics work that could have been achieved if the gibbering half-wits that had to tattle their imagined glory to the media had just STFU for a while, for once.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html