Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Update on Sobig stage 2

From: InfoSec News <isn () c4i org>
Date: Mon, 25 Aug 2003 02:37:58 -0500 (CDT)
Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

About 4 hours before it was due to trigger, F-Secure found an
encrypted section of code in the Sobig virus that indicated an
unsuspected payload.  At 1900H UTC (noon, PDT) on Friday, infected
computers would try to connect to a number of servers, download a
program, and run it.

Within that four hour period, F-Secure, possibly with the assistance
of other institutions, was able to contact the ISPs for these
machines, and have them all shut down.  (One remains up.  Presumably
it has been turned into a honeypot, a form of trap for the people who
intended to use it for the attack.)

At this time, we do not know what the intention of the so-called
"Stage 2"  payload was, but the plan shows evidence of very careful
planning, and, given the extreme number of Sobig infections, it could
have been very serious.

http://www.f-secure.com/news/items/news_2003082200.shtml
http://www.f-secure.com/v-descs/sobig_f.shtml

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca      slade () victoria tc ca      rslade () sun soci niu edu
       Madness takes its toll.  Please have exact change ready.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: