Information Security News mailing list archives
Update on Sobig stage 2
From: InfoSec News <isn () c4i org>
Date: Mon, 25 Aug 2003 02:37:58 -0500 (CDT)
Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

About 4 hours before it was due to trigger, F-Secure found an encrypted section of code in the Sobig virus that indicated an unsuspected payload. At 1900H UTC (noon, PDT) on Friday, infected computers would try to connect to a number of servers, download a program, and run it. Within that four hour period, F-Secure, possibly with the assistance of other institutions, was able to contact the ISPs for these machines, and have them all shut down. (One remains up. Presumably it has been turned into a honeypot, a form of trap for the people who intended to use it for the attack.)

At this time, we do not know what the intention of the so-called "Stage 2" payload was, but the plan shows evidence of very careful planning, and, given the extreme number of Sobig infections, it could have been very serious.

http://www.f-secure.com/news/items/news_2003082200.shtml
http://www.f-secure.com/v-descs/sobig_f.shtml

======================
(quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca   slade () victoria tc ca   rslade () sun soci niu edu
Madness takes its toll. Please have exact change ready.
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
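The behaviour described above (infected hosts all reaching out to a fixed set of download servers at a scheduled instant) is the kind of thing a network defender can look for in perimeter logs, even when the second-stage program itself is never obtained. The following is an added example, not part of the original post or of F-Secure's analysis: it scans constructed firewall log lines for internal hosts that contacted any address on a server list inside a watch window opening at the stated trigger time, 1900 UTC on Friday 22 August 2003. The server addresses, the log format, the destination ports and the three-hour window length are all assumptions made for the example; the post names none of them.

```python
from datetime import datetime, timedelta, timezone

# Trigger instant given in the post: 1900 UTC on Friday 22 Aug 2003 (noon PDT).
TRIGGER_UTC = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)
# Length of the watch window is an assumption; the post does not state one.
WINDOW = timedelta(hours=3)

# Placeholder addresses standing in for the stage-2 download servers. The post
# does not list them, so these documentation-range IPs are constructed for the example.
STAGE2_SERVERS = {"198.51.100.10", "198.51.100.11", "203.0.113.7"}

# Constructed firewall log lines (not real data): "timestamp src dst dport action".
SAMPLE_LOG = """\
2003-08-22T18:59:02Z 10.0.0.5 192.0.2.80 80 ALLOW
2003-08-22T19:00:04Z 10.0.0.5 198.51.100.10 4444 ALLOW
2003-08-22T19:00:06Z 10.0.0.9 203.0.113.7 4444 DENY
2003-08-22T19:02:41Z 10.0.0.12 198.51.100.11 4444 ALLOW
2003-08-22T23:30:00Z 10.0.0.5 198.51.100.10 4444 ALLOW
2003-08-22T19:10:00Z 10.0.0.7 192.0.2.80 443 ALLOW
"""


def parse_line(line):
    """Split one log line into a dict with a timezone-aware UTC timestamp."""
    ts, src, dst, dport, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_stage2_callbacks(log_text, servers=STAGE2_SERVERS, start=TRIGGER_UTC, window=WINDOW):
    """Return internal hosts that contacted a listed server inside [start, start + window).

    The result maps source IP -> sorted list of (timestamp, destination, action).
    Denied connections are reported too: a host that attempted the fetch is
    infected whether or not the firewall let the download through.
    """
    hits = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["dst"] not in servers:
            continue
        if not (start <= ev["when"] < start + window):
            continue
        hits.setdefault(ev["src"], []).append(
            (ev["when"].isoformat(), ev["dst"], ev["action"])
        )
    return {src: sorted(events) for src, events in hits.items()}


if __name__ == "__main__":
    for host, events in find_stage2_callbacks(SAMPLE_LOG).items():
        print(host, events)
```

Running it on the constructed sample flags three internal hosts; the 23:30 connection from 10.0.0.5 is ignored because it falls outside the window, and the DENY from 10.0.0.9 is still reported, since the attempt alone marks the host as infected. Matching on the destination list plus the time window is what keeps this usable in practice: the same addresses seen at other times, or other traffic in the window, would otherwise drown the signal.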