All the experts were totally faked out. While everyone was concentrating on getting the "magic 20" machines shut down, no one realized that different copies of Sobig.f had different lists of servers to contact.
We put a block of UDP port 8998 on our firewall this morning. We had 3 previously undetected infected machines on our network, each of which tried to contact a different list of 20 machines. One of the lists corresponds to the one that Sophos and others have published. The other two lists have no addresses in common with the published list, or with each other. I wonder how many different sets of servers there were, how many different variants of Sobig.f there were, and how many infected machines now have some additional trojan, worm, or DDoS code waiting for a command to do something.

Jerry

-----Original Message-----
From: Jamie L Thompson [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 22, 2003 3:17 PM
To: Florian Weimer
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Sobig has a surprise...

Sophos has the list of IPs posted.

Florian Weimer <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/22/2003 03:19 PM

To: Steve Postma <[EMAIL PROTECTED]>
cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: Re: [Full-Disclosure] Sobig has a surprise...

Steve Postma <[EMAIL PROTECTED]> cites:

> However, the Sobig.F worm has a surprise attack in its sleeve."

From the web site:

| "As soon as we were able to crack the encryption used by the worm to
| hide the list of the 20 machines, we've been trying to close them
| down", explains Mikko Hypponen.

18 of 20 addresses were known to the AV community since Tuesday. I don't know what F-Secure is doing here. Why don't they publish the list of IP addresses so that people can put filters on their networks? *sigh*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
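The check Jerry describes (block outbound UDP/8998 at the firewall, then see which internal hosts tried to reach which servers and whether their lists match the published one), written out as an added example that is not part of this thread. The log line format, the internal addresses and the stand-in "published" list are all constructed for the example; a real deployment would parse its own firewall's deny format and load the vendor-published list.

```python
import re
from collections import defaultdict

# Constructed firewall deny lines (hypothetical format, RFC 5737 test addresses).
SAMPLE_LOG = """\
Aug 22 09:01:02 fw DENY udp 10.1.5.20:1029 -> 198.51.100.10:8998
Aug 22 09:01:02 fw DENY udp 10.1.5.20:1029 -> 198.51.100.11:8998
Aug 22 09:01:03 fw DENY udp 10.1.5.20:1030 -> 203.0.113.7:8998
Aug 22 09:02:10 fw DENY udp 10.1.7.44:1031 -> 203.0.113.50:8998
Aug 22 09:02:10 fw DENY udp 10.1.7.44:1031 -> 203.0.113.51:8998
Aug 22 09:03:00 fw DENY tcp 10.1.7.44:1032 -> 198.51.100.10:80
"""

# Constructed stand-in for the published list of 20 Sobig.F servers.
PUBLISHED = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}

# Only blocked UDP datagrams to port 8998 are of interest.
LINE_RE = re.compile(
    r"DENY udp (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):8998\b"
)


def contacts_by_host(log_text):
    """Map each internal source IP to the set of UDP/8998 destinations it tried."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hosts[m.group("src")].add(m.group("dst"))
    return dict(hosts)


def classify(hosts, published):
    """For each host: (count of destinations on the published list,
    sorted destinations that are not on it)."""
    return {src: (len(dsts & published), sorted(dsts - published))
            for src, dsts in hosts.items()}


def unpublished_lists(hosts, published):
    """Distinct destination sets with no overlap with the published list,
    i.e. candidate server lists that nobody has filtered yet."""
    return {frozenset(dsts) for dsts in hosts.values() if not dsts & published}


if __name__ == "__main__":
    found = contacts_by_host(SAMPLE_LOG)
    for src, (known, unknown) in classify(found, PUBLISHED).items():
        print(f"{src}: {known} published, unpublished: {unknown}")
    print("unpublished lists:", len(unpublished_lists(found, PUBLISHED)))
```

A host whose destination set has zero overlap with the published list is the case Jerry reports: a variant carrying a server list that the published filters do not cover.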
