> All the experts were totally faked out. While everyone was
> concentrating on getting the "magic 20" machines shut down,
> no one realized that different copies of Sobig.f had
> different lists of servers to contact.
>
> We put a block of udp port 8998 on our firewall this morning.
> We had 3 previously undetected infected machines on our
> network, each of which tried to contact a different list of
> 20 machines. One of the lists corresponds to the one that
> Sophos and others have published. The other two lists have no
> addresses in common with the published list, or with each other.

Care to publish those IPs?

> I wonder how many different sets of servers there were, how
> many different variants of Sobig.f there were, and how many
> infected machines now have some additional trojan, worm, or
> ddos code waiting for a command to do something.

<insert theme from "jeopardy">

-d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
