Sobig-F Trojan fails to make an impact

By Shawna McAlearney, Online Editor, Information Security magazine 22 Aug 2003 | Information Security magazine

Digg This!     StumbleUpon     Del.icio.us

A predicted massive Internet attack by Trojan code in Sobig-F failed to materialize Friday, and antivirus experts are now saying the virus' activity should begin tapering off.

Sobig-F was scheduled to download an unknown application every Friday and Sunday from Aug. 22 through Sept. 10, between 3 p.m. and 6 p.m. EDT. Virus-infected machines attempted to contact one of 20 remote servers, authenticate and then receive a URL to download and run an application. Santa Clara, Calif.-based Network Associates, Inc. says that those servers didn't respond.

NAI says 15 of the remote servers were disabled by their ISPs; five are unavailable for unknown reasons. "This prevented Sobig-F from spreading as anticipated," says Craig Schmugar, a virus research engineer at NAI. "We expect the same results going forward."

Symantec believes the virus has the ability to update the master list of servers during the payload launch time.

Infected machines are programmed to check for a new list of servers to contact, but Kevin Haley, group product manager at Symantec Security Response says, "If the servers aren't up, it can't happen. I would expect none of the servers will be available Sunday -- we expect that the threat has really passed."

Sobig-F is programmed to stop spreading Sept. 10; the next variant is expected on or near Sept. 11. "Sobig's creator has developed a predictable pattern of releasing new variants soon after the current version deactivates itself," says Steven Sundermeier, vice president of products and services at Central Command, based in Medina, Ohio. "If the past repeats itself, we could be looking at a newly constructed creation shortly after Sept. 10."

Some antivirus experts were speculating that the Sobig-F writer would use infected machines -- also known as zombies -- to launch a distributed denial-of-service attack.

"The code downloaded by Sobig-F could do anything that is possible through a program," says Graham Cluley, senior antivirus technologist at Sophos. "So, it could range from wiping out files, to stealing information or displaying a jpeg of Bill Gates without any trousers on."

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "Sobig-F ready to download mystery program

Virus Alert: Sobig-F and Nachi

SearchSecurity.com news exclusive: "Sobig-F reaching epidemic proportions

Tags: Industry,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Industry Breach forces payroll service provider PayChoice to shut down again SSH key compromise shuts down Apache website Twitter, Facebook hit by denial-of-service attacks Is a partnership certification worth the money? Part III -- security Experts weigh in on spyware's defining moment Presentation: Employee monitoring -- Balancing best practices and privacy Presentation: Security budgets -- Getting what you need Presentation: Understanding business requirements -- A blueprint for digital security Presentation: Staffing security positions -- How to choose the right personnel Organized fraud: Internet hackers conduct coordinated hacking attempts

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary