New Phase of Sobig.F Set for Fridays

The Sobig.f worm that continues to bedevil computer networks around the globe is poised to unleash a new phase of its havoc between 3:00 PM and 6:00 PM Eastern Standard Time on Friday, security experts warned, even though they may have already blunted its intended effect.

Security firm F-Secure Corporation warned on Friday that the Windows
e-mail worm Sobig.f, already dubbed the most widespread worm in the world
since it began clogging and infecting global computer networks on Tuesday, is planning a new phase of
attack to hit on Fridays and Sundays until it is programmed to expire on Sept. 10th.

The worm infected close to one million computers via e-mail attachments
in e-mails with spoofed addresses (including a spoofed address owned by the
parent company of this publication), experts said. Now, those infected
computers are programmed to start to connect to machines found on an
encrypted list hidden in the virus body. F-Secure said the list contains the
address of 20 computers located in United States, Canada and South Korea and
is expected to start at 3:00 EST Friday.

Once the worm infected a machine, it was then programmed to go to one of those 20 Web sites to pull down code to drop it into the infected machine, said Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus company based in Lynfield, Mass. But he said those 20 machines are believed to be offline.

“These 20 machines seem to be typical home PCs, connected to the Internet
with always-on DSL connections,” said Mikko Hypponen, director of anti-virus
research at F-Secure.

“Most likely the party behind Sobig.f has broken into these computers and
they are now being misused to be part of this attack.”

F-Secure and other experts said the worm connects to one of these 20
servers and authenticates itself with a secret 8-byte code. The servers
respond with a Web address, they said. Infected machines download a program
from this address — and run it. At this moment experts say they are not
sure what the program will do.

F-Secure said it has been able to break into this system and crack the
encryption, but currently the Web address sent by the servers doesn’t go
anywhere.

“The developers of the virus know that we could download the program
beforehand, analyze it and come up with countermeasures,” said Hypponen. “So
apparently their plan is to change the Web address to point to the correct
address or addresses just seconds before the deadline. By the time we get a
copy of the file, the infected computers have already downloaded and run
it.”

The Sobig worms come with a three-stage attack, added Ken Dunham,
malicious code intelligence manager with Reston, Va.-based iDefense, Inc.
The e-mail worm is the first stage, installing a backdoor Trojan is the
second stage and then installing a proxy server is the last stage.

“The backdoor is designed to let the attacker steal information,” said
Dunham. “He could steal password data or the worm could activate a key
logger whenever you’re doing online banking.”

Dunham said if the 20 IPs used in the attack are available and manipulated by the attacker, the attacker can install malicious code of choice on SoBig infected computers connecting to the downloader IP. The code may be anything but has traditionally been a backdoor Trojan (Lala/Hooker) and then a copy of Wingate (proxy server).

“Blocking outbound UDP 8998 activity will successfully block SoBig communications with remote servers hard coded into the code of the worm used for updating itself/installing new code. Additionally, blocking against the NTP server ports may prevent the worm from meeting certain date and time conditions for the secondary and tertiary attacks. Block port 123 and UDP ports 995-999,” Dunham explained.

He also suggested that IT administrators block against the Wingate proxy server if found on a computer so that spam cannot be sent through a formerly infected or currently infected computer.

Since it was discovered this week, the Sobig.f variant of the Sobig worm has been called the fastest-spreading worm ever discovered on the Internet, according to numerous online security firms.

F-Secure also said it has been working with officials, authorities and
various CERT organizations to disconnect the specific machines from the
Internet. “Unfortunately, the writers of this virus have been waiting for
this move too,” said F-Secure’s Hypponen. These 20 machines are chosen from
the networks of different operators, making it quite likely that there won’t be enough time to take them all down by 3:00 EST (19:00 UTC). Even if just one stays up, it will be
enough for the worm, F-Secure said.

F-Secure said the techniques used by the worm make it quite obvious it’s not written by a typical teenage virus writer. “Who’s behind all this? “Looks like organized crime to me,” said Hypponen.

News Around the Web