[ale] sobig.f -- anything yet??

tfreeman at intel.digichem.net tfreeman at intel.digichem.net
Fri Aug 22 16:21:05 EDT 2003



I wonder. Could it be that sobig.f was more a probe of the anti-virus 
community's abilities to crack the encryption inside the worm than to 
_actually_ do something with the worm? Knowing now something of the speed 
of response, the authors/perps of this can modify their tactics, perhaps 
giving 20 IP ranges to examine to the next bit of code next time.

Just a thought.



On Fri, 22 Aug 2003, Brian J. Dowd wrote:

> If it's just one master server left available now, then that would mean 
> it, alone, must address a "start"
> message to all of the known "slaves" which have previously been 
> compromised by SoBig.F.
> 
> They will probably be told the target IP address and the DOS attack time 
> in a *subsequent* message.
> It could be a while yet before we know what they were told to do and how 
> many of them can do it.
> 
> -Brian
> 
> >Nothing on the news, nothing on F-Secure...it's distressingly quiet with
> >potentially one 'master server' left running to deliver whatever it is
> >that sobig wants...
> >
> >Anybody heard/seen anything?  I can't believe we're lucky enough for it to
> >have crapped out at this stage...
> >
> >jenn
> >
> >
> >_______________________________________________
> >Ale mailing list
> >Ale at ale.org
> >http://www.ale.org/mailman/listinfo/ale
> >
> >  
> >

-- 
=============================================
If you think Education is expensive
Try Ignorance
                   Author Unknown
============================================
