[ale] sobig.f, organized crime and blaster

J.M. Taylor jtaylor at onlinea.com
Fri Aug 22 16:56:04 EDT 2003


There are a lot of possibilities for this one.  I can think of dozens of
ways it can go, even from this point. Do we know if it has fallback
behaviour (i.e., can't reach NTP servers, so just go with local system
time? can't reach one of the 20 servers, so run Omega13?)?  I have to
admit, I'm a lot more afraid of the *next* version than this one, but I'm
not convinced we've seen the last of .f yet either.

Re the CNN interview about it being from "organized crime" -- I read that
too and had a very amusing mental image of a Godfather (cue music)
ordering a hit on these 20 hapless machines.

In related news, Microsoft has decided with the Blaster worm that they'll
test out a new integrated patching mechanism.  Now, if it were me, and I
had a history of releasing horrible buggy stuff that did more harm than
good, I don't think I'd release a brand new thing to my customers in the
middle of the worst virus week ever. :)

jenn

>
> I wonder. Could it be that sobig.f was more a probe of the anti-virus
> community's abilities to crack the encryption inside the worm than to
> _actually_ do something with the worm? Knowing now something of the
> speed of response, the authors/perps of this can modify their tactics,
> perhaps giving 20 ip ranges to examine to the next bit of code next
> time.
>
> Just a thought.
>
>
>
> On Fri, 22 Aug 2003, Brian J. Dowd wrote:
>
>> If it's just one master server left available now, then that would
>> mean it, alone, must address a "start"
>> message to all of the known "slaves" which have previously been
>> compromised by SoBig.F.
>>
>> They will probably be told the target IP address and the DOS attack
>> time in a *subsequent* message.
>> It could be a while yet before we know what they were told to do and
>> how many of them can do it.
>>
>> -Brian
>>
>> >Nothing on the news, nothing on F-Secure...it's distressingly quiet
>> >with potentially one 'master server' left running to deliver whatever
>> >it is that sobig wants...
>> >
>> >Anybody heard/seen anything?  I can't believe we're lucky enough for
>> >it to have crapped out at this stage...
>> >
>> >jenn
>> >
>> >
>> >_______________________________________________
>> >Ale mailing list
>> >Ale at ale.org
>> >http://www.ale.org/mailman/listinfo/ale
>> >
>> >
>> >
>>
>>
>>
>
> --
> =============================================
> If you think Education is expensive
> Try Ignorance
>                    Author Unknown
> ============================================
>


