more virus info !!!!


godIZme
08-22-2003, 06:30 AM
Update your Antivirus Definitions, a big bad one out there supposed to hit today at 3pm our time. Here is the alert!!!

A Potentially Massive Internet Attack Starts Today; Sobig.F
2003-08-22 07:38 (New York)

Downloads and Executes a Mysterious Program on
Friday at 19:00 UTC

Business Editors/High-Tech Writers

SAN JOSE, Calif.--(BUSINESS WIRE)--Aug. 22, 2003--F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today.

Windows e-mail worm Sobig.F, which is currently the most widespread worm in the world, has created massive e-mail outages globally since it was found on Tuesday the 18th of August -- four days ago. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. The total number of infected e-mails seen on the Internet since this attack started is close to 100 million.

However, the Sobig.F worm has a surprise attack up its sleeve. All the infected computers are entering a second phase today, on Friday the 22nd of August, 2003. These computers are using atom clocks to synchronize the activation to start exactly at the same time around the world: at 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).

At this moment, the worm starts to connect to machines found in an encrypted list hidden in the virus body. The list contains the addresses of 20 computers located in the USA, Canada and South Korea. "These 20 machines seem to be typical home PCs, connected to the Internet with always-on DSL connections," says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "Most likely the party behind Sobig.F has broken into these computers and they are now being misused to be part of this attack."

The worm connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a web address. Infected machines download a program from this address -- and run it. At this moment it is completely unknown what this mystery program will do.

F-Secure has been able to break into this system and crack the encryption, but currently the web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyse it and come up with countermeasures," says Hypponen. "So apparently their plan is to change the web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."

Right now, nobody knows what this program does. It could do damage, like deleting files or unleashing network attacks. Earlier versions of Sobig have executed similar but simpler routines. With Sobig.E, the worm downloaded a program which removed the virus itself (to hide its tracks), and then started to steal users' network and web passwords. After this the worm installed a hidden email proxy, which has been used by various spammers to send their bulk commercial emails through these machines without the owners of the computers knowing anything about it. Sobig.F might do something similar -- but we won't know until 19:00 UTC today.

"As soon as we were able to crack the encryption used by the worm to hide the list of the 20 machines, we've been trying to close them down," explains Mikko Hypponen. F-Secure has been working with officials, authorities and various CERT organizations to disconnect these machines from the Internet. "Unfortunately, the writers of this virus have been waiting for this move too." These 20 machines are chosen from the networks of different operators, making it quite likely that there won't be enough time to take them all down by 19:00 UTC. Even if just one stays up, it will be enough for the worm.

The advanced techniques used by the worm make it quite obvious it's not written by a typical teenage virus writer. The fact that previous Sobig variants were used by spammers on a large scale adds an element of financial gain. Who's behind all this? "Looks like organized crime to me," comments Mikko Hypponen.

F-Secure is monitoring the Sobig.F developments through the night on Friday the 22nd. Updates will be posted to Sobig.F's virus description at http://www.f-secure.com/v-descs/sobig_f.shtml

About F-Secure

F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company's award-winning products include antivirus, file encryption and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North American headquarters in San Jose, California, as well as offices in Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licensing and distribution agreements, the company's security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia and HP.

SoBig.F Alert

Be on the lookout for the following attachments:

application.pif
details.pif
document_9446.pif
document_all.pif
movie0045.pif
thank_you.pif
your_details.pif
your_document.pif
wicked_scr.scr
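As an added example (not from the post or from F-Secure), here is a small Python mail-attachment check that flags the filenames listed in the alert above and quarantines any other .pif/.scr attachment; the sample messages are constructed inline, and the From: header is deliberately ignored because the worm spoofs it.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names from the Sobig.F alert above; the two executable
# extensions catch renamed variants that are not on the list.
SOBIG_F_ATTACHMENTS = {
    "application.pif", "details.pif", "document_9446.pif",
    "document_all.pif", "movie0045.pif", "thank_you.pif",
    "your_details.pif", "your_document.pif", "wicked_scr.scr",
}
RISKY_EXTENSIONS = (".pif", ".scr")


def attachment_names(raw_message):
    """Return the lower-cased filenames of every attachment in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename().strip().lower()
            for part in msg.walk() if part.get_filename()]


def classify(raw_message):
    """Classify a message by its attachments only; the From: header is
    ignored on purpose because Sobig.F forges the sender address."""
    names = attachment_names(raw_message)
    if any(n in SOBIG_F_ATTACHMENTS for n in names):
        return "sobig_f"       # one of the names listed in the alert
    if any(n.endswith(RISKY_EXTENSIONS) for n in names):
        return "suspicious"    # a .pif/.scr not on the list: quarantine and review
    return "clean"


def build_sample(filename):
    """Build a constructed test message (not a real capture) carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"   # forged, as Sobig.F does (constructed)
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file for details.")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for name in ("your_details.pif", "WICKED_SCR.SCR", "invoice.scr", "notes.txt"):
        print(f"{name:18} -> {classify(build_sample(name))}")
```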