Discussion on:

Fast-spreading SoBig.F may harbor a dangerous Trojan

It looks like a lot of work has resulted in the trojan attack being blunted because some security workers were able to decrypt the addresses of the initial PCs which would trigger the event.

Sophos
(http://www.sophos.com/virusinfo/articles/sobigiplist.html) decrypted the following IP addresses as the targets of the SoBig.F Trojan. Blocking communications from these addresses should limit the spread of the worm which could turn around and bite us again through varients which are already out there.

12.158.102.205
12.232.104.221
24.33.66.38
24.197.143.132
24.202.91.43
24.206.75.137
24.210.182.156
61.38.187.59
63.250.82.87
65.92.80.218
65.92.186.145
65.95.193.138
65.93.81.59
65.177.240.194
66.131.207.81
67.9.241.67
67.73.21.6
68.38.159.161
68.50.208.96
218.147.164.29

Right now it looks as if the trojan may reactivate every friday/saturday between now and September 11 so keep the UDP Port 8998 blocked.

The main problem was that we could see that a major event was about to take place but there was absolutely no way to tell what would happen until it occured because we couldn't see what the Trojan would trigger. Aparently this whole thing may just have been a porno site promotion but the police are definately taking this very seriously.

Certainly SoBig.F itself did cause considerable problems and we are just lucky that the Trojan didn't.

From what I understand of the code, it's certainly possible that something else could have been planned and the Trojan creator decided at the last minute to alter the event.

The hidden nature of this Trojan inside a fast-spreading worm will certainly alter the way security personel will evaluate any future worm's potential danger and not just ignore it if it doesn't appear to carry any obviously dangerous payload.

I see lots of people responsible for the virus problem. Those who open anything, admins that don't patch, virus writers, Microsoft, heck even the press for hyping the event to the satisfaction of those that are seeking acknowledgment of their work.

But I can lay some blame on services like Yahoo. Why can't they scan emails and notify their users that the email contains a virus, and warn them about opening the attachments. I use Yahoo, and so far I received about 45 copies of the thing in less than a week. I've gotten four more copies today alone.

If I remember correctly, doesn't AOL automatically intercept virus-containing emails and attachments? If so, maybe AOL isn't as bad as the AOL bashers claim. Maybe services like Yahoo ought to enhance their service.

And as I think about the comments about chopping off the hands of the virus writers, I realize that would cruel and unusual punishment. The only sexual outlet these guys have are Rosie and her five sisters!

Well I actually only consider the creator as really, morally "responsible" but I see your point.

I too use Yahoo, exactly because they have the very latest virus scans on their e-mails. I figure that a customer that size will get the absolute top service from anti-virus companies and will probably get new signatures first.

They have been warning about sobig.f on every page I've seen for a while now. They offer to scan any files before you download them.

But they do need to let legit messages through.

For non-yahoo users, here's a copy of their warning on the e-mail opening page:
"VIRUS ALERT - W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in certain files on your PC. If you receive a message with an attachment with a .pif or .scr extension, we strongly suggest you scan it before downloading. The message may appear to be from someone you know."

AOL has been criticized for years because of slow e-mail service and missing messages. Since I use the net for business more than for personal things, I prefer yahoo's warn and scan system over AOL's scan and toss; delay; toss without scanning, etc. methods.

I know most people shake at the thought of reformatting, but to make sure it is gone why not?

I belive reformatting the ur computer hard disk is a solution to the problem of virus like the SoBig.F and the Trojan. But this is costly and it involves the loosing a lot of data nad still, who know, that as soon as u install ur operating system and connect to the internet the same virus will get in again? Do u have to reformat every now and then to get ride of the Virus? No, i do not think so, the best way is to clean, block, quaranteen etc. Otherwise u may get into lots trouble and loosing softwares like drivers etc which are difficult to get back. I formatted my computer only to realise that the driver for the network card are not available in diskette, and therefore i have to hunt them online!

Time after time news reports of viruses fail to mention that only computers running Windows * and Outlook * are affected. That the SoBig virus affects systems from NT through Server 2003 is clear evidence that Microsoft's "focus on security" was merely more smoke and mirrors. The bug, and that's what it is, utilized by SoBig has apparently survived unchanged in the Windows NT codebase line for at least five years, and has gone undetected during a year and a half of Microsoft's best efforts to find it.

Macs were not affected and Linux machines were not affected except for having mailboxes jammed with hundreds of copies of virus-bearing emails from people who are still stupid enough to be using Microsoft products.

Wake up! Never in history has any company made so much money selling such massively and consistantly defective products. If Microsoft were held financially liable for the cleanup, bandwidth, and aggravation damages from this virus alone, they would be out of business tomorrow.

Certainly Microsoft needs to work on its code, but the blame lays on those who write the code. If Linux or Mac had as many users out there as MS, then these cyber-terrorists would be finding and exploiting code in those products. They want to do the most damage possible.

How about it all you wanna-be hackers out there... how about using your obvious intelligence to help fight the problem, instead of escalating it?

I have to agree with the first message in this link, Microsoft is the major problem here. Because of the fact that MS doesn't care about security, if they did they wouldn't just keep moving these open ports around like they are and just close them completely. They only want to have access to any MS system out there, they have embeded spyware into IE, Outlook, Media player, and now windows from 2k to xp and with the Active X which allows anyone to create Malicious code that can manipulte any windows system that has IE 4.0 and above on it and utilizes Active X. So if MS were serious about security then the first thing that would go would be Active X and the next thing would be to close ALL OPEN PORTS in thier network protocals.

So in FACT the blame really does lay on Microsoft for thier own choices to keep the systems open so they themselves can access it.

I am by no means a huge fan of Microsoft or how they do business, but you should not be so quick to jump on Microsoft. When you have as large a distribution as Microsoft it is no wonder that your operating system will get attacked the most, and thereby have the most known vulnerabilities. There are still vulnerabilities with Linux machines and Macs, they are just not often exploited or well known.

I totally agree with you, tpoland

While what you are saying is partially true, the fact that Linux and Mac aren't attacted as heavily isn't entirely because they are not as well known. For 1 thing Linux is ontop of any security problem as soon as it is found and send out notices as well as have patches as fast as possible. While Microsoft on the other hand has always denied that the problem exists until it is proven by someone that only has 1 option and that is to show the world that the problem exists.

An example of this is the person in UK had been in contact with MS and informed them of an open vulnerabilty in the OS and MS FLATLY denied that it existed the person then went to the media to let everyone know of the problem and told right there on TV what he was going to do to prove it and even gave the info of how to block the attack so that your system would be safe from the virus then informed the public as to the date he was going to do this on, and when MS was asked about this by the Media MS flatly refused to admit that it existed and the person released his bug and sure enough alot of systems got crashed including MS's own systems then MS tried to cover it AFTER the fact with patches.

Sobig.F has its own SMTP engine, so it does not just affect Microsoft Outlook. It is a self contained executable that does not take advantage of any security vulnerabilities in Microsoft Windows or Outlook. The executable only runs on Windows because it was written and compiled to only run on Windows, not because of a security flaw in Windows.

Microsoft has been making progress at improving its security, but you won't see any of those improvements until people start buying the new software instead of using Windows 95 for 8 to 10 years. No one should expect 8 year old software to remain secure, and even brand new software won't remain secure for even a year without some effort on the user's part. That's true whether you're talking OpenBSD, Linux or Windows.

Windows 2000 was programmed and released about the same time as Red Hat Linux 6.x / 7.0, and we all know how secure that is if you don't do squat to secure it. If all those home users were running Linux right now, you'd have the exact same security problems. Dumping Microsoft won't help.

One quick example: those of us who upgraded our
operating systems when M/S released new versions of
Windows frequently lost use of many of our scanners,
printers and other peripherals for weeks -- sometimes
months - while waiting for upgraded drivers. Go through
that a few times, and you are pretty tempted to stick with a
stable system that does what you need without a lot of
fuss.

You state that:
"...but you won't see any of those improvements until people start buying the new software instead of using Windows 95 for 8 to 10 years..."

However Microsoft says:
"Your computer is not vulnerable ...If you are using Microsoft Windows 95, Windows 98, Windows 98 Second Edition (SE), or Windows Millennium (Windows Me)."

It sounds like the old stuff is less vulnerable than their 'new and improved' products.

As much as I dislike MS's tactics and alleged quality, their newer stuff really is generally more secure than their older stuff. It's just that, when making a virus, the author has to decide which OSes to target, and it's so much more fun for them to target the newest ones, even if it can be more work.

Also, we aren't finding new vulnerabilities in the older ones,m so if they want to have bragging rights to having exploited a newly-found bug before MS could patch it, again, they prefer to write to the newer ones.

Truth is, there are plenty of security-related bugs in Linux, too; it's just that the virus writers generally have more fun writing to Win 2000, so there have been very few Linux viruses.

That said, right now, is it safer to have an old (16-bit) than a new (32-bit) version of Windoze? Possibly. For sure, it'll run a lot faster unless you have a LOT of RAM. I'm upgrading my wife's old Win95 box only to Win98 for this reason, myself. Plus, you can get (a legal copy of) Win98 very cheap.

"No one should expect 8 year old software to remain secure, and even brand new software won't remain secure for even a year without some effort on the user's part. That's true whether you're talking OpenBSD, Linux or Windows."
I would agree with that only if Microsoft wouldnt use the same core over and over and over again to build the next Microsoft creation. The same security flaws keep showing up from version to version. Also, What ever happened to testing your product before it leaves your house? A quick rush to beat the competition has made for holie, buggie software.
Why do people keep using the same old package for years...it goes with the old adage "if it aint broke dont fix it". Also in a declining time of profit and rampant layoffs, I doubt anyone has the money or resources to replace operating systems or equipment. Companies cannot afford to just replace everytime Microsoft desides to come down the mountain with "the new Secure Package". Hell, their latest and greatest is talking seriously about major equipment changes. Not good for todays market.
I hear a lot of bashing about Linux but, what is better a select group of programmers under the wing of one lord, or Millions of people looking at your code for free. Linux has that community that has people who thrive on finding holes and reporting them and sometimes even submitting fixes for them. I have been a programmer and stared at code for hrs and had a friend look over my shoulder and say "thats wrong". There could be many mistakes in windows that they are just used to looking at, maby their told to ignore them, who knows? I know Linux is banging on the castle door..... and the door is starting to fall.

The blame is with the criminal who willfullly creates and/or distributes a virus, worm, Trojan or any other code to attack an individual's or organization's computer(s). It seems to me you are saying it's okay for criminals to attack a person's computer just because the software they are using has a vulnerability. I hope this is not your argument. I do believe Microsoft is making an effort to fix code issues. Just because some systems are not being attacked does not mean the software is secure or perfect.

I agree that just because there is an open port, people have to get malicious and exploitive by destroying what others have built. People like this are on the same list as spray-painting taggers.

Just because I don't lock every "Window" in my house doesn't mean I'm inviting burglars.

Well now if you check with your insurance carrier they will tell you different the fact that you leave your windows or door unlocked they will tell you that you are invite burgelers to break in and steal from you and will increase your rates if they find that you don't lock your car doors or house.

I'm an old man by the standards of today's computer types. I grew up in a time when you went to bed at night in any city in this country with your doors unlocked and your windows open. No one tried to break in and steal anything.

Today things are different. If you can find a way into something that does not belong to you, exploit it to the fullest, then blame the guy who left the door open! What a load of crap!

Just because a thing can be done is not good reason to do it, especially when it harms millions of peopole!

These degererates who write and release programs that actively seek and destroy innocent people's computers need to be hunted down and removed in the same way that we are forced to destroy their work from our machines. A seek and destroy mission needs to be launched against these butt heads in the real world... not just in cyber space!

I am getting sick and tired off chasing viruses etc. These hackers need to get out of the house more often and get a life. I would have no problem hacking off a hacker's hand to teach them a valuable lesson.

I had all the patches in place, not a single incident of the big bad SobigF on my network or any other the 150 clients.

These malcontents just need to get laid.

My biggest complaint with Microsoft and Bill Gates is that they long ago should have used some of thier profits to establish a Flying Squad, some Furies if you will, to find the virus writers, drag them kicking and screaming out of their parent's basements and lopping off BOTH hands above the wrists in front of the worldwide press corps.

Might have taken a few dozen sets of hands to get the point across, but I bet the problem would have died down quickly.

Jail hasn't worked, logic hasn't worked. For some reason these vandals seem to feel that (a) every time the let loose a virus/trojan horse/yadda some of Bill Gates wealth will mysteriously appear in thier bank account; and, (b) those of us who have a job to do in IT have nothing better to do that to watch them try.

They are terrorists pure and simple. Elimimate them.

I'd love to see the 'War on Terror' go after some of these hackers and virus writers.

Imagine the surprise on their faces when a real life Ghost Recon Multi-Player session kicks in their door and gives them an MP5 double tap to the chest!

I'd pay to see that. Little bastards.

It's fine to blame Microsoft for the software bugs in their baseline code, but they DO issue service packs, security patches, and updates that close those holes. As a developer, I can tell you that getting things perfect the first time, especially with software as complex as an entire OS is not likely to ever happen. That is what those updates (especially those critical ones)are meant to resolve.
I think it's time that we focus on the masses of uninformed, naive users out there who just do not bother keeping up with the updates. (And yes, this includes the system administrators of some pretty large corporations who should know better!)
I wonder if people who blame Microsoft for the problem with viruses, worms, and trojans also blame the manufacturers of doors and windows when homes get broken into?
The fact is, users are ultimately responsible for securing their own systems. Just about every major virus that has recently circulated has expoited a vulnerability whose patch had been available well in advance of the actual exploit.
I say, as IT professionals, it is part of our job to get the word out to the masses . . . Hey, patch your systems!

I have been receiving mail for the last week or so, with copies of the virus. I have had my email address spoofed by sobig. I have three machines we use on a daily basis. None of them were patched at the time with every latest patch. They still aren't. They are running Windows 2K, NT and ME. None are infected. Why, because I was not stupid enough to open an attachment just because the email says to do so. Starting with the I Love You virus, if people still have not learned to look before they leap, who is at fault?

To be fair, I do not use MS Outlook for my mail. I paid for and installed a different e-mail program, even though Outlook was installed on my machine by default.

Why blame ourselves when we can blame the big evil Microsoft monster? We can really feel that halo on our head then!

Now let me chant:
I will not start a war over Unix vs Windows.
I will not start a war over Unix vs Windows.
I will not start a war over Unix vs Windows.
I will not start a war over Unix vs Windows.

I have to agree that part of the responsibility does of course lie in that of the end user. However, in the case of MS they are to blame in part as well. There have been many examples of MS intentionally not fixing security issues and when someone brings them to the light they are all up in arms. I believe that it is the responsibility of the developers to fix the code as soon as they find/hear of a security issue and it is the responsibility of the end user to apply that fix. Howevet, in some end users defense, especially home users, when you have a slow dialup connection and the patch to fix your computer takes you half a day it's an annoyance and some other solution should be provided. Being able to easily download patches without MS stupid WindowsUpdate would be appreaciated as well as the large onse being slip up into smaller pieces. It has been especially hard for me as a SysAdmin for small rural business to take care of patching my system due to the best connection we can get is 26Kbps. Fortunately we have a firewall in place that has helped protect us and I keep our virus software up to date.

We can blaming virus writers (not hackers) for the reason of intentional damage of course. Let's not be going and blaming hackers. Some virus writers do take the part of exposing security flaws without actually inflicting harm, a slow down of networks I hardly consider harm only an annoyance. Most virus writers do howver intend on destroying data or cause damage in other ways. This is obviously unacceptable. Now let's keep in mind that it is the hackers that help us to find the security flaws. If you are working at MS and try to break your own code you are taking the part of the hacker. Hackers are really:

"A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary."

"One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations."

Please let's look at the whole picture on this issue and not fling generalizations around.

Take a spare unit, load it with whatever windows OS you want updates for, go to windows update, scan for updates, select updates, install updates. While updates are downloading, create a folder called updates. Within that folder, create folders called updatex [(where x is a number starting at 1 and going to 6, or however many are necessary) so you can tell the order in which updates need be applied]. Make sure the system is set to show hidden and system files. Open the WUTemp folder (usually on root). As soon as the downloads complete, copy all files from WUTemp to the folder in "Updates" that correlates to the windows update attempt you are doing. When all updates have been complete, burn them to a CD. Use the qchain utility (http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=a85c9cfa-e84c-4723-9c28-f66859060f5d) to run all hotfixes in one folder.

gap

Let's not forget to add in the "clickers" who will open anything received in their e-mail, or that they see on a web site, whether or not they know it is from a safe source. A lot of worms and viruses are spread this way and stopped just by checking first whether you should click or not.

I totally agree. I have neighbors who are on the web constantly. They never install security patches, and some of them don't even have virus protection on their computers!

While I do agree that the uninformed out there need to do the updates to thier OS that is not going to resovle the vulnerability issues, to prove the point!

take a system that has no updates to it go to gcr.com and run shields up note the open ports on the unpatched system, do the updated patches and what not, now go out to gcr.com and run shieldsup again, gee the ports that were open before are now closed! but other ports are now open that were closed before....

So the only real conclusions is, that Microsoft IS THE ONE TO BLAME because they ARE NOT closing the ports but just moving them.

Ahhhh, The endless drone of mindless MS bashers. I would be the first to admit that there are vulnerabilities in MS products, but only a fool says that MAC, Linux, and Novell have none. The thing is, there are so many people that hate Microsoft, and the fact that MS OS's are the most widely used, therefore the most effort in finding vulnerabilities is directed at these products. Anyone with half a brain would realize that the reason that MAC and Linux were not affected is because the worm was designed to attack Microsoft OS's. Any coder worth his own weight in penguins could write hundreds of worms that attack Linux machines. So go back to your MAC and put down the crack pipe.

What utter childish nonsense. More blame the victim stupidity. Why not come knock down my front door with a sledgehammer and then blame the construction company because it the door was not made out of cast iron. When will this idiotic Microsoft bashing stop and we start putting the blame on the malicious criminals and spoiled techno freaks who think it's OK to vandalize other people's property and steal their time and resources because their security is not perfect or because some obscure bug makes it possible. It would be nice to live in a perfect world, but we don't.

Would you...
1) Not wear an overcoat in below-zero weather?
2) Leave your car unlocked on a Harlem street?
3) Drop a lit cigarette in a dry forest?

... Most likely not, because these activities INVITE trouble.

If that's the case, they why would you...
1) Open any e-mail attachment which you did not specifically request and which contains any file with the extension .EXE, .SCR, .PIF, .COM, or .BAT?
2) Continue to use Microsoft Outlook as your e-mail client software?
3) Operate any computer without a hardware or software firewall?

It's USERS, in conjunction with the software companies and service providers, who are responsible for taking BASIC precautions to prevent the infection and spread of malicious code. If you're not willing to go through some basic education and take some basic precautions, you don't deserve to be a member of the online community.

My company's IT policy includes specific user responsibilities, education goals, AND CONSEQUENCES for violators. Our virus problems are virtually non-existent, even in the rare cases when we haven't immediately installed OS security patches.

Eliminate irresponsible users, and you instantly reduce the effectiveness of the virus writers. Bring their success rate closer to zero, and their reward goes away.

The problem is still that Microsoft is treating security as a feature not as the default setting.
When a user buys a new computer or installs a new ver of Windows (you can not expect the ave user who does not know how to set his/her vcr clock to do this:
1) Firewalls should be on by default
2) Critical Updates should be automatically downloaded by default, however, Microsoft has to really distinguish between a real critical sercurity update or the latest ver of Media Player.
3) Windows needs to be less buggy and/or filled with holes that hackers can exploit. For example, scan all code for buffer overflow errors before compiling it, this goes for apps developers too.

I don't really care to have Microsoft's updates automatically downloaded. I've applied many of these updates, and seen too many computers blue screen after applying a "critical" update. Sometimes the update can make the situation "critical".

I prefer to test updates first.

MP

Microsoft bashing will stop when Microsoft finally figures out why you have to reboot microsoft servers every week because of memory loss. Also, it will stop when Word stops locking up soon as I click save....

It is the fixes which blind us from the truth that their is no security.....

knock knock neo!
big brother wants your hard drive.

This is so typical of you to point fingers at the giant. If everyone ran linux then all these viruses would be written as such. The problem isnt MS or Outlook, its untrained users (admins problem) and bad security. I manage/oversee over 180 companies, and only 1 company who failed to notify us they had roaming laptops added to the network brought in the infection. On top of that only those computers were infeceted because our firewalls were locked down both in AND out to allow required traffic.

If you want to know how secure your network and data is, then start with the administrators and implementation of security. Then user training, then blame the software.

If everyone ran linux the virus would be written for it because it would yield the best results. Plain and simple.

Oh yah, and for the record if you check the bugtraq info for last year there was actually more security holes/patches created for linux and open source then for Microsoft..

just my viewpoint anyway...

You are absolutley right about Linux having more security patches and updates, and the reason is! They take action as soon as they can on security issues, unlike Microsoft which only takes action when forced to.

Microsoft is a popular OS with the largest marketshare, of course most viruses and worms are going to target it. But don't think Linux or Macs are immune to viruses - if its a publically available OS, someone somewhere's gonna write a virus against it. I see 1600+ hits for linux viruses at Symantec. And DOS viruses can attack a Mac. Not to mention all the Mac viruses....

For years Billy used to publicly chastize others who said that security must be built into an operating system from the ground up and it is impossible to use tack-ons to resolve security issues. Now, Billy has lost billions of dollars in contracts to government and some corporate entities that know that security and reliability are an important issues.

I find it laughable that Microsoft has the nerve to say it has 99.999% reliable systems when I have never seen any of there products even reach 99.9%. Many of the bugs in XP are carryovers from Win 95, which tells me there is no priority at Microsoft in getting bugs fixed, contrary to what Billy keeps saying.

While 100% bug-free software would be ideal, we live in a world where idiots with nothing to do except destroy spend their time thinking up stupid ways to prove how 'clever' they are. If Apple or Linux were as popular as Windows then they would be attacked instead - but they are so insignificant that virus-idiots don't bother to exploit their faults. All computer users is just as responsible as Microsoft to ensure their computers are safe - by using firewalls and up-to-date anti-virus software, just as car users should ensure their cares are in as near perfect condition as possible, and wear their air-bags. Stop blaming MS, and blame the pea-brains who demonstrate their mental inadequacies by issuing pointless viruses, intent only on destruction. if you know who is responsible, report them. if you don't, don't justify or praise their actions. They deserve help, not encouragement.

Sherlock, don't forget that because MS has the majority rule of the market that most of these viruses were written for Windows. You do have a point though, e.g. the blaster virus, but then that was also written for windows wasn't it.

Yes, there are vulnerabilities in Microsoft Products. The fact is, however, that when you create the amount of database that is involved in a Microsoft product something is bound to be missed. The blame should be placed squarely where it belongs, on the people who have nothing better to do with their lives than disrupt the lives of others. There are many elderly men and women in this country who only know how to use Microsoft because it's easily understood. Many of them are shut-ins, and their only contct with family and friends is through email. They have had their lives disrupted, and since they're on fixed incomes they will never be able to restore their computers. I am 55. I remember when Microsoft gave away Windows for free. I remember when the big boys laughed at Bill Gates.

Yes, Microsoft needs to stop pushing changes so rapidly so their operating systems can be tested further for vulnerabilities, but they aren't to blame.

Virus and trojan writers are!

I do apologize if I seem elementary in my perceptions of the sobig virus and the apparent trojan that piggybacks within as additional payload...

I was and still under the presumption that the virus and related problems, come in an email as an attachment.

One must open the attachment to spawn the virus correct?

If indeed this *is* still the case, it is sutpidity (more lightly) ignorance that is the cause of this latest irritation. Not MS, not even the compiler of the virus itself.

The gun doesn't shoot unless there is a finger on the trigger right?

I am sorry, but any dialogue about this, considering that some fool has to open an attachment, after years and years of continued warnings against such folly, leaves me only to feel someone deserves the agony.

With updated anti-virus, a good firewall program
(AVG/Zonealarm for example) none of this is a problem.

My system caught over 75 instances of sobig on Sunday alone...

Just cause it knocks on the door does not obligate you to answer.

I can't believe this. If I'm missing something here, again, my sincere apoligies and I await enlightenment.

rgds,

TLM Web