GAMBIA-L Archives

The Gambia and Related Issues Mailing List

GAMBIA-L@LISTSERV.ICORS.ORG

Subject:
From:
Musa Amadu Pembo <[log in to unmask]>
Reply To:
Date:
Tue, 26 Aug 2003 08:54:43 +0100
Content-Type:
text/plain
Parts/Attachments:
text/plain (114 lines)
Fast-spreading SoBig.F may harbor a dangerous Trojan
August 22, 2003 | John McCormick |


The SoBig.F worm has continued to pound organizations,
ISPs, and individual users to the point that numerous
parties in IT are now calling it the fastest-spreading
virus ever. Now it also appears that the virus and its
variants may be carrying a dangerous hidden Trojan.

The Trojan
According to antivirus companies Sophos and F-Secure, on
Friday, Aug. 22, 2003, beginning precisely at 19:00:00 UTC
(3:00 P.M. Eastern Daylight Time), a Trojan planted by
SoBig.F is scheduled to activate and do something—except
nobody knows just what.

A Central Command Press Release, which appears to be the
first to disclose the hidden encrypted code planted by
SoBig.F, gives the same time, but sets the activation date
as September 10-11. Of course, that doesn't necessarily
mean that Central Command is incorrect; there may be
multiple variants of the Trojan.

F-Secure reports its analysis of the code provides some
server addresses that don't lead to anything right now, and
speculates that the server addresses will be forwarded to
some other address just seconds before the Trojan activates
in order to prevent antivirus analysts from reading the
program and working out countermeasures in advance.

F-Secure is also providing some additional details, such as
the fact that SoBig.F appears to have infected nearly 100
million systems in just over four days and, when the Trojan
activates, it will launch itself from 20 ordinary
systems—many of them home computers on cable modems—located
in the U.S., Canada, and Korea. For now, it isn't known
whether the Trojan will try to co-opt other systems already
compromised by SoBig.F or will launch some entirely
different sort of attack.

Although the eventual attack may not be of a serious
nature, this is a highly sophisticated attack, even using
atomic clocks to synchronize the activation of the Trojan,
and chances are good that this is a potentially serious
event. At worst, it could involve some form of
cyberterrorism. Attempts to reach the FBI cybersecurity
division were unsuccessful.

Cleaning up SoBig.F
Although removing SoBig.F from an infected system (unless
it is one of the 20 selected targets) may not have any
effect on slowing this attack, you should still be diligent
in getting it cleaned up—if only because other Trojan
variants may be programmed to do other things on a local
system.

At the very least, block UDP port 8998 on your firewalls
and your systems. That should mitigate damages somewhat by
blocking the worm from downloading any further malicious
code.

The best way to determine if you are infected is to scan
your system(s) with one of the many antivirus programs
(updated with the latest virus signatures), such as the one
from Sophos. Also, Sophos reports that SoBig.F uses the
filename winppr32.exe, and that it copies itself to the
Windows folder, making one of the registry entries shown
here in the process. Because SoBig.F has its own SMTP
engine, collects e-mail addresses from various files on an
infected computer, and then forges the sender's e-mail, it
is very difficult to determine who is infected based on an
infected message.
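The two indicators the article gives an administrator to work with are the worm's use of UDP port 8998 to fetch further code and its copy of itself as winppr32.exe in the Windows folder. The following is an added example, not code from the article or from any of the antivirus vendors it cites, showing how a defender can turn those two indicators into checks: one pass over perimeter firewall logs to list internal hosts attempting UDP 8998 (the systems most likely infected, and the ones to clean first), and one pass over a host's file inventory for the worm's filename. The log format is a simplified iptables-style line and both the log lines and the file list are constructed samples; the registry entries the article refers to are not reproduced here because the page does not give them.

```python
"""
Added defender-side checks built from the SoBig.F indicators in the article
(UDP/8998 for downloads, winppr32.exe dropped in the Windows folder).
Log lines and the host file inventory below are constructed samples.
"""
import re
from collections import defaultdict

# Indicators as stated in the article.
SOBIG_UDP_PORT = 8998
SOBIG_FILENAME = "winppr32.exe"

# Constructed firewall log (simplified iptables-style LOG output). Only the
# SRC/DST/PROTO/DPT fields are used; everything else is decoration.
SAMPLE_FW_LOG = """\
Aug 22 14:58:01 fw kernel: OUT=eth1 SRC=10.0.1.15 DST=203.0.113.7 PROTO=UDP SPT=1034 DPT=8998 LEN=40
Aug 22 14:58:02 fw kernel: OUT=eth1 SRC=10.0.1.15 DST=203.0.113.8 PROTO=UDP SPT=1035 DPT=8998 LEN=40
Aug 22 14:58:05 fw kernel: OUT=eth1 SRC=10.0.1.22 DST=192.0.2.10 PROTO=TCP SPT=2048 DPT=80 LEN=52
Aug 22 14:58:09 fw kernel: OUT=eth1 SRC=10.0.1.40 DST=198.51.100.3 PROTO=UDP SPT=1099 DPT=8998 LEN=40
Aug 22 14:58:11 fw kernel: OUT=eth1 SRC=10.0.1.22 DST=192.0.2.11 PROTO=UDP SPT=1100 DPT=53 LEN=60
"""

# Constructed file inventory from a Windows host (e.g. output of a dir /s).
SAMPLE_INVENTORY = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\winppr32.exe",
    r"C:\Documents and Settings\alice\My Documents\report.doc",
]

FW_LINE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+SPT=\d+\s+DPT=(?P<dpt>\d+)"
)


def suspected_sobig_hosts(log_text):
    """Map each internal source that sent UDP to port 8998 to the sorted list
    of destinations it tried. Lines that do not parse are skipped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_LINE.search(line)
        if not m:
            continue
        if m["proto"].upper() == "UDP" and int(m["dpt"]) == SOBIG_UDP_PORT:
            hits[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def flag_sobig_file(paths):
    """Return every path whose basename is the worm's filename. The match is
    case-insensitive and accepts either path separator; a hit outside the
    Windows folder is still returned, since the name alone is suspicious."""
    flagged = []
    for p in paths:
        basename = p.replace("/", "\\").rsplit("\\", 1)[-1]
        if basename.lower() == SOBIG_FILENAME:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for src, dsts in suspected_sobig_hosts(SAMPLE_FW_LOG).items():
        print(f"{src}: UDP/{SOBIG_UDP_PORT} to {', '.join(dsts)}")
    for path in flag_sobig_file(SAMPLE_INVENTORY):
        print(f"possible SoBig.F dropper: {path}")
```

Run against a real log export, the first function gives the clean-up list the article asks administrators to work through, and a host that keeps appearing after it has been cleaned is a sign the removal did not complete. The second check is only a filename match and is no substitute for the signature-based scan the article recommends, but it is cheap enough to run across a fleet before full scans finish.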

There are a few manual removal options. Trend Micro
provides manual removal instructions for SoBig.F and McAfee
also has a page with manual removal instructions. All
manual removal requires some complex steps, including
Registry editing, which should only be attempted by IT
professionals and not end users. Also note that Symantec is
offering a free downloadable removal tool.

Final word
The worst of SoBig.F may not be over yet. Because of the
unpredictable dangers inherent with the hidden Trojan that
appears to be included with SoBig.F, every administrator
should move quickly to mitigate the damage that could be
caused by this worm by following the recommendations
mentioned above for removing SoBig.F and blocking its
communications ability.





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To Search in the Gambia-L archives, go to: http://maelstrom.stjohns.edu/CGI/wa.exe?S1=gambia-l
To contact the List Management, please send an e-mail to:
[log in to unmask]

To unsubscribe/subscribe or view archives of postings, go to the Gambia-L Web interface
at: http://maelstrom.stjohns.edu/archives/gambia-l.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
