Port Information

Protocol  Service         Name
tcp       roboflow        Canto
tcp       canto-roboflow  Canto RoboFlow Control
Top IPs Scanning

Today                   Yesterday
198.199.93.93 (7)       204.48.20.232 (25)
192.241.224.16 (7)      79.124.62.86 (12)
194.180.49.67 (5)       162.243.148.23 (10)
107.170.240.20 (5)      162.243.128.56 (9)
198.199.92.135 (5)      162.243.136.55 (8)
103.197.184.2 (4)       79.110.62.185 (8)
35.203.211.175 (4)      198.199.101.120 (8)
45.132.1.242 (4)        194.26.29.152 (7)
45.55.0.9 (3)           159.203.192.11 (5)
198.199.109.30 (3)      107.170.252.68 (5)
User Comments

Submitted By: Nick FitzGerald    Date: 2009-10-04 18:45:22

Comment:

-----BEGIN PGP SIGNED MESSAGE-----

8998 UDP is used as the "go get the next stage from here" port on a list of IPs hardcoded into Sobig.D, .E and .F. The listener machines expect a specific signature in any "request" packets and return an encoded string with a URL (often bogus or "misleading"). The Sobig "client" machine decodes this string and downloads and executes the contents of the URL, thus providing an "update" or "add further software to the victim" option to the virus.

The Sobig.D, .E and .F variants also have hardcoded "drop dead" dates and access their "contact list" IPs for prescribed periods of time (3 to 5 hours) starting at set times on specific days, coordinated through the use of UT obtained from one of several public NTP servers rather than from local time on their victims.

Reference URLs (first is a good overview of the Sobig family; the rest are Sobig.F-specific):
http://www.lurhq.com/sobig-e.html
http://www3.ca.com/virusinfo/virus.aspx?ID=36376
http://www.f-secure.com/v-descs/sobig_f.shtml
http://www.viruslist.com/eng/viruslist.html?id=65735
http://vil.nai.com/vil/content/v_100561.htm
http://www.sophos.com/virusinfo/analyses/w32sobigf.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F&VSect=T

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAjBlEuoAAAEEAOtCeFmSTxlIORUaSAQOp27CULdaUkdxB+5gJ8x6Fxj6lspL
EfPRSFo3Hxk3U2hN7nR66F1akU9g5luuiL06vs0y+9jpq2NwiaDQ+k3kNkkBRse0
gdvMdAgDE3xdrvSU03F2bEI5u/HSomqaG7G9X0Hpb6mN5zL6HY2yC8NpBpE5AAUR
tBFuaWNrQHZpcnVzYnRuLmNvbbQzTmljayBGaXR6R2VyYWxkIDxuLmZpdHpnZXJh
bGRAY3NjLmNhbnRlcmJ1cnkuYWMubno+iQCVAwUQMJfKPodGPdIwvm+pAQHuGwP7
BuY6A2ag2UzH3DtVxX7F3fE8y+AbXPdTpm1dmMLdq/gN6c+JPgOpMfNOJPgC1/J8
QqmcgvdI01e/opbaXxRF0Q4onrbkBSyCoS9MmT137vM267FZmEKwbfd9/b6V7FuR
7zVrkI6mo12i62EBqYGTiOxBbzIAt2lHfjnOwTLFLWSJAJUCBRAwbI9rjbILw2kG
kTkBAXy+A/4u8ewTbPSf2AgoCSz/4xPEqzL2UBWP7kQIELlUqZw22K4OtyZF/07a
VoDiLTD+Qy0H7qNoF7jov+pIJIPii3qqoIxokom6KbnEHbT5nhZsrObLAz+DkX+i
HpLnmnS0nUuJDg6Hr5WK83LR0s3AtNyWLoNW3a87upxSX+hhI3KE07QdbW9kZXJh
dG9yQHZpcnVzLWwuZGVtb24uY28udWu0GG5pY2tAdmlydXMtbC5kZW1vbi5jby51
a7QcY2N0cjEzMkBjc2MuY2FudGVyYnVyeS5hYy5uerQfY2N0cjEzMkBjYW50bmEu
Y2FudGVyYnVyeS5hYy5uerQfY2N0cjEzMkBjYW50dWEuY2FudGVyYnVyeS5hYy5u
erQfY2N0cjEzMkBjYW50dmEuY2FudGVyYnVyeS5hYy5ueg==
=yOoU
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850

iQCVAwUBP0dob42yC8NpBpE5AQGOewQAue8s/XTVd5857ex6no5q4oVvIh/haE8i
GveieBsGqmgRa+LK0FGktKRvhfO8CkB41cfsVokfGKHRndPhA3PfVBT+ezSLq6uF
co/55N1zDFyMvIYURDUemlSbD99xKpzEYRYzWCQpvdLR8JbPA7INRjT76l8v79pB
kINybX5paa4=
=+Ssf
-----END PGP SIGNATURE-----