SoBig Virus Update

Published: 2003-08-22
Last Updated: 2003-08-22 19:14:37 UTC
by Handlers (Version: 1)
Sobig Update Cycle

SoBig-F, the most recent incarnation in the family of Sobig mass mailing viruses, will be entering its update cycle today at 19:00 UTC. Between 19:00 and 22:00 UTC, the virus will attempt to contact a predefined set of hosts to download updates. At this point, it is not known what the update will do.

The list of "master servers" can be updated remotely by using signed UDP packets to ports 995-999.

Threat

The Sobig virus is a significant threat to any network. It opens backdoors, includes proxy servers, and spreads fast across file shares and via e-mail. Detection and removal of infected machines should be a high priority.

Recommendation

Sobig can be detected in several ways:

E-mail: An infected machine will send large amounts of e-mail. It will not use the usual e-mail server but instead sends e-mail directly to the recipients' mail servers.

Virus scanners: Currently, all major virus scanners detect Sobig-F.

NTP traffic: The worm synchronizes with various NTP servers to obtain an accurate time.

Counter Measures:

Block all outbound traffic on port 25 unless it is originating from a known mail server. Require users of your network to use this authorized mail server. Implement virus scanning on this mail server.

Block inbound UDP traffic to ports 995-999.

Block outbound UDP traffic to port 8998.

Remind users not to click on e-mail attachments ( http://isc.sans.org/antivirus.pdf )

Only Windows can be infected by this virus. Other operating systems like Linux, OS X, and BSD can be used to protect systems.
Note: Sobig will spoof the 'From' address. It uses e-mail addresses found in cached Internet Explorer files and contact lists. Please configure your anti-virus scanners to suppress notifications to senders of Sobig-infected e-mail. The notification will likely not reach the actual sender, but will instead end up in some innocent mailbox.
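As an added illustration (not part of this diary), the following Python script applies the detection and counter-measure indicators above to constructed firewall log lines: direct outbound SMTP from a host that is not the authorized mail server, inbound UDP to 995-999, outbound UDP to 8998, and NTP synchronization as a corroborating sign only. The log format, the addresses and the authorized mail server 10.0.0.2 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (format assumed; documentation address ranges only).
SAMPLE_LOG = """\
ALLOW OUT tcp 10.0.0.5:1043 -> 192.0.2.10:25
ALLOW OUT tcp 10.0.0.5:1044 -> 198.51.100.7:25
ALLOW OUT tcp 10.0.0.2:2051 -> 203.0.113.9:25
ALLOW OUT udp 10.0.0.5:1045 -> 192.0.2.20:8998
ALLOW IN udp 198.51.100.99:40000 -> 10.0.0.5:996
ALLOW OUT udp 10.0.0.5:1046 -> 192.0.2.30:123
ALLOW OUT udp 10.0.0.7:1047 -> 192.0.2.30:123
ALLOW OUT tcp 10.0.0.7:3333 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+) (?P<dir>IN|OUT) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

KNOWN_MAIL_SERVERS = {"10.0.0.2"}  # assumed authorized relay for the network


def sobig_indicators(log_text, mail_servers=KNOWN_MAIL_SERVERS):
    """Map each internal host to the set of Sobig-F indicators seen for it."""
    strong = defaultdict(set)  # indicators specific to Sobig-F behaviour
    ntp_hosts = set()          # weak indicator: many clean hosts also use NTP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # ignore lines in an unexpected format
        proto, dport = m["proto"], int(m["dport"])
        if m["dir"] == "OUT":
            host = m["src"]
            if proto == "tcp" and dport == 25 and host not in mail_servers:
                strong[host].add("direct-smtp")      # bypasses the mail server
            elif proto == "udp" and dport == 8998:
                strong[host].add("udp-8998-out")
            elif proto == "udp" and dport == 123:
                ntp_hosts.add(host)
        else:
            host = m["dst"]
            if proto == "udp" and 995 <= dport <= 999:
                strong[host].add("udp-995-999-in")   # master-list update channel
    # NTP only corroborates hosts already flagged by a strong indicator.
    for host in ntp_hosts & set(strong):
        strong[host].add("ntp-sync")
    return dict(strong)


if __name__ == "__main__":
    for host, why in sorted(sobig_indicators(SAMPLE_LOG).items()):
        print(host, ", ".join(sorted(why)))
```

Hosts that only talk NTP, such as 10.0.0.7 in the sample, are deliberately not reported; the authorized mail server's own port-25 traffic is also excluded.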

Further Details:

http://www.f-secure.com/v-descs/sobig_f.shtml

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
