
The Origin Of Sobig (And Its Next Phase)

timothy posted more than 10 years ago | from the 5-percent-is-plenty dept.

Security 500

MrZeebo writes "According to this story at Canada.com, the FBI, along with other authorities, has traced the origin of the Sobig worm. The quick timeline: Apparently, an earlier version of the worm installed a backdoor on a home computer in British Columbia. The creator of the worm used this compromised computer to create a Usenet account with Easynews.com in Phoenix, using a stolen credit card. The worm spread from Usenet, and contained the IP addresses of 20 computers to contact on Friday, and to download an unknown program from those computers. Officials were able to take 19 of these computers offline before the mass-download. However, the 20th computer stayed online, and many copies of the worm were able to get the rogue program. Those that did were merely redirected to a porn site, no damage done. However, now infected computers will continue to try to connect to the other 19 every Friday and Sunday until the worm expires on Sept. 10th." Reader muldoonaz points out this brief Reuters story about the investigation, too.


500 comments

Re: Wicked screensaver (4, Funny)

JohnGrahamCumming (684871) | more than 10 years ago | (#6774473)

Please see the attached file for details.

Re: Wicked screensaver (4, Funny)

mjmalone (677326) | more than 10 years ago | (#6774487)

WARNING!!! (from zidane.cc.vt.edu)


The following message attachments were flagged by the antivirus scanner:

Attachment [2.2] application.pif, virus infected: W32/Sobig-F. Action taken: deleted
PWN'D

Warning: your computer has a virus (0)

Anonymous Coward | more than 10 years ago | (#6774585)

WARNING!!! (from zidane.cc.vt.edu)

The following message attachments were flagged by the antivirus scanner:

Attachment [2.2] application.pif, virus infected: W32/Sobig-F. Action taken: deleted

Re:Warning: your computer has a virus (2, Insightful)

mjmalone (677326) | more than 10 years ago | (#6774635)

No, actually the mailservers at vt.edu scan for virii, they flagged it and deleted the attachment. I ran FixSobig-F.exe just to make sure, virus free.

PUTTING USA TO IT'S KNEES!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6774620)

As we have witnessed, ALL IT TAKES TO PUT USA TO IT'S KNEES is a couple of Boeing 747s. The whole nation can be put down on it's knees with them.

And hitting some power station can shut NEW YORK. It is pretty clear that the terrorists will win. Their next attack will be devastating I predict. USA is SO FUCKING vulnerable!!! It's time to wake up to a reality!!!

Perhaps some day one of these viruses will put USA to it's knees. The government runs Windows! Un-FUCKING-believable!

Re:PUTTING USA TO IT'S KNEES!! (0)

Anonymous Coward | more than 10 years ago | (#6774637)

Yeah, it's pretty ridiculous... Government agencies should get rid of Windows.

Re:PUTTING USA TO IT'S KNEES!! (0)

Anonymous Coward | more than 10 years ago | (#6774650)


It's time to wake up to a reality!!!

It's time to wake up to English grammar!!!

Re:PUTTING USA TO IT'S KNEES!! (2, Insightful)

mjmalone (677326) | more than 10 years ago | (#6774651)

Nice spam, but I would argue that those Boeing 747s did not in fact bring the nation to its knees. It just pissed off some drunken rednecks and gave them an excuse to steal the rest of the world's oil and call anyone against their plot of world domination an unpatriotic yankee.

Re:PUTTING USA TO IT'S KNEES!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6774666)

Yeah, you are right. What happened on 9/11 was sad, of course, but it really proved that USA is very vulnerable.

Re:PUTTING USA TO IT'S KNEES!! (1)

justinburt (262452) | more than 10 years ago | (#6774668)



Whew! Aren't trolls usually posted anonymously?

Justin

Re:PUTTING USA TO IT'S KNEES!! (0)

Anonymous Coward | more than 10 years ago | (#6774678)

Justin baby. Are you the one who is trolling?

Re:PUTTING USA TO IT'S KNEES!! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#6774663)

You are a Bush-hating terrorist and a Linux loving commie.

Get out of America you filthy liberal!!

(Posting as AC because there's no way this will be modded funny, even though it is funny.)

Next time (0, Redundant)

xijix (143366) | more than 10 years ago | (#6774475)

Well....next time it will do something really bad, I swear!

GAY NIGGERS OF AMERICA! (-1, Troll)

Staos (700036) | more than 10 years ago | (#6774477)

YEAH

Erkel Voice (-1, Offtopic)

phlyingpenguin (466669) | more than 10 years ago | (#6774480)

Did I do thaaaaaaat?

First post (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6774485)

holy shit first post

YOU FAIL IT! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6774519)

HOLY SHIT YOU FAIL!

Re:YOU FAIL IT! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6774600)

Keep it up. Your work here is silently appreciated by the majority of people who read at -1.

Re:YOU FAIL IT! (0)

Anonymous Coward | more than 10 years ago | (#6774641)

Yeah, baby: YEAH!

fp (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6774486)

cocksucks

YOU FAIL IT! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#6774532)

YOU SO FUCKING FAIL IT!

Linux (0, Offtopic)

brokencomputer (695672) | more than 10 years ago | (#6774490)

Now if the computers hadn't been running Windows they would have crashed anyway and wouldn't have been able to execute it. Oh wait, they were running Windows. I guess Windows (and any crashable OS) only crashes during important data writing.

What a nice guy though (4, Insightful)

Anonymous Coward | more than 10 years ago | (#6774492)

An expiration date was actually coded into the worm? Seems pretty ironic.

Re:What a nice guy though (5, Funny)

EpsCylonB (307640) | more than 10 years ago | (#6774546)

Anyone else think this sounds like a bad hollywood plot ?

We only have 48 hours to shut down 20 random computers or the internet is brought to its knees.

Re:What a nice guy though (2, Funny)

Anonymous Coward | more than 10 years ago | (#6774557)

Speed meets The Net. Three cheers for Sandra Bullock!

Re: What a nice guy though (2, Funny)

Black Parrot (19622) | more than 10 years ago | (#6774611)


> Anyone else think this sounds like a bad hollywood plot? We only have 48 hours to shut down 20 random computers or the internet is brought to its knees.

Worm author sells movie rights to pay legal fees...

Re:What a nice guy though (1)

s88 (255181) | more than 10 years ago | (#6774672)

uh yea... just about as ironic as rain on your wedding day, alanis.

I Love You (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6774494)

This is old news fellas. Slashdot is just recycled crap anymore.

Methods used to obfuscate worm code (5, Interesting)

Anonymous Coward | more than 10 years ago | (#6774497)

How can the operation of code like this be so uncertain when it's relatively small and known? I assume the worm doesn't download keys as it runs to unlock further sections of code... How difficult is it to know what exactly these things do when they have a complete binary copy disassembled?

this is why (4, Funny)

commodoresloat (172735) | more than 10 years ago | (#6774593)

This is why worms need to be open source. Proprietary worms do a disservice to the worm community!

Another day, another worm (4, Interesting)

KingDaveRa (620784) | more than 10 years ago | (#6774498)

These worms amaze and worry me all at once. They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with Cancer or AIDS as far as some people are concerned. It's major shock-horror time when one happens. That's not to say people should take them lightly though.

They worry me because of the fact they do all the above. These things are just a little power trip for all concerned. Microsoft's latest idea of forcing Windows Update could stop this - but only with the new versions of windows. We're going to have older versions kicking around for years to come.

Ultimately, could Microsoft be blamed for these viruses? After all, if they didn't miss these bugs, the viruses wouldn't have a mechanism to run on. But should we blame the guys producing Apache when a flaw is found in that? Personally, I think it's unfair to blame MS for all of this.

Re:Another day, another worm (2, Insightful)

brokencomputer (695672) | more than 10 years ago | (#6774503)

most people don't update even when it's forced. they click wait 1 minute every minute and never do. anyway by the time the virus spreads it is too late. I think it is totally fair to blame MS. They wrote bad code that allowed itself to be exploited.

Re:Another day, another worm (1)

KingDaveRa (620784) | more than 10 years ago | (#6774533)

Having seen people at work cancel automatic backups because 'it's too slow', I don't have a lot of sympathy for some users. People need educating on these things though - keep things patched and we'll all be happy, rather than 'don't patch and the devil will take your children and infect your computer'

Re:Another day, another worm (1)

hetta (414084) | more than 10 years ago | (#6774627)

That's why you schedule your backups for after hours, surely. If you don't, don't blame the user, blame yourself for not understanding how people work.

Re:Another day, another worm (1, Troll)

wasabii (693236) | more than 10 years ago | (#6774544)

I think MS is to blame. But not because they left a hole, in fact, they didn't with SoBig. SoBig is a simple executable attachment. What they did however was put no effort into making it hard for these programs to be launched! Look at any unix mailer, does it have an "Open" button to launch a downloaded program? Mozilla? No. You have to go out of your way to save a file to disk, mark it executable, and run it. Windows was designed to make it easy to spread virus, until MS fixes that, yes, they are at fault.

Re:Another day, another worm (3, Interesting)

dhwebb (526291) | more than 10 years ago | (#6774681)

I agree with you that SoBig isn't a security hole in MS's code, but I like the "Open from here" features. You said that you should have to save to disk, mark executable, then run it. Guess what, if that's how it was then people would do that and still get the worm/virus. For some reason, end-users have to look at everything that comes through their inbox. How many people do you know that run linux as root because it's easier, and even though they know they shouldn't. Seriously, I know some very smart people, and they are guilty of it and say, "You just gotta be a little more careful."

That's the whole prevention of this kind of thing: have updated antivirus defs, know what you're opening (NOT what the email says either), and just because it came from your mom doesn't mean:
a. she's not immune from worms
b. it actually came from her

But amazingly, you tell an EU this and they just keep doing it and acting such the victim when they actually get infected. I actually had an EU call me over to ask me about an e-mail that actually had SoBig on Thursday. I told her not to open it because it was a virus, well she looks at me and says, "Oh don't worry, it doesn't do anything watch." And believe it or not, she sat there and opened the email and double-clicked the attachment to show me it didn't do anything. Just amazing.

Re:Another day, another worm (1)

Brad Mace (624801) | more than 10 years ago | (#6774513)

> Ultimately, could Microsoft be blamed for these viruses? After all, if they didn't miss these bugs, the viruses wouldn't have a mechanism to run on. But should we blame the guys producing Apache when a flaw is found in that? Personally, I think it's unfair to blame MS for all of this.

Whether it's fair to blame them depends on how hard they tried to find and fix the holes. If someone could show that Microsoft made only a token effort, they'd probably have grounds to sue for damages. (IANALBIPOOSD)

Re:Another day, another worm (1)

Stephen Samuel (106962) | more than 10 years ago | (#6774578)

Ultimately, could Microsoft be blamed for these viruses?

Read the MS EULA. Microsoft may be indemnifying people against possible IP problems (for hidden software). On the other hand, damned if they're going to indemnify their users against real problems.

Re:Another day, another worm (1, Insightful)

Anonymous Coward | more than 10 years ago | (#6774515)

This worm does not exploit any vulnerabilities in Windows. It just sends an evil attachment.

The only thing being exploited here is stupidity. Not even windows update can fix that.

Forced Grid Computing? (3, Interesting)

Corpus_Callosum (617295) | more than 10 years ago | (#6774534)

They amaze because of the massive power they have over networks, PCs and most importantly the people they affect. Worm viruses are up there with Cancer or AIDS as far as some people are concerned.

How long until we see more organized worms that communicate with each other to achieve a goal (such as cracking an RSA key)? It seems that stealthy worms could already be out there, slowly infiltrating and lodging themselves into message handlers or whatnot...

BTW: Yes, I do think we can blame MS... Their software does make this stuff possible.

Re:Another day, another worm (1, Funny)

Anonymous Coward | more than 10 years ago | (#6774540)

Ultimately, could Microsoft be blamed for these viruses?

Of course not you tool. This worm spread VIA USENET AND E-MAIL. Christ, RTFA before spouting your anti-MS BS.

Re:Another day, another worm (1, Interesting)

Anonymous Coward | more than 10 years ago | (#6774547)

Yes, perhaps people could actually start blaming those people who actually write the virii or worms. Wouldn't that be a novel concept.
"But M$ is baaaaaaaad! If they wrote better programming, it wouldn't happen! *fume fume*"
Right. And if people built better houses/cars, we'd never have break-ins. There will always be overlooked security holes. No matter what you do to lock them, people will find more and use them in a destructive manner. Lock your front door and a burglar will pick the lock. Build a better lock and whoops! You forgot to lock the window.
Lock the window and the burglar breaks it instead. Get unbreakable glass and the burglar finds more devious ways in. Is it foolish to leave your house unlocked while on vacation? Most certainly. But anyone taking something from your house is still a thief and is ultimately responsible for stealing.

Re:Another day, another worm (0)

Anonymous Coward | more than 10 years ago | (#6774565)

> Worm viruses are up there with Cancer or AIDs as far as some people are concerned.

Stupidest comparison in the known universe; the people who think this don't know anyone they care about who has cancer or AIDS.

It's a virus, not a worm (0)

Anonymous Coward | more than 10 years ago | (#6774622)

Worms are programs that make new copies of themselves and then destroy the originals. In essence, they move from place to place rather than spreading the way a virus would.

Of course, a lot of people have been confused over the last decade or so because of the Morris worm, which was intended to function like a virus 5% of the time (although it actually did so 95% of the time, due to a one character bug).

But we're SlashDot readers, and we aim to be tech-savvy, so let's get our terminology right, even if C|Net doesn't.

Re:Another day, another worm (0, Redundant)

justinburt (262452) | more than 10 years ago | (#6774631)



Ultimately, could Microsoft be blamed for these viruses?

I have an idea I haven't seen mentioned elsewhere: perhaps the virus writers should be blamed for these viruses.

Justin

Damn... (4, Flamebait)

seanadams.com (463190) | more than 10 years ago | (#6774501)

Am I the only one who's a little bummed that this virus may have been stopped dead in its tracks here? I mean, my inbox got slammed with crap just like everyone else's, but because nearly all of my systems are running relatively [freebsd.org] secure [apple.com] operating systems [kernel.org], I just kinda chuckle each time another dozen messages show up automatically routed to my "Junk/virii" folder.

It is pure, gleeful schadenfreude for me to think of all the hapless PHBs and MSCSE CIOs who are finally being given a little hint as to just how vulnerable they've left their companies. In the short term yes, many people will be inconvenienced and possibly some critical systems knocked out. But these hapless companies and also the public sector will eventually be forced to learn, and that's ultimately a good thing for all of us.

Re: Damn... (3, Interesting)

Black Parrot (19622) | more than 10 years ago | (#6774541)


> But these hapless companies and also the public sector will eventually be forced to learn, and that's ultimately a good thing for all of us.

Essentially these have been serving as vaccinations rather than infections, because they're provoking an antibody response that will (should) reduce the impact of a genuinely hostile worm when it finally comes out.

The vaccination isn't completely effective, since so many people obviously aren't hardening their systems, but some are, and the experts are getting a lot of practice at trapping, analyzing, and defusing the worms on a tight schedule. If this had come out a couple of years ago the response might not have been quick enough to shut the 19 sites down.

Still waitin' for the big one, though.

Re:Damn... (0)

Anonymous Coward | more than 10 years ago | (#6774543)

The parent post was submitted by Nick Burns.

Nobody seems to care. (1)

Meat Blaster (578650) | more than 10 years ago | (#6774576)

We all share the Internet, and worms such as this muddy the waters for even those of us who use properly secured systems. Events like this make it plain that best security practices are no longer optional for a stable Internet, and we'd all be better off if some degree of diligence was mandated legally or as a term of service by each ISP before it became possible to connect a system to everybody else's.

Antiviral software is virtually a must to avoid the myriad of malware that circulates the WWW. People who don't keep upgrading to the most recent version of Windows/related applications leave us all open via their vulnerability. A closer look is necessary at providing services like P2P and binary downloads via e-mail or Usenet, which are responsible for nine out of ten infections (the rest being worms that automatically exploit bugs in networked computers without user intervention).

At some point, all software should be vetted for buffer overflows and certified by a trusted entity before being permitted for use on an open network. Only then can we stem the tide of attacks on our greatest electronic resource from these malcontents.

Re:Nobody seems to care. (1, Interesting)

Anonymous Coward | more than 10 years ago | (#6774664)

At some point, all software should be vetted for buffer overflows and certified by a trusted entity before being permitted for use on an open network. Only then can we stem the tide of attacks on our greatest electronic resource from these malcontents.

Are you trolling, or do you not realize that you've just advocated the elimination of free software, both as in beer and in speech?

Don't be so smug (0)

Anonymous Coward | more than 10 years ago | (#6774670)

Run properly, WinXP is just as secure as any of the OS's you mentioned. Like everyone else, I've been bombarded by virus-infected e-mails and attempts by worms to infiltrate my systems, but thanks to a hardware firewall, anti-virus software, and an appropriately cautious approach to file attachments, I got off without a scratch. In fact, I've NEVER had a virus or worm on any system I've controlled, going back to 1979.

Re:Damn... (0)

Anonymous Coward | more than 10 years ago | (#6774684)

What I find ironic is that these worms do these MS guys a favor. What these worms do in a widespread and generic fashion a decent cracker can do in a narrowly-focused and tenacious manner much more effectively.

This means that if you got hit by a worm, your computer systems were lying wide open for any hacker to attack and take control of.

This worm merely wanted you to go to a porn site, not take all your trade secrets/steal your financial data/create fake identities/steal money electronically/steal credit card # and other customer information etc etc etc etc etc.

This worm is a cracker's way of saying "wake up and smell the f***ing coffee before you get hacked like the b***h you are."

hmmm (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#6774502)

but what's the origin of CmdrTaco's anal-sex fetish?

Re:hmmm (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6774549)

i think it involves a size 12 butt-plug given to him by his uncle Larry, Christmas 1987.

Re:hmmm (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6774560)

but what's the origin of CmdrTaco's anal-sex fetish?
dude, have you ever stuck it up a girl's pooper? it's bliss.

Movie (0, Offtopic)

msgmonkey (599753) | more than 10 years ago | (#6774505)

The whole summary sounds like some Matricesque (sp?) movie with little plot twists thrown in there for good measure.

Re:Movie - dear god, it's the plot of Hackers! (1, Funny)

Anonymous Coward | more than 10 years ago | (#6774674)

Next stage will be when the sobig virus targets the stability software on oil tankers... and Angelina Jolie will rescue us with her superfast laptop running a huge *28.8 modem*...

Ahh... nostalgia for things that have only just happened - that's what I love about being a science fiction fan!

Instructions to cure worm. (0)

Anonymous Coward | more than 10 years ago | (#6774509)

1) Right click the clock on your taskbar,
2) click adjust date and time,
3) set date to 11/09/2003, click OK
4) ???
5) No more worm! (Just have to use an external clock to keep track of the time until the REAL 11/09/2003 comes around)

Re:Instructions to cure worm. (5, Informative)

JohnGrahamCumming (684871) | more than 10 years ago | (#6774548)

Actually the worm included its own NTP client which it would use to verify the date by querying NTP servers on the Internet.

Hence this doesn't work. I thought this was a nice touch on the part of the worm author. As well as including NTP, the author had their own SMTP server for sending the messages and used a regular expression engine to search for email addresses on the machine.

This was not written by a script kiddie.

John.

Re:Instructions to cure worm. (2, Interesting)

Guppy06 (410832) | more than 10 years ago | (#6774642)

What happens if I block outbound NTP requests?

Correction (5, Interesting)

idiotnot (302133) | more than 10 years ago | (#6774512)

Actually, "officials" were only able to take down thirteen of the twenty hosts targeted. Six were already down due to MS Blaster.

Re:Correction (0)

Anonymous Coward | more than 10 years ago | (#6774575)

The 3r337 worm and virii wars begin...

Re:Correction (1)

nordicfrost (118437) | more than 10 years ago | (#6774581)

Cool! Source?

The porn site moneymaking scheme? (5, Interesting)

Rkane (465411) | more than 10 years ago | (#6774514)

I want to know what 'officials' are doing about this alleged porn site that the computers are being aimed at. It may very well be just a random site that the author chose, but I would definitely look into the possibility of the site owners being in on this.

Furthermore, what is the address of this porn site? I think we net admins have a valid right to "research" this threat using the company broadband!

Re:The porn site moneymaking scheme? (1)

Openadvocate (573093) | more than 10 years ago | (#6774566)

If the writer of the worm had gone through all the steps he had to hide the origins, I doubt that he is the owner of that site.
The reasons for him linking to it could range from a random site to a paid job, but I doubt the latter. Everyone with half a brain knows what they have to face if they get caught and the efforts that have gone into finding people in earlier cases. But then again, there are stupid people out there.

Porn webmasters are always ahead of the curve (4, Insightful)

mikeophile (647318) | more than 10 years ago | (#6774522)

How long till the straight marketeers catch on with worms to move hits over their sites?

Already exists (4, Funny)

Ciderx (524837) | more than 10 years ago | (#6774556)

It's called "W32/SitePostedOnSlashdot"

the perfect solution was missed. not too late! (5, Interesting)

goombah99 (560566) | more than 10 years ago | (#6774525)

why not put the virus fixing script on the 19 computers, plus some choice words about MS security and the need to patch.

In fact why not have the virus download a patch that installs a daemon that periodically installs all MS patches. anyone who is too dumb to deactivate it needs to have it installed. it's a self-selecting fix

Re:the perfect solution was missed. not too late! (4, Interesting)

rusty0101 (565565) | more than 10 years ago | (#6774570)

That's one of the perpetual fights going on. The two sides are the administrators who are tired of the fact that there are all too many systems with poor administration being done which happen to also be on the internet, vs. the administrators who think that if someone did this to them that they would be out of a job for happening to have poor security. (I happen to believe that those administrators who do have this happen to them should be out of a job for poor security, but that's a different matter.)

I think that the worst case situation would be that a security engineer finds a flaw and uses an exploit of that flaw to patch all systems against the flaw, then announces to Microsoft that the flaw existed, here is the exploit, here is the fix, and oh, by the way, the fix has been applied to nearly every Windows SV on the Net, as well as a few others. The problem then is that Microsoft would have the problem of deciding whether they should sue the security engineer or applaud him.

I think the concern of Microsoft would be whether the fix is worse than the flaw. Since they did not provide it, their own licences do not apply to the patch, which means that nearly every computer with the code installed would effectively be running unlicensed code which Microsoft might find themselves liable for. Especially if there is a flaw in it.

-Rusty

It's NOT too late. (4, Interesting)

Stephen Samuel (106962) | more than 10 years ago | (#6774591)

The viruses will be 'calling home' every Friday and Sunday for the next few weeks. There's still lots of time to install such scripts.

If nothing else, put together a script that will log the IPs of machines that connect for further instructions and send a message to their responsible ISP asking them to have the users clean up their system.

I've already got a prototype set of scripts if anybody's interested.
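A sketch of the logging script this post describes, as an added example (not the poster's prototype): it parses constructed Apache-style access-log lines from one of the contacted hosts, keeps only requests for the worm's fetch path that arrive on a Friday or Sunday before the Sept. 10 expiry, and groups them by client IP so the responsible ISPs can be contacted. The fetch path `/update`, the common-log format, evaluating the weekday in UTC, and every log line are assumptions made for the example.

```python
import re
from datetime import date, datetime, timezone

# Apache/nginx "common log format"; the sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

CALL_HOME_DAYS = {4, 6}      # datetime.weekday(): Monday == 0, so Friday == 4, Sunday == 6
EXPIRY = date(2003, 9, 10)   # the worm stops calling home after this date (from the story)


def parse_line(line):
    """Return (client_ip, utc_timestamp, request_path) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    # The worm checks the date against NTP rather than the local clock, so the
    # schedule is evaluated in UTC here (assumption for this example).
    return m.group("ip"), ts.astimezone(timezone.utc), m.group("path")


def is_call_home(ts, path, fetch_path):
    """True if this request matches the Friday/Sunday fetch window before expiry.
    The HTTP status is deliberately ignored: an infected host that gets a 404
    is still infected."""
    return (path == fetch_path
            and ts.weekday() in CALL_HOME_DAYS
            and ts.date() <= EXPIRY)


def collect_callers(lines, fetch_path="/update"):
    """Map each client IP that fetched fetch_path inside a call-home window to
    its hit count and first/last UTC timestamps."""
    callers = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip unparseable lines rather than abort
        ip, ts, path = parsed
        if not is_call_home(ts, path, fetch_path):
            continue
        entry = callers.setdefault(ip, {"hits": 0, "first": ts, "last": ts})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return callers


def abuse_report(callers):
    """One line per infected client, ready to forward to the ISP's abuse contact."""
    return [
        f"{ip}: {e['hits']} fetch(es), first {e['first']:%Y-%m-%d %H:%M}Z, "
        f"last {e['last']:%Y-%m-%d %H:%M}Z"
        for ip, e in sorted(callers.items())
    ]


# Constructed sample log (RFC 5737 documentation addresses, not real infected hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Aug/2003:19:00:05 +0000] "GET /update HTTP/1.1" 200 512',
    # Saturday 01:30 local time, but still Friday 23:30 in UTC: counted
    '198.51.100.7 - - [23/Aug/2003:01:30:00 +0200] "GET /update HTTP/1.1" 404 0',
    # Saturday in UTC: outside the call-home window
    '203.0.113.5 - - [23/Aug/2003:10:15:00 +0000] "GET /update HTTP/1.1" 200 512',
    # Friday, but not the fetch path
    '203.0.113.9 - - [22/Aug/2003:19:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - [24/Aug/2003:21:30:11 +0000] "GET /update HTTP/1.1" 200 512',
    # Friday after the Sept. 10 expiry: ignored
    '192.0.2.10 - - [12/Sep/2003:19:00:00 +0000] "GET /update HTTP/1.1" 200 512',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for report_line in abuse_report(collect_callers(SAMPLE_LOG)):
        print(report_line)
```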

The nice thing about this (0)

Anonymous Coward | more than 10 years ago | (#6774632)

> why not have the virus download a patch that installs a daemon that periodically installs all MS patches. anyone who is too dumb to deactivate it needs to have it installed. it's a self-selecting fix

the really cool thing about this is that unlike the so-called good virus that tried to patch exploitable computers this one is ethical. after all the patching web site is not actually trying to break into your computer. your computer is going to it and asking for a file which is not a hostile act. It does not chew up bandwidth either. and it should be 100% effective.

I wonder who owns these sites. if they are privately owned then someone, maybe a slashdot person, could actually implement this by talking to the site owner.

of course an even more humourous outcome would be to have the downloaded patch simply install Lindows :-). again perfectly legal and ethical.

since the virus will keep going back for the rest of the month it's not too late to implement this.

Who does their reporting?? (0)

Anonymous Coward | more than 10 years ago | (#6774535)

The "Sobig" worm, which fizzled yesterday when the 'trojan horse'-type program did nothing more than direct users to an Internet porn site, has bombarded computers with almost 100 million junk messages since Tuesday.

Direct users to an internet porn site? What? Tell that to our IT department and our DDoS'd network.

Stupid, Offtopic, Newbie, Question (4, Interesting)

CGP314 (672613) | more than 10 years ago | (#6774538)

But willing to risk the flames for an answer that is not ten pages long.

What's the difference between a worm and a virus?

Re:Stupid, Offtopic, Newbie, Question (1)

NetJunkie (56134) | more than 10 years ago | (#6774551)

Worms self-propagate. A virus only propagates when run by a user.

Re:Stupid, Offtopic, Newbie, Question (2, Informative)

hankwang (413283) | more than 10 years ago | (#6774588)

>Worms self-propagate. A virus only propagates when run by a user.

No, if the thing attaches to legitimate Word documents and executables and whatever, it is a virus. If it is a standalone program, it is a worm. See here. [wikipedia.org] .

Re:Stupid, Offtopic, Newbie, Question (1)

FyreFiend (81607) | more than 10 years ago | (#6774559)

I could be wrong here but I always saw a virus as needing a human to help spread; sharing floppies, opening infected files, etc while a worm is self propagating. Once it starts it will try and spread itself without human stupidity (other than running unpatched systems).

Re:Stupid, Offtopic, Newbie, Question (3, Funny)

MyHair (589485) | more than 10 years ago | (#6774595)

What's the difference between a worm and a virus?

You see, a virus is what we doctors call very very small. So small it could not possibly have made off with a whole leg.

Worm vs. Virus (5, Informative)

jaaron (551839) | more than 10 years ago | (#6774607)

A worm is usually a standalone program (runs on its own) and is self-propagating. A virus is a much more general term. In fact, some might argue that a worm is a type of a virus. But in general, a virus infects other software (so it isn't necessarily standalone) and often requires some other application (or human) to transfer it from one location to another.

There's a good answer on Broadband Report Forum [dslreports.com] , or you could try Google [google.com] .

CNET Mistake (2, Informative)

brokencomputer (695672) | more than 10 years ago | (#6774555)

http://wwwi.reuters.com/images/sobig_virus_graphic.gif is a really stupid diagram that isn't correct and is ambiguous, probably causing many misconceptions in cnet readers and reuters readers.

To Clarify... (5, Informative)

NetJunkie (56134) | more than 10 years ago | (#6774567)

It's been a busy week. I see a lot of people confusing the different worms/viruses running around.

SoBig.F - A virus. Exploits no vulnerability in the OS. It only executes when a user runs the attachment. It sends out emails to everyone in your address book and makes the source another address from your book. It runs its own mail server, so filter port 25 outbound.

Blaster - A worm. This exploits the Windows RPC bug and self-propagates to any unpatched system.

Welchia/Nachi - A worm. Also exploits the Windows RPC bug and attempts to clean machines infected by Blaster. Unfortunately, it tries to find other systems by doing random pings which can saturate a network.

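The three behaviours NetJunkie lists above each leave a distinct footprint in outbound connection logs: a desktop speaking SMTP to many remote hosts (a mailer with its own SMTP engine), a host hammering TCP/135 on its neighbours (RPC-exploit propagation), and a host pinging large swaths of address space (Welchia's random pings). The script below is an added example, not code from the thread; it runs over a constructed flow log (timestamp, source, destination, protocol, destination port) and the allow-list and thresholds are assumptions you would tune for your own network.

```python
"""Spot SoBig-style mass-mailing, Blaster-style RPC scanning and Welchia-style
ping sweeps in outbound connection logs.

Added example, not code from the Slashdot thread. The log format is a
constructed one-line-per-flow layout (timestamp, source, destination,
protocol, destination port); adapt parse_line() for a real firewall or
NetFlow export. Thresholds and the mail-server allow-list are assumptions.
"""
from collections import defaultdict

# Hosts allowed to speak SMTP outbound (assumption: only the site's relays).
MAIL_SERVERS = {"192.168.1.10"}

# Distinct-destination thresholds per source within the window (assumptions).
SMTP_THRESHOLD = 5   # a desktop rarely opens TCP/25 to many peers
RPC_THRESHOLD = 10   # TCP/135 to many peers = Blaster-style propagation
ICMP_THRESHOLD = 20  # ICMP echo to many peers = Welchia-style sweep


def parse_line(line):
    """Return (src, dst, proto, dport) for one constructed flow record.

    Format: "<timestamp> <src> <dst> <proto> <dport>"; dport is '-' for ICMP.
    """
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    _ts, src, dst, proto, dport = fields
    return src, dst, proto.lower(), None if dport == "-" else int(dport)


def find_suspects(lines, mail_servers=MAIL_SERVERS):
    """Return {src: sorted list of finding names} for sources over threshold."""
    smtp_peers = defaultdict(set)
    rpc_peers = defaultdict(set)
    icmp_peers = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        src, dst, proto, dport = parse_line(line)
        if proto == "tcp" and dport == 25 and src not in mail_servers:
            smtp_peers[src].add(dst)
        elif proto == "tcp" and dport == 135:
            rpc_peers[src].add(dst)
        elif proto == "icmp":
            icmp_peers[src].add(dst)
    findings = defaultdict(list)
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_THRESHOLD:
            findings[src].append("smtp-engine")
    for src, peers in rpc_peers.items():
        if len(peers) >= RPC_THRESHOLD:
            findings[src].append("rpc-scan")
    for src, peers in icmp_peers.items():
        if len(peers) >= ICMP_THRESHOLD:
            findings[src].append("icmp-sweep")
    return {src: sorted(names) for src, names in findings.items()}


def sample_log():
    """Constructed records: the site relay, a SoBig-like desktop, a Blaster-like
    scanner, a Welchia-like pinger, plus benign noise."""
    lines = []
    ts = "2003-08-22T09:00:00"
    # relay delivering mail to 8 remote MXs: allowed
    for i in range(8):
        lines.append(f"{ts} 192.168.1.10 10.0.{i}.1 tcp 25")
    # desktop .23 doing its own SMTP to 6 MXs: SoBig-style
    for i in range(6):
        lines.append(f"{ts} 192.168.1.23 10.1.{i}.1 tcp 25")
    # desktop .40 probing TCP/135 on 12 neighbours: Blaster-style
    for i in range(12):
        lines.append(f"{ts} 192.168.1.40 192.168.1.{100 + i} tcp 135")
    # desktop .55 pinging 25 neighbours, then 135 on the 3 that answered: Welchia-style
    for i in range(25):
        lines.append(f"{ts} 192.168.1.55 192.168.2.{i + 1} icmp -")
    for i in range(3):
        lines.append(f"{ts} 192.168.1.55 192.168.2.{i + 1} tcp 135")
    # benign: .77 browsing and sending one ping
    lines.append(f"{ts} 192.168.1.77 10.9.9.9 tcp 80")
    lines.append(f"{ts} 192.168.1.77 10.9.9.9 icmp -")
    return lines


if __name__ == "__main__":
    for host, names in sorted(find_suspects(sample_log()).items()):
        print(host, ", ".join(names))
```

The relay is never flagged because it is on the allow-list, which is the practical form of "filter port 25 outbound": block or alert on SMTP from everything except the hosts that are supposed to send mail. Distinct destinations, not packet counts, are what separate a scanner from a chatty but legitimate host.
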
Idiots. (5, Insightful)

cperciva (102828) | more than 10 years ago | (#6774568)

Come on, if you're going to write a worm, do it right.

Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who infected you, and trade connections randomly).

Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.

Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).

In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.

Re:Idiots. (3, Funny)

MyHair (589485) | more than 10 years ago | (#6774612)

Edit that slightly and send it to Microsoft:
-----
Come on, if you're going to write an OS, do it right.

Don't use 20 predetermined machines from which to fetch updates; generate an unstructured network while you're spreading (remember who sued you, and trade alliances randomly).

Don't fetch and install any updates provided to you; use RSA signatures to verify that they are legitimate.

Don't use canned, easy to filter, subject lines in your email messages; borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).

In short: If you're going to release some software which you want to see on millions of machines around the world, try not to embarrass yourself.

Re:Idiots. (1)

gl4ss (559668) | more than 10 years ago | (#6774652)

maybe they'll get it 'right' next time, maybe they didn't count on the list of those 20 computers to be fetched before friday (that were encrypted.. and chosen around the globe, probably also didn't count on the 'virus' to be so successful.. after all it was just an attachment type of scam rather than something that exploited some unknown bug or anything, so it relied only on user stupidity, which is greater than you can possibly guess beforehand it seems). since it had a deactivation timer it would be highly possible that they got another version up their sleeve(and hey, it's a real simple prog anyways and quite impossible to fight against as long as the email client of choice stays, so that it is easy to execute attachments by the user, the same and the users stay as stupid).

Re:Idiots. (0)

Anonymous Coward | more than 10 years ago | (#6774654)

And when you are going to attack Windows Update, use the correct URL.

Re:Idiots. (1)

oni (41625) | more than 10 years ago | (#6774676)

borrow subject lines from your host's mail spool (optionally, do so with only a small probability -- let evolution determine which subject lines are the most effective).

Can you elaborate on that? Are you talking about some master list of effective subjects?

No Problems Here (4, Funny)

Anonymous Coward | more than 10 years ago | (#6774571)

I don't have any friends so I don't really get any e-mail.

Sobig was created to defeat Bayesian Filters. (4, Interesting)

mumblestheclown (569987) | more than 10 years ago | (#6774572)

I am so glad this topic came up, because it gives me a chance to propose my pet theory.

As i understand it, SoBig was written by some spammers (this according to something I read a few days ago). If this is true, it only reinforces my belief that the Sobig worm was written for the purpose of weakening Bayesian filtering schemes for spam email, thus making it easier for spammers to send spam mail in the future.

How?

Simple. You are getting Sobig emails apparently (but probably not really) from people who you may ordinarily receive ham from. If you (as many of you will) flag the SoBig messages as spam, your Bayesian filter will remember that spam comes from trustedfriend@ham.com and lo and behold, false positives increase.

Think this is ridiculous? I began out of habit flagging my Sobig emails as spam before it dawned on me what I was doing. Yes, my filters caught the Sobig, but I did some tests soon after to find exactly the behaviour that I described.

This further underscores the FACT that spam is a SOCIAL, not a technological problem. No bullshit, just good legislation.

I am a small businessperson with a legitimate web based business, on the web now for 8 years. Three accounts now receive 4500 spam per day, or roughly the equivalent of one 56k modem whose full time job is to receive spam. While we have followed best practices with email addresses, over 8 years and thousands of customers, these things get around.

Re:Sobig was created to defeat Bayesian Filters. (2, Insightful)

Saint Aardvark (159009) | more than 10 years ago | (#6774621)

I'm pretty sure that Bayesian filters -- at least like the one in SpamAssassin -- treat the From: address as merely one token among many, many others that can act as an indicator of {spam|ham}miness. And anyhow, I think attempting to discredit bayesian filters as a way of advancing a spammer's agenda is...um, a little indirect.

If a spammer was going to use a virus like this to do spammy things that would benefit him, I think he would use it to turn Joe User's computer into an open relay that would get around the many, many blacklists out there.

Re:Sobig was created to defeat Bayesian Filters. (3, Informative)

JohnGrahamCumming (684871) | more than 10 years ago | (#6774624)

Not sure this makes sense to me. I am running POPFile and it has been capturing SOBIG from the first reclassification I did and I haven't needed to do any more after that (POPFile seems to think the phrase "program cannot run DOS mode" and PIF attachments are spammy). So even if I did poison the corpus with that person's email address it has had little effect.

Secondly, because SOBIG includes its own SMTP server the header information in each of the mails will not be the same as the genuine header information from your regular correspondents. So POPFile (and other filters) would still see them as different.

John.

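The disagreement in the three comments above (does training Sobig mail as spam poison the sender address, or is the From: line just one token among many that differ between the worm's own SMTP engine and a real mailer?) is easy to try out on a toy. The block below is an added example, not code from the thread or from POPFile or SpamAssassin: a minimal naive Bayes filter where header fields become their own tokens, trained on a constructed corpus of three genuine messages and three SoBig-style messages that spoof a friend's address. The corpus is tiny and made up, so the outcome says something about this toy only, not about any real filter.

```python
"""Toy naive Bayes filter for the From:-address poisoning question.

Added example, not code from the thread or from POPFile/SpamAssassin. The
corpus is constructed (three ham messages, three SoBig-style messages that
spoof a friend's address); real filters use far larger corpora and more
header features. Header names become their own tokens (from:, x-mailer:,
attach:) so the sender address is one token among many.
"""
import math
import re
from collections import Counter


def tokenize(msg):
    """msg: dict with 'from', 'mailer', 'attach', 'subject', 'body'.
    Returns the SET of tokens (presence per message, not counts)."""
    tokens = {
        "from:" + msg["from"].lower(),
        "x-mailer:" + msg.get("mailer", "unknown").lower(),
    }
    if msg.get("attach"):
        tokens.add("attach:" + msg["attach"].rsplit(".", 1)[-1].lower())
    text = msg.get("subject", "") + " " + msg.get("body", "")
    tokens.update(re.findall(r"[a-z0-9]+", text.lower()))
    return tokens


class NaiveBayes:
    def __init__(self):
        self.doc_count = {"spam": 0, "ham": 0}
        self.token_docs = {"spam": Counter(), "ham": Counter()}

    def train(self, msg, label):
        self.doc_count[label] += 1
        self.token_docs[label].update(tokenize(msg))

    def token_log_ratio(self, token):
        """log P(token|spam)/P(token|ham) with add-one smoothing."""
        p_spam = (self.token_docs["spam"][token] + 1) / (self.doc_count["spam"] + 2)
        p_ham = (self.token_docs["ham"][token] + 1) / (self.doc_count["ham"] + 2)
        return math.log(p_spam / p_ham)

    def score(self, msg):
        """Sum of per-token log ratios; > 0 leans spam (equal priors assumed)."""
        return sum(self.token_log_ratio(t) for t in tokenize(msg))

    def classify(self, msg):
        return "spam" if self.score(msg) > 0 else "ham"


FRIEND = "friend@example.com"


def build_filter():
    nb = NaiveBayes()
    # Constructed genuine mail: a normal mailer, no executable attachment.
    nb.train({"from": FRIEND, "mailer": "Outlook", "subject": "Lunch on Friday",
              "body": "Are we still meeting for lunch on Friday? Bring the report."}, "ham")
    nb.train({"from": FRIEND, "mailer": "Outlook", "subject": "Re: report",
              "body": "Thanks for the report, looks good. Coffee tomorrow?"}, "ham")
    nb.train({"from": "colleague@example.com", "mailer": "Outlook", "subject": "Meeting moved",
              "body": "Meeting moved to Tuesday, see the agenda below."}, "ham")
    # Constructed SoBig-style mail: spoofed sender, the worm's own SMTP engine
    # (no familiar X-Mailer), a .pif attachment, canned subject and body.
    sobig = {"attach": "details.pif", "body": "Please see the attached file for details."}
    nb.train({"from": FRIEND, "subject": "Wicked screensaver", **sobig}, "spam")
    nb.train({"from": FRIEND, "subject": "Your details", "attach": "your_details.pif",
              "body": "See the attached file for details."}, "spam")
    nb.train({"from": "other@example.org", "subject": "Thank you!", **sobig}, "spam")
    return nb


def demo():
    """Classify a genuine note from the friend and a worm message spoofing them."""
    nb = build_filter()
    genuine = {"from": FRIEND, "mailer": "Outlook", "subject": "Re: report",
               "body": "Can you send the report again? Lunch on Friday?"}
    worm = {"from": FRIEND, "subject": "Wicked screensaver",
            "attach": "movie0045.pif", "body": "Please see the attached file for details."}
    return {
        "genuine": nb.classify(genuine),
        "worm": nb.classify(worm),
        # evidence carried by the spoofed address alone on this corpus
        "from_token_ratio": round(nb.token_log_ratio("from:" + FRIEND), 6),
    }


if __name__ == "__main__":
    print(demo())
```

On this corpus the friend's address appears in two ham and two spam messages, so its log ratio is exactly zero and it neither helps nor hurts; the decision is carried by the mailer header, the .pif attachment and the canned body, which is what the last two replies above describe. Change the corpus so the address is seen only in spam and the ratio goes positive, which is the effect the first comment worried about; whether that ever outweighs the other tokens is an empirical question about the real filter and its training set.
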
My anti-virus kicks in before SpamAssassin. (2, Interesting)

Population (687281) | more than 10 years ago | (#6774638)

At work, the mail is scanned for viruses first, then it is handed off for classification as ham or spam.

Anyone who bothers to send a virus through a spam filter deserves whatever he gets.

effective virus (5, Interesting)

dd (15470) | more than 10 years ago | (#6774583)

They may eventually catch the moron(s) - it isn't clear from this article, since there _really_ isn't much info, except the interesting stolen credit card item.

But one of the lessons to be learned by people with all colours of hats from the sobig.* family is that the interface design of the virus is very effective.

It is subtle, in that the subject lines of the emails are rather muted. It has no other message than to tell people that the info is in the file, and it may appear to come from someone you know (and might trust). In short, it isn't very 'spam-like'. and of course it has a very effective mail engine.

I work in a university setting, and I can tell you that having a PhD will not save you from accidentally opening this virus. Email programs should make it _hard_ to open any file that is executable. How many times does it have to be said? Thanks to the internet gods that my users are on linux, and that the secretariat is staffed by savvy people.

I watched this puppy rise from category 'low' to 'high' in a space of 6 hours on nai.com on tuesday. I am more than a bit surprised that it started at level 'low'; anybody else remember the earlier incarnation when the email appeared to come from 'support@microsoft.com'?

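Making it hard to open executable attachments means checking more than the file name, because a renamed executable keeps its content. The block below is an added example, not code from the thread or from any mail client, of the check a mail gateway or client could run: block by extension (the deny list is an assumption, seeded with the .pif/.scr/.exe names SoBig-era worms used) and by content, since the Windows PE "MZ" magic and the DOS-stub string survive any rename. The sample attachments are constructed, not real worm binaries.

```python
"""Flag attachments that are executable regardless of what they are called.

Added example, not code from the thread or from any mail client. Blocks by
extension (assumed deny list) AND by content, since the Windows PE/MZ header
and its DOS stub string do not change when a file is renamed to .txt or .jpg.
"""
import os

# Assumed deny list of extensions Windows will execute or treat as a program.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def looks_like_pe(data):
    """True if the bytes carry the DOS 'MZ' magic every Windows PE starts with."""
    return data[:2] == b"MZ"


def has_dos_stub(data):
    """True if the standard linker DOS stub message is present (a cheap
    secondary signal; the phrase POPFile keyed on, per the thread)."""
    return b"This program cannot be run in DOS mode" in data


def classify_attachment(filename, data):
    """Return a list of reasons to block; an empty list means 'allow'."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext} is executable")
    if looks_like_pe(data):
        reasons.append("content starts with MZ (Windows executable)")
    if has_dos_stub(data):
        reasons.append("content contains the PE DOS stub")
    return reasons


def constructed_samples():
    """Constructed attachments: a minimal PE-like blob, the same blob renamed,
    a harmless text file, and a script caught by extension only."""
    pe_like = (b"MZ" + b"\x90" * 62 + b"\x80\x00\x00\x00" +
               b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16)
    return {
        "wicked_screensaver.pif": pe_like,
        "your_details.txt": pe_like,            # renamed: extension check misses it
        "agenda.txt": b"Meeting moved to Tuesday\n",
        "setup.bat": b"@echo off\r\ndel /q *.*\r\n",
    }


def scan_all(samples=None):
    """Classify every attachment; returns {name: reasons}."""
    samples = constructed_samples() if samples is None else samples
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan_all().items():
        print(("BLOCK " if reasons else "allow ") + name, "; ".join(reasons))
```

The renamed sample shows why the content check matters: by extension alone your_details.txt is harmless, by content it is the same executable as the .pif. Archives that wrap an executable need the same test applied to each member after extraction.
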
Re:effective virus (1)

IamTheRealMike (537420) | more than 10 years ago | (#6774615)

That's what I don't get. How many people ever put their message in an attachment and say "please see the attachment for details"?

How many people really send mails with subject lines like "wicked screensaver"?

In other words, how can smart people be fooled by such crude social engineering?

Re:effective virus (1)

dd (15470) | more than 10 years ago | (#6774683)

> That's what I don't get. How many people ever put their message in an attachment and say "please see the attachment for details".

Hey, I've seen some pretty bad, lazy email that would fit your description :-}

> How many people really send mails with subject lines like "wicked screensaver".

Good point, but then again, many of the other subject lines were less 'eloquent'.. Imagine what kind of subject lines you would use in their place. Don't forget, to be effective you have to be short, to the point, and probably confuse/convince someone who is NOT a native english speaker that this email should at least be previewed..

> In other words, how can smart people be fooled by such crude social engineering?

Easy, because the message 'appeared' to come from someone they know (and possibly trust). That is the catcher, that is the root of the problem here, at least from what I have observed. Really, in some years of watching this sort of thing happen, I really have to say that this virus was effective.

Re: effective virus (1)

Black Parrot (19622) | more than 10 years ago | (#6774636)


> Email programs should make it _hard_ to open any file that is executable.

The problem is that Microsoft saw fit to implement an EDI [wikipedia.org] system without any of the safeguards required for EDI.

That's why I ultimately blame Microsoft for these things. You simply can't train this kind of problem out of a broad userbase, so you have to account for the human element in your software design.

Who cares about the virus.... (2, Funny)

Dark Lord Seth (584963) | more than 10 years ago | (#6774606)

Which porn site was affected? I need to find out for er... damage control, yeah!

At least one positive thing.... (1)

rakaz (79963) | more than 10 years ago | (#6774610)

Compared to all the 'Thank you!', 'Wicked screensaver' and 'My details' messages I hardly notice the SPAM I get. Since I get a new virus e-mail about every 2 minutes at 100 kb a piece, I only hope I won't go over the monthly 5 Gigabyte transfer limit of my internet connection :-/

What I don't understand is all the 'Disallowed attachment', 'Mail delivery failed' and 'Failure notice' mails I get. Almost every virus spoofs the sender. Why would anti-virus software even bother to try to send a message back?

Question (5, Insightful)

duck 'o death (597155) | more than 10 years ago | (#6774626)

OK, I have a quick question. These worms and virii are hitting a ton of Microsoft vulnerabilities, and that's why they *exist*, but to me it seems like they only succeed because office workers, mom (my mom's comp was hit by Blaster), guy down the street, etc. *don't harden their computers*, or because they can't seem to stop clicking on attachments.

So if this gets worse and worse, and hypothetically more people start running linux or mac or whatever as their desktop OS (which I think could happen in dribs and drabs now -- a shitload of folks I know HATE microsoft right now), what's to stop them from ignoring system security all over again? You have the whole Lindows run-as-root thing still, for example. I know there aren't nearly as many worms and shit written to exploit non-MS OS's, but that doesn't mean folks won't start, and I'd just like to know what would/could happen, and what exploits would then be available, if they do.

I'm tired, and cranky, and I love Linux. But I just don't know if I'd trust my mom to run a secure Mandrake box if she can't even do Windows fucking Update.

Re:Question (0)

Anonymous Coward | more than 10 years ago | (#6774665)

Virii is not a word!!!!! VIRUSES is the correct term you fuckwit.

y'know what I'm wondering... (1, Insightful)

fuckfuck101 (699067) | more than 10 years ago | (#6774677)

Is why any virus writers ever get caught.

Unless they're messing with the virus and accidentally release it (either completely accidentally or just prematurely, whatever) then they simply have to go down to their local library and/or cyber cafe wearing a wig and makeup, stick the floppy in, click, then leave, what's the problem?

Interesting! (0, Interesting)

Cock Cockwood (569693) | more than 10 years ago | (#6774685)

Could that expiration date (Sept. 10) have been chosen out of sheer respect for the incident that happened on September 11, 2001?