
So, Who Wrote Sobig?

Hemos posted more than 9 years ago | from the i'm-SO-BIG dept.

Worms 187

An anonymous reader writes "F-Secure's Virus Blog posted links to a 48-page technical study on who wrote the infamous Sobig worm, which went around the world last year. The study was done by anonymous authors. It concludes that the author of this worm is a Russian programmer and goes all the way to name him. The file has now been posted publicly, but on Geocities and Tripod. So you can have a look for yourself and draw your own conclusions."


187 comments

Mirror! (5, Informative)

Emrikol (21551) | more than 9 years ago | (#10686217)

I'm a whore! Mirror: HERE! [decarbonated.org]

Re:Mirror! (4, Funny)

Meostro (788797) | more than 9 years ago | (#10686318)


I'm a whore with a website: NSFW [wikipedia.org] mirror here [wetsexygirl.com] ...

yes, this is real. NSFW keeps bandwidth down.

Copyright (-1, Troll)

igny (716218) | more than 9 years ago | (#10686780)

Copyright 2003-2004 Authors.

Re:Copyright (2, Informative)

r2q2 (50527) | more than 9 years ago | (#10686832)

In the document and website they allow anyone to copy and distribute it. RTFA before posting

Re:Copyright (0)

Anonymous Coward | more than 9 years ago | (#10686893)

Because this site may be shutdown, you are free to copy this document to other web sites. Please do not modify the contents of this document.

The Sobig Author Is... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10686220)

Andrew Tanenbaum. He's also known for a little discussion [oreilly.com] with someone named Linus Torvalds.

Disturbing (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10686223)

Should it disturb me that the virus icon now seems to resemble a bent-up dildo?

It's not a dildo (probably) or new (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10686280)

It's a worm, well, actually, it appears to be a caterpillar, but it's supposed to be a worm. It's been around for a long time.

"Who Wrote Sobig" by Anonymous (5, Funny)

Anonymous Coward | more than 9 years ago | (#10686226)

Not me.

Re:"Who Wrote Sobig" by Anonymous (4, Funny)

TykeClone (668449) | more than 9 years ago | (#10686356)

Anyone who has kids knows that the first person that says "Not me" is guilty :)

Re:"Who Wrote Sobig" by Anonymous (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10686526)

This is a ofisal fedderall massege.
All you lies are belong to US.

Great Geocities Link (1, Funny)

Anonymous Coward | more than 9 years ago | (#10686232)

What do they have 10MB of transfer a day?

not gmail invites (0, Informative)

Anonymous Coward | more than 9 years ago | (#10686325)

The above links are not gmail invites. Look closely at the real URLs.

yes they are gmail invites (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10686366)

I just clicked one of the URLs and signed up for a gmail account.. are you sure?

NO! (0)

Anonymous Coward | more than 9 years ago | (#10686500)

They are "Hey everybody I'm looking at gay porno" browser hijacks.

Stop trolling (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10686533)

Explain to me how I signed up for a gmail account with one of those links then.

TO ALL MODERATORS: (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10687030)

TO ALL MODERATORS:

The above post is a TROLL, not an OFF-TOPIC comment.

motivation (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10686248)

The odd thing about this was that his motivations weren't fame or the desire to send spam - he was a Linux zealot hell-bent on destroying Windows. This kind of jihadist attitude is becoming far too common in the Linux community.

Re:motivation (3, Insightful)

nil5 (538942) | more than 9 years ago | (#10686307)

Why is it always acceptable--preferable--to refer to anyone with a different belief than ourselves as a ``zealot''? This word is being way overused lately. ``Cease!'' sayeth the style police.

Re:motivation (2, Insightful)

benhocking (724439) | more than 9 years ago | (#10686363)

Why is it always acceptable--preferable--to refer to anyone with a different belief than ourselves as a ``zealot''? This word is being way overused lately. ``Cease!'' sayeth the style police.

I think that releasing a virus to achieve your ends qualifies one as a zealot. In fact, I would guess that the poster of the parent (this post's grandparent) thread is most likely not a Windows fan, so the underlying belief probably is not different, just what is perceived as acceptable means.

Re:motivation (1)

NeoSkandranon (515696) | more than 9 years ago | (#10686491)

Because trying to destroy the opposition to your favorite operating system fairly well qualifies one as a zealot.

It has nothing to do with the differing belief and everything to do with his views of people who hold a differing belief.

Re:motivation (0)

Anonymous Coward | more than 9 years ago | (#10686493)

Ignoring the historical definition, a zealot is simply someone who is fanatically partisan. It is more than saying they have a different belief; it is believing in something so strongly that you are willing to violate the laws of society (and sometimes even the belief itself) to fight opposition to the belief.

Re:motivation (0)

Anonymous Coward | more than 9 years ago | (#10686540)

This post is plagiarized from this original post [slashdot.org] to which this poster actually replied in his last post [slashdot.org] . nil5 is a troll and please don't reward his plagiarizing troll ways.

Re:motivation (0)

Anonymous Coward | more than 9 years ago | (#10686381)

It's the wrong idea. I think for anyone to try and "destroy" a competitor like that is crappy. If linux is to take out windows, why not do it on quality, rather than by trying to be so determined to destroy something...

if they are that dedicated to the open source initiative, shouldn't they spend that time improving linux rather than writing viruses?

It's frustrating, cause it's giving linux people the "zealot" and "computer terrorist" title, which isn't right...

Re:motivation (2, Funny)

Trigun (685027) | more than 9 years ago | (#10686429)

if they are that dedicated to the open source initiative, shouldn't they spend that time improving linux rather than writing viruses?

Or, at the very least, release the source code under the GPL?

Re:motivation (4, Informative)

Anonymous Coward | more than 9 years ago | (#10686393)

This is bs. The word linux did not appear once in the paper. Furthermore, all the other software written by him mentioned in the paper was windows software, mostly used for spamming.

Re:motivation (4, Informative)

Anonymous Coward | more than 9 years ago | (#10686403)

5.4 Motive to Write Sobig

Senders of spam typically relay their email messages through open proxy servers in a continuing effort to obscure the true sending host. With the proliferation of blacklists and other anti-spam systems, spam senders are finding it more and more difficult to locate available open proxy servers. By opening multiple proxy services on millions of compromised systems, a spam sender could very quickly and anonymously relay messages without the fear of being identified. Sobig provides the following two benefits for spam senders:

1. Sobig opens multiple proxy servers on systems that are not blacklisted;
2. Sobig spreads very quickly, infecting and re-infecting millions of systems in under a week.

These benefits provide spam senders with a very large base of open proxy servers. Even though most of the infected systems will be cleaned within a week, there will be some systems that will remain infected to continually provide open proxies for weeks or even months. We believe that Sobig was most likely written to support spam software. Any user or developer of spam mailing software, including Ruslan Ibragimov and Send-Safe, would be financially eager to leverage malware such as Sobig.

Doesn't say anything about linux as far as I can see....

Re:motivation (1, Insightful)

gl4ss (559668) | more than 9 years ago | (#10686474)

MOD PARENT DOWN!!!!!!! MISINFORMATION.

MODS: please, fucking read the article before you go on your modding spree.

linux was not mentioned ONCE in the article. the motivation guessed(and reasoned) was creation of open proxies so the guy could sell more of his spam sending software. so purely financial.

Re:motivation (2, Informative)

Daedala (819156) | more than 9 years ago | (#10686480)

Where did you get that idea? I admit didn't have time to read the entire paper thoroughly -- I just skimmed it -- but I don't see any anti-Windows sentiment discussed. They're pretty clear that they think the motive for SoBig was spam:
5.4 Motive to Writing SoBig
......
We believe that Sobig was most likely written to support spam software. Any user or developer of spam mailing software, including Ruslan Ibragimov and Send-Safe, would be financially eager to leverage malware such as Sobig.
Writing viruses for spam propagation is big business. [oreillynet.com]

Re:motivation (0)

Anonymous Coward | more than 9 years ago | (#10686496)

This kind of jihadist attitude is becoming far too common in the Linux community.

Is it becoming more common, as in a higher ratio? Or is it that the Linux community is growing, and while the ratio of zealots remains constant, there are more of them so more of a chance that one will pull a stunt like this?

I'm no big fan of either Windows or Linux, but I think this attitude that everybody in the Linux community must be a saint is rather defeatist. It certainly plays into the hands of Microsoft who want nothing more than see members of the community take up their call for witch-hunts within Linux. I'd say let go of these incidents and the resulting FUD from MS, and forge ahead with building better products and generating *positive* marketing.

Geocities? Tripod? (5, Funny)

Anonymous Coward | more than 9 years ago | (#10686255)

...now been posted publicly but on Geocities and and Tripod. So you can have a look...

Ummm, you realize that you're telling the entire /. community that they should look at Geocities and Tripod accounts, right? This should last, oh, about 5 seconds.

Kasperski (5, Informative)

mirko (198274) | more than 9 years ago | (#10686281)

A French magazine [acbm.com] named Kasperski, a former KGB agent and now an antivirus publisher.
They said he happened to develop such things and then ask the major AV editors to bid in order to get the virus specs first...
Not sure if it's that accurate but it will sure raise some tin-foil-heads interest...

Re:Kasperski (0)

Anonymous Coward | more than 9 years ago | (#10686689)

remember that Eugene Kasperski != Kris Kasperski

Re:Kasperski (4, Insightful)

gmuslera (3436) | more than 9 years ago | (#10686845)

The old myth that says that the antivirus makers are the ones developing viruses? I have used AVP/KAV [kaspersky.com] for a decade, first on DOS and now on Linux, and it is one of the best (if not THE best) antivirus products available on the market.

I even know someone who programmed a test virus a long time ago and sent it to antivirus publishers to see how well it could be detected, and the response from the community of that time, especially the people from Kaspersky, was very much against that kind of "test", so what you are telling there is very improbable (and that includes most of the other biggest players of 10 years ago too, if the same is said about, e.g., F-Prot or McAfee people).

At least without hard proof (not just speculation or urban myths) I would give that story the same weight as the one about Bill Gates sending big bucks to anyone who continues a chain letter.

Re:Kasperski (1)

drinkypoo (153816) | more than 9 years ago | (#10686902)

If you'd ever used AVP on windows... well, scratch that. If you had lately used AVP on windows, you would not think that it was the best or even one of the best available antivirus programs around. When it came out it was the best NT scanner available but then it went right in the toilet, something about the way it scans impacts system performance more than Symantec AV 9 or Avast!, the only other two virus scanning applications I've compared it against to be honest. Still, one of those is freeware, so AVP can take a hike.

You're right, though, that some actual proof is necessary to make something like this stick.

In case you can't get the article.... (4, Informative)

VC (89143) | more than 9 years ago | (#10686282)

Ruslan Ibragimov of Russia

Re:In case you can't get the article.... (5, Funny)

Anonymous Coward | more than 9 years ago | (#10686568)

Thanks! We didn't need to review any of the "evidence" and discuss their merits and authenticity. We just needed the bastard's name so we can hunt him down and stone him. Let's go folks! It's time to rid the world of this heathen!

His phone and address (0, Troll)

Anonymous Coward | more than 9 years ago | (#10687147)

Who-is info of his domain:
SEND-SAFE.COM

Ibragimov Ruslan
12 Krasnokazarmennaya
111250
Moscow, Russia
+7.957235641
ssdomain@rambler.ru

Anybody willing to ask him whether he actually wrote that ? :-)

Re:In case you can't get the article.... (0)

Anonymous Coward | more than 9 years ago | (#10687583)

You ruined the ending!

article text (1)

100MHzperhour (587160) | more than 9 years ago | (#10686290)

Who Wrote Sobig?

As the one year anniversary of the Anti-Virus Reward Program bounty for Sobig approaches, we felt this was an appropriate time to publicly release the current state of our Sobig forensic investigation. Appropriately, the authors of this document have chosen to release it anonymously for many reasons, some of which are:

By releasing the information publicly, we hope to increase tips to law enforcement concerning the Sobig authorship and spur efforts toward apprehension of the malware author(s);

This document shows how computer forensics can identify virus authors. The computer forensic methods demonstrated throughout this document have been utilized to successfully identify authors of other viruses as well;

Our focus is the objective analysis of Sobig. It is our contention, position, and belief that associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation.

Because this site may be shutdown, you are free to copy this document to other web sites. Please do not modify the contents of this document.

Click on this link to download the document: WhoWroteSobig.pdf [tripod.com]
SIZE: 304386 bytes
MD5: 18de5fee31a553c4695f233a3da558c9
SHA1: e56b1ff66b38016de71cbf1376207f2453aa5c4c

Heh... (5, Funny)

Blue-Footed Boobie (799209) | more than 9 years ago | (#10686300)

Kinda funny how the BSD devil up on the /. bar is looking at the worm...maybe he fears retribution?

Re:Heh... (1)

JTinMSP (136923) | more than 9 years ago | (#10686344)

Perhaps with the security reputation of the *BSD family...it shall slay the Worm instead of fear. He is facing the worm head on with a pitchfork in his hand...

Name (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10686308)

If you can't be arsed reading it, the name is Ruslan Ibragimov.

Who??

If bush is elected.... (0, Offtopic)

Kazrath (822492) | more than 9 years ago | (#10686314)

We can start a war on the Linux Jihad!!!! Seriously though.. The majority of people who write viruses are the same people who like to cause others misery in any way they can. This just allows the smarter, more resourceful ones to actually affect a large mass of people.

Good American Programmers? (2, Interesting)

Wig (778245) | more than 9 years ago | (#10686319)

There never seems to be any good American programmers who write malicious code and viruses like this. Ah well, where's Kevin Mitnick? :-P

Re:Good American Programmers? (2, Interesting)

northcat (827059) | more than 9 years ago | (#10686543)

There are more computer users in the US than many other countries. So, are "hackers" in US sitting back because of fear?

Actually, this cannot be attributed to tougher law enforcement or any other similar reasons. The thing is that there are not that many big Viruses/Worms/Anything-else-you-want-to-call-them around. So the possibility of the virus-writer being from any random country is almost equal. (My English skills aren't so good, so please forgive me if my sentences weren't clear.)

Re:Good American Programmers? (0)

Anonymous Coward | more than 9 years ago | (#10686594)

They're all working in Redmond.

Re:Good American Programmers? (1)

WindBourne (631190) | more than 9 years ago | (#10686859)

more like working at the anti viral/worm/spam companies. They are also the creators of the same.

Re:Good American Programmers? (5, Informative)

SonicBurst (546373) | more than 9 years ago | (#10686598)

I don't know if you read much code, but most virus code is horrible. Quite a bit of it is straight from a point-and-click virus builder, and the stuff that is hand written tends not to work as intended. Of course, I am talking about a virus, so maybe it works just like the author wanted it to for all I know....

Re:Good American Programmers? (2, Funny)

Mercano (826132) | more than 9 years ago | (#10686749)

There never seems to be any good American programmers who write malicious code and viruses like this.

It all got outsourced to Asia.

Re:Good American Programmers? (0)

Anonymous Coward | more than 9 years ago | (#10686821)

Our laws are different and quite a bit more harsh. In addition, all packets within the USA communication network are 100% monitored. No other country has such total monitoring. Think of how fast we catch people that inject viruses/worms, and the fact that we can point to who, what, and where.

Re:Good American Programmers? (1)

r2q2 (50527) | more than 9 years ago | (#10686876)

Most of the time those programmers are doing constructive things. It's only the underpaid programmers that are disgruntled, or that program viruses for profit, who would write the good malicious code.

Re:Good American Programmers? (0)

Anonymous Coward | more than 9 years ago | (#10686952)

It's only the underpaid programmers that are disgruntled, or that program viruses for profit, who would write the good malicious code.

False. Many writers are either bored, or simply do it because it is there. MS makes it simple to do.

Re:Good American Programmers? (1)

AceCaseOR (594637) | more than 9 years ago | (#10687662)

Ahh well, the explanation is simple.

In the US, we had the Hacker Crackdown [mit.edu] of the late 80's and early 90's where law enforcement started taking computer crime a little more seriously. Plus, after Kevin Mitnick was forbidden from accessing a computer for years that would probably be enough to discourage most U.S. hackers.

On the other hand, most of these worm-writers have been writing their viruses and malware in countries that have computer crime laws that are either weak, not enforced, or both. Thus, they can do whatever they want, because they won't get in trouble with their governments.

Now, if we could get the virus-writers in foreign countries extradited to the US based on damage done to systems here, we might see a decrease in the viruses and mal-ware out there.

Of course, switching to operating systems other than Windows helps too.

Re:Good American Programmers? (1)

dprust (316840) | more than 9 years ago | (#10687778)

I'd like to think American hackers have better things to do with their time than write viruses. After all, in a land of opportunity, why not write the next killer app instead?

Hmmn (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10686328)

`A viral Mr Big on us,' so I hear.

you Fail iT. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10686357)

culture of abuse goodbye...she had aa4eared...saying reciprocating bad are just way over Large - keep your raise or lower the Lube. This can lead

doesn't really give me... (1)

bizmark22 (823743) | more than 9 years ago | (#10686399)

the warm and fuzzies.. I clicked the link to the PDF off of the website and my damn Acrobat threw an ugly error and then froze my browser.. lol, hmmm, maybe the Russian figured posting on /. was the only true way to get SOBIG back into circulation...

Am I the only one that has the heeby-jeebies about clicking on this stuff from a GEOCITIES or TRIPOD account??

Viruses for profit (5, Interesting)

Tx (96709) | more than 9 years ago | (#10686414)

Malware written for fun isn't any less damaging, I guess, but when apparently written specifically for a commercial purpose (sending spam in this case) it's certainly more annoying IMHO. At least if this case is anything to go by, there's likely to be more of a forensic trail left by the perpetrators due to the associated commercial activities. I hope this Ibragimov guy gets what's coming to him.

Re:Viruses for profit (5, Interesting)

Daedala (819156) | more than 9 years ago | (#10686701)

Malware for profit is worse.

The problem isn't that professionals are necessarily better than amateurs at a task -- we know this isn't true. But being a professional allows you to work full-time on something. Many people are motivated by financial rewards (and egoboo doesn't put bread on the table, either).

When a lot of money gets involved, organized crime gets involved, and they bring with them the infrastructure for serious misdeeds.

I want my script kiddiez back.

Re:Viruses for profit (1)

gad_zuki! (70830) | more than 9 years ago | (#10687495)

Okay, so he gets some felony conviction. Will this make corporate America stop buying Windows-based systems, and if they don't, then run them without a firewall?

Will people wise up to the fact that allowing binaries in email is just dangerous?

Toss 1 million hackers in prison; a kid with a Visual Basic book and an hour to burn can take down most systems. That's the problem; we're all driving Pintos and complaining about yellow lights being too short. Treating just the symptom gets old fast.

Oh well, I gotta go to my Diebold ATM today. I hope it's not bluescreened again. I hope my Windows-based voting machine works too tomorrow.

The text of sections 1 & 2 of the pdf (5, Informative)

Anonymous Coward | more than 9 years ago | (#10686418)

One site was down before the story went active. The other shouldn't last long. The document is 48 pages; 26 are a hex dump. Here are two pages, sections 1 & 2, the Introduction and Overview. Pardon the messy text; I imported from PDF and fixed it up as best I could quickly.

1 About This Document

August 18, 2003 was a day of infamy in the world of computer software malware. The Sobig virus, as it was affectionately named by the anti-virus industry, infected hundreds of thousands of computers within just a few short hours. W32.Sobig.F@mm was a mass-mailing, network-aware worm that sent itself to all the email addresses it could find, worldwide.

Within two days after Sobig was released, an estimated $50 million in damages were reported in the US alone. China had reported over 30% of email traffic had been infected by Sobig, equivalent to over 20 million users! After interrupting freight operations and grounding Air Canada, Sobig went on to cripple computing operations within even the most advanced technology companies, such as Lockheed Martin. Sobig was so virulent that on November 5, 2003 Microsoft, in coordination with the FBI, Secret Service, and Interpol, set up the Anti-Virus Reward Program.
Backed by $5 million from Microsoft, the program offered a $250,000 bounty for information leading to the arrest and conviction of the Sobig author. As the one year anniversary of the Anti-Virus Reward Program bounty for Sobig approaches, we felt this was an appropriate time to publicly release the current state of our Sobig forensic investigation. Appropriately, the authors of this document have chosen to release it anonymously for many reasons, some of which are:

By releasing the information publicly, we hope to increase tips to law enforcement concerning the Sobig authorship and spur efforts toward apprehension of the malware author(s);

This document shows how computer forensics can identify virus authors. The computer forensic methods demonstrated throughout this document have been utilized to successfully identify authors of other viruses as well;

Our focus is the objective analysis of Sobig. It is our contention, position, and belief that associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation.

The following public PGP key is provided for document validation, with the private key component safely locked away so as to eliminate any future chance of a lost key pair. Any individual or entity that claims authorship should be able to validate their 'authorship' by signing a message with the corresponding PGP private key.

The included PGP public key prevents unscrupulous people from claiming ownership of this document or attempting to collect the Microsoft bounty;

As this document is present on multiple mirrored sites and has been turned over to law enforcement, anyone modifying the PGP public key will be unable to pass a fake key for potential bounty award;

This PGP public key will only be included in this document. Other documents, where malcontents attempt to place our ownership on other findings, should be considered forgeries unless they include a message signed with the PGP private key.

In the event that any individual or entity may be able to identify the authors of this document, we urge you to respect our request for anonymity.

2 Overview

Sobig was a virus specifically designed to aid the anonymity of spammers. Sobig opened up services that enabled spammers to relay their emails anonymously. Although publicly the motivation and author of the Sobig virus are unknown, through the use of forensics and profiling, we have identified a very likely suspect and motive. Our research indicates that Ruslan Ibragimov of Moscow, Russia, and/or Ibragimov's development team, authored the Sobig virus. Ibragimov himself is the author of Send-Safe, a bulk mailing tool product that was explicitly designed for sending unsolicited email (spam). Our investigation will demonstrate:

Advanced knowledge: Ibragimov has demonstrated an advanced knowledge of Sobig outbreaks.
o The releases of Send-Safe coincide with Sobig releases;
o New features in Send-Safe coincide with Sobig features;
o A specific spam group that uses Send-Safe was observed relaying through Sobig-infected systems as much as two weeks before the official outbreak.
_ This same group has been observed using specific versions of Send-Safe prior to public release (using pre-released software);
_ The time that the group was observed using Sobig (prior to public announcement) corresponds with the Internet Storm Center recording an increase in port scans for Sobig-infected systems.

Necessary skills: Based on the attributes and overall functionality of Sobig, the developer would require the following skills:
o Knowledge of Microsoft Visual C++;
o Self-compressing executables;
o Email and spam;
o Proxies.

Ibragimov has demonstrated these skills and knowledge: Send-Safe is a spam tool designed to send email using proxies, written in Microsoft Visual C++, and self-compressed.

Source code access: Sobig and Send-Safe share a common source code base.
o Unique source code creates unique opcodes within the executable code.
_ Both the Sobig and Send-Safe software share large sections of common opcode sequences, implying the same source code;
_ The common source code is used to both generate and send email;
o The email headers are unique to Send-Safe;
o Sobig includes code for an email header that it does not use.
_ This unused code appears in the same order as the Send-Safe executable - and the code is used in Send-Safe;
o Ibragimov has not publicly released the source code to Send-Safe (or any of his other programs, to our knowledge).
_ Send-Safe predates Sobig by a few years, indicating Ibragimov had access to the original code base used to develop Sobig;
o Ibragimov has demonstrated a pattern of reusing source code.
_ Large blocks of opcodes found in Send-Safe appear in other programs created by Ibragimov.

Plausible motive: As Send-Safe provides a list of open proxies to subscribers, there is a clear financial motive for Ibragimov to have created the Sobig worm.
o As Sobig opens additional ports, this provides more open proxies for Send-Safe subscribers.
Based on these items that have been identified, we contend that Ruslan Ibragimov, or Ibragimov's development team, authored Sobig in order to support and extend the Send-Safe customer base.

Re:The text of sections 1 & 2 of the pdf (0)

Anonymous Coward | more than 9 years ago | (#10687404)

Advanced knowledge: Ibragimov has demonstrated an advanced knowledge of Sobig outbreaks.
o The releases of Send-Safe coincide with Sobig releases;
o New features in Send-Safe coincide with Sobig features;
o A specific spam group that uses Send-Safe was observed relaying through Sobig-infected systems as much as two weeks before the official outbreak.
_ This same group has been observed using specific versions of Send-Safe prior to public release (using pre-released software);
_ The time that the group was observed using Sobig (prior to public announcement) corresponds with the Internet Storm Center recording an increase in port scans for Sobig-infected systems.


Ibragimov is so busted.

I hope the FBI is taking note. Not sure if they can get extradition, but they can certainly contain this creep now.

In Related Links ... (2, Funny)

Anonymous Coward | more than 9 years ago | (#10686426)

Best deals: Worms

Coralized mirror (2, Insightful)

Randar the Lava Liza (562063) | more than 9 years ago | (#10686428)

Why aren't all link submissions required to include a mirror? Ah well, here's the Coralized link [nyud.net]

Re:Coralized mirror (1)

Meostro (788797) | more than 9 years ago | (#10686571)


Maybe because some of us can't get to good ol' 8090 anyway?

I can get to exactly 4 external ports:
80/443 - http/s
20/21 - ftp (cmd/dat)

So all the coralized links in the world won't help me. I couldn't even get to an 8080 if there was one, and that's a fairly well-known alternate HTTP port [grc.com] .

Re:Coralized mirror (0)

Anonymous Coward | more than 9 years ago | (#10686691)

I really hate that grc guy, please don't give him more traffic than he deserves.

Re:Coralized mirror (1)

thedillybar (677116) | more than 9 years ago | (#10687767)

>Why aren't all link submissions required to include a mirror?

Ummm, because the Tripod link is still working just fine?

Circumstantial evidence. (3, Interesting)

hex1848 (182881) | more than 9 years ago | (#10686528)

I glanced through most of the points the authors make in this document and most of the evidence (if not all) is circumstantial. Although there are a lot of similarities that could lead you to think that he did it, I don't think comparing the skill sets needed to write the program to his newsgroup/forum posts and similarities in headers warrants an inquisition.

Granted he should probably burn at the stake just for writing SPAM software...

Re:Circumstantial evidence. (1, Insightful)

avandesande (143899) | more than 9 years ago | (#10686970)

the only compelling evidence they mentioned was the identical blocks of code in the binaries, and they didn't really go into detail about their findings.

Re:Circumstantial evidence. (5, Informative)

JASegler (2913) | more than 9 years ago | (#10687163)

If you actually read the PDF you would see that they compared the opcode sequences between sobig and various programs.

The important bit is that when sobig was compared to Atomic Mail Sender (AMS) they didn't find much in the way of opcode sequence matches. What was there was standard glue code that just has to be there.

When they compared sobig to Send-Safe they found big chunks of common code, strings, etc.

And they don't say that Ruslan Ibragimov is the author. They say he and/or his development team.
Assuming he has 4-5 developers working for him it could be one developer who swiped the Send-Safe code and used it to develop sobig. Although I would bet on Ruslan giving the nod on the development of sobig.

This type of analysis is how people find GPL violations. Unless you take a lot of effort to completely rearrange the code it keeps the same signatures, embedded strings, etc.

The analysis appears to be sound. LEA should use Ruslan as a starting point to track down the person(s) responsible for sobig.

But since we are talking about spam tool/virus/worm writers I think the Aliens quote is best..

I say we dust off and nuke the site from orbit. It's the only way to be sure.

-Jerry
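
A toy version of the opcode-sequence comparison JASegler describes, added here as an illustration and not taken from the study or from anyone in the thread: it slides a window over two mnemonic streams, discards windows that also occur in unrelated programs (the "standard glue code that just has to be there"), and reports the longest run the two streams share. Every mnemonic stream below is constructed for the example; none is disassembly of Sobig, Send-Safe or AMS.

```python
from typing import Dict, List, Set, Tuple

NGram = Tuple[str, ...]

def ngrams(ops: List[str], n: int) -> Set[NGram]:
    """Every contiguous window of n mnemonics in a disassembled stream."""
    return {tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)}

def glue_ngrams(baselines: List[List[str]], n: int) -> Set[NGram]:
    """Windows seen in unrelated programs (compiler prologues, epilogues, call
    glue). A match that also appears here says nothing about shared authorship."""
    glue: Set[NGram] = set()
    for ops in baselines:
        glue |= ngrams(ops, n)
    return glue

def shared_ngrams(a: List[str], b: List[str], n: int, glue: Set[NGram]) -> Set[NGram]:
    """Opcode windows common to a and b that are not generic glue."""
    return (ngrams(a, n) & ngrams(b, n)) - glue

def longest_common_run(a: List[str], b: List[str]) -> List[str]:
    """Longest contiguous mnemonic run present in both streams (DP, O(len(a)*len(b)))."""
    best_len = best_end = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

# Constructed mnemonic streams for illustration; not disassembly of any real binary.
PROLOGUE, EPILOGUE = ["push", "mov", "sub"], ["mov", "pop", "ret"]
SHARED_ROUTINE = "lea push call add mov xor shl or stosb loop".split()
WORM = PROLOGUE + SHARED_ROUTINE + ["lea", "push", "call"] + EPILOGUE
SPAMTOOL = PROLOGUE + ["mov", "call"] + SHARED_ROUTINE + ["cmp", "jne"] + EPILOGUE
MAILER = PROLOGUE + ["call", "test", "jz", "lea", "push", "call"] + EPILOGUE
UNRELATED = [PROLOGUE + "call test jz xor lea push call".split() + EPILOGUE,
             PROLOGUE + "mov call cmp jne".split() + EPILOGUE]
GLUE = glue_ngrams(UNRELATED, 4)

def report(a: List[str], b: List[str], n: int = 4) -> Dict[str, int]:
    """Raw overlap, overlap after glue filtering, and the longest shared run."""
    raw = ngrams(a, n) & ngrams(b, n)
    return {"raw": len(raw), "filtered": len(raw - GLUE),
            "longest_run": len(longest_common_run(a, b))}
```

`report(WORM, MAILER)` shows why the glue filter matters: the three windows the two share are all prologue/epilogue material and drop to zero, while the worm/spamtool pair keeps all seven windows and a ten-opcode common run.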

Re:Circumstantial evidence. (1)

hkb (777908) | more than 9 years ago | (#10687179)

Perhaps you missed the sections about large sequences of opcodes in SoBig matching opcode sequences in Send-Safe. That's pretty damning evidence.

Re:Circumstantial evidence. (4, Insightful)

analog_line (465182) | more than 9 years ago | (#10687249)

Well, you obviously didn't glance through all of the points, as you neglect to mention the opcode similarities, the timeline of significant releases of both pieces of software, and the activities of groups known to use Send Safe and SoBig.

Not to mention the exhaustive opcode comparison diagram at the end of the document.

Circumstantial evidence, it may be, but that doesn't mean it's not valid. And what is forensics aside from a circumstantial investigation? Getting as many facts as you are able to directly observe in order to come to a logical conclusion about a question you can't directly observe the solution to.

Who modded the parent +4 Interesting? (0)

Anonymous Coward | more than 9 years ago | (#10687434)

More like +1, Trivial Question.

**RTFA, BITCH!**

Can't convict. Doesn't mean OJ is not a killer... (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10687450)

Hopefully when you "glanced through" the article you also read that there is evidence that Sobig and Send-Safe (spam software that Ruslan sells) share source code. By comparing the opcodes of the two executables, they find many long sequences that match.

Also, don't forget to mention that the article reveals a version of Send Safe was exploiting infected Sobig machines before news of Sobig was ever announced.

So you see, it's not just about the skill set needed, Ruslan's forum posts, or the header similarities. It's the combination of those things AND the matching code signatures, the demonstrated foreknowledge, and the profit motive. Ruslan makes money selling spam software and, lo and behold, there is evidence that his Send Safe program uses some common code and that Send Safe exploits infected Sobig machines and was doing so before any of us had heard of Sobig.

So you can call it circumstantial and that is fine. But don't leave out many of the key points made by the authors.

Avast, slashbots! (5, Interesting)

naitro (680425) | more than 9 years ago | (#10686536)

Let's all go visit [send-safe.com] the guy. Even if he didn't write Sobig, he's still developing software for spammers.

Re:Avast, slashbots! (1)

kevincal (605542) | more than 9 years ago | (#10686817)

click click click if he was smart he would get some nice referral $$ from all these click visits... not a good marketer is he..

Re:Avast, slashbots! (1)

mixmasterjake (745969) | more than 9 years ago | (#10687685)

The email subjects and message text in the screenshots are classic. Ah, how many of those have I filtered out?

With all apologies to Barry Manilow (1)

Anita Coney (648748) | more than 9 years ago | (#10686577)

I wrote the virus which made the whole world cringe.
I wrote the virus which screwed up things
I wrote the virus that made system administrators cry
I wrote the virus, I wrote the virus

The reports seems biased (0)

killmister (686470) | more than 9 years ago | (#10686614)

The report seems biased. It has a lot of statements like "Mr. Ibragimov has demonstrated such skills" or "Ibragimov has been posting to newsgroups since at least 1998". So f...g what? Who can assure me that demonstration of IT skills means I am a virus writer? And for Christ's sake - I have posted to newsgroups since 1996. Does that prove my relationship with virus writers/writings?

Re:The reports seems biased (4, Funny)

JudgeFurious (455868) | more than 9 years ago | (#10686988)

You have IT skills and have posted to newsgroups since 1996?

We'd like to arrange a meeting with you to discuss some "things"...

- Sincerely, The Dept. of Homeland Security.

Of course it's biased. They are making a case (1)

Pizaz (594643) | more than 9 years ago | (#10687763)

Of course it is biased. They are making their case that Ruslan is the author. They present evidence to that effect.

Seems to me that your problem is you read the Slashdot topic and description and then fault the original article for not living up to your expectation. The article IS biased because it makes a case against Ruslan. The lame ass slashdot topic & description don't quite relay that fact.

As for evidence in the article which you neglected to cite, they show that

1) his other software Send Safe shares common opcodes in the executable, which is highly indicative of common source code.

2) he demonstrated foreknowledge of the virus's existence because Send Safe was exploiting infected machines before the Sobig virus was ever announced.

3) he has a motive -> PROFIT!!

Interesting approaches (1)

a_hofmann (253827) | more than 9 years ago | (#10686793)

The anonymous authors have done really interesting technical forensics.

The executable comparison charts between Send-Safe and Sobig-F in the appendix show a large correlation in both binaries. A different code base seems to be a pretty unrealistic thing there.

If the given facts hold true, I bet that Ruslan Ibragimov will not sleep very well for a while.

Do we ever really hear about good viruses? (2, Insightful)

NotQuiteReal (608241) | more than 9 years ago | (#10687115)

Script kiddies using virus writing kits and punks putting graffiti on stop signs are at about the same level.

What do you think of the notion that there are at least several really successful viruses that we never hear about, because they are more useful to the writer if they are not obviously annoying?

Are all these zombie machines we hear about for rent to spammers infected with viruses that would be caught by common virus scanners, or are they truly different?

I'm waiting (5, Funny)

hchaos (683337) | more than 9 years ago | (#10687251)

I'm waiting for the study on who wrote the technical study on who wrote the infamous Sobig worm.

Reasons for going public now... (3, Insightful)

Shambhu (198415) | more than 9 years ago | (#10687258)

Leaving aside the validity of their arguments for the time being (though I found them persuasive), I was wondering why exactly they felt the need to release this now. I think there are a few clues in the document:

"Sobig was so virulent that on November 5, 2003 Microsoft, in coordination with the FBI, Secret Service, and Interpol, set up the Anti-Virus Reward Program. Backed by $5 million from Microsoft, the program offered a $250,000 bounty for information leading to the arrest and conviction of the Sobig author."


And they add in a footnote to that sentence:

"Ironically, our investigation into the identification of the likely Sobig author(s) and corresponding findings had already been concluded and passed on to law enforcement over two months prior to the Microsoft bounty offer. The bounty was not our incentive."


So they say they had submitted their research prior to Nov. 5, '03. Why go public now? Though they don't say it, I can't help but think that it was frustration. Their own explanations for why they are going public seem thin to me.

fairly convincing (3, Interesting)

mixmasterjake (745969) | more than 9 years ago | (#10687803)

The argument concerning that he "had the skills necessary" to create the virus isn't really that convincing to me.

The comparable code-base (unusual string concatenations that appear in both the virus and his commercial software) I suppose I *could* also overlook that because I know that a lot of developers copy code snippets from support pages and such. Especially for such generic functions as sending email.

But, then throw in the fact that send-safe and the Sobig virus have very consistent release schedules. That is a little suspicious.

Not only that, but, if you remember when SoBig first came out - it was quite a long time after before people started to realize that it was creating spam proxies. send-safe was using those proxies even before the massive outbreak. Now that is kinda weird.

So, when you add up all of those things, it seems convincing to me. Is it enough to raid his office computers?