
Russian Denies Writing SoBig Worm

timothy posted more than 9 years ago | from the nyet-nyet-nyet dept.

Worms 67

IphtashuPhitz writes "The Russian spamware programmer anonymously accused earlier this week of writing the Sobig worm has responded to the accusations. Ruslan Ibragimov of Send-Safe doesn't deny that his program uses proxies to hide spammers' identities. But he totally refutes the report's technical analysis in an online interview over at OReilly Network."


1st Post!!! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10712679)

First Post!

Draw and quarter him anyway! (-1, Flamebait)

d_jedi (773213) | more than 9 years ago | (#10712713)

Even if he didn't write Sobig, he's a spammer, and a scumbag.. and that's justification enough to hit him over the head with a big (think Acme-sized) mallet in my book.

Re:Draw and quarter him anyway! (0, Troll)

d_jedi (773213) | more than 9 years ago | (#10715332)

Zig heil! The censors (err.. "moderators") are out today!

Explain how this post is flamebait? C'mon.. I dare ya.

Obvious (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10712750)

In mother russia, worm writes people.

I don't buy it (4, Interesting)

Commander Trollco (791924) | more than 9 years ago | (#10712772)

The bit about headers is believable. But the opcode similarities are harder to defend - anyone know more about this and care to comment? He clearly has a motive, and should be lynched regardless of whether he actually wrote sobig.

Re:I don't buy it (3, Funny)

Anonymous Coward | more than 9 years ago | (#10713258)

"He clearly has a motive, and should be lynched regardless of whether he actually wrote sobig."

Man, the Bush ideology spreads so fast?

Re:I don't buy it (0)

Anonymous Coward | more than 9 years ago | (#10717635)

STFU, the election is over already.

Re:I don't buy it (1)

oberondarksoul (723118) | more than 9 years ago | (#10714050)

When merely having a motive justifies punishment, I hang my head and wonder just where the world's headed...

Y.F.I. (0)

Anonymous Coward | more than 9 years ago | (#10715976)

Your reading comprehension fails it big. Why don't you take a look at that sentence again before giving an ignorant response. People writing things like that make me hang my head and wonder where the world is headed.

Karma be damned... (1)

oberondarksoul (723118) | more than 9 years ago | (#10718435)

"He clearly has a motive, and should be lynched regardless of whether he actually wrote sobig."

What have I failed to comprehend? Suggesting lynching someone for having a motive, whether they actually did the deed or not, scares me.

Re:Karma be damned... (0)

Anonymous Coward | more than 9 years ago | (#10719224)

Get a clue... the guy is a known spam tool developer. RTFA

Re:I don't buy it (2, Informative)

Anonymous Coward | more than 9 years ago | (#10718941)

There are legitimate ways to compare executables (as opposed to the method used by the authors of "Who Wrote SoBig?").

0) All of these ideas involve disassembly. IDA Pro (http://www.datarescue.com/idabase) is the best disassembler on the market; all ideas below are implemented as extensions to it. Nothing even comes close to its sheer strength, except perhaps the underdeveloped, alpha knockoff Lida (http://lida.sourceforge.net/).

1) FLIRT signatures (http://www.datarescue.com/idabase/flirt.htm) work surprisingly well for the detection of statically-linked libraries (assuming the library itself hasn't been recompiled). It is basically binary-based but there are important measures for dealing with code that can/will change between different binaries.

A plugin called IDB2PAT (http://www.sport-und-event.de/backtrace.de/plugins/idb_2_pat.zip) for IDA can take an executable and produce FLIRT signatures for all functions in it, which can be applied against any other executable for comparison. I find this very handy for malware versioning analysis.

2) Instruction Semantic-Based Binary Comparison (http://www.razorteam.com/publish/papers/comparing-binaries.html). The paper calls itself "Comparing binaries with graph isomorphisms" but this is a misnomer because there is nothing graph-based about the comparison; only the visualization has any bearing on graph theory. This technique attempts to match the assembly instructions almost exactly (not necessarily a byte-for-byte direct comparison). No public implementation is available for this method.

The problem with the two methods above and the reason that byte-for-byte comparison won't work in general is that compilers regularly re-arrange code or change register allocation, especially in the case an optimization is applied differently between builds. Two successive builds might look completely different on the binary level. Microsoft's internal compilers are especially notorious for this.

Enter 3) BinDiff (http://www.sabre-security.com/products/bindiff.html) by Halvar Flake. BinDiff is the most promising idea of the three (though designed for a different purpose than 1)). By using structural and graph-theoretic properties of executables (e.g. the call-tree) and the functions within them, BinDiff is able to compare executables without looking at the instructions themselves (except for properties that can be deduced in a CPU-independent fashion by IDA). That means that BinDiff can potentially diff binaries for different platforms, meaning the binaries could be using a different executable file format and a different assembly language. Obviously, the two binaries described would be remarkably different.

The conception of 2) & 3) was motivated by the idea of diffing security patches (which they do with various degrees of efficiency). 1) is arguably at the core of IDA's power.

P.S. the "Who Wrote SoBig?" authors are completely full of shit. From the paper:

"AMS [a *completely unrelated* email client] and Sobig contain common high-level functionality, as both programs generate and send email. Although there are many ways to create this functionality in source code, it is extremely unlikely that two people working independently would generate similar opcode sequences for this type of functionality. From the results of our comparisons, the first 1K of memory indicated that they are very similar types of executables."

No shit, that's because the first 1k of the executable is usually the PE header. "Very similar types of executables"? What does that mean, anyway? The whole report is anonymous, unfounded slander.
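The P.S. above argues that the first 1K of a PE file is mostly header, so "similar first 1K" says nothing about the code. The following Python is an added example (mine, not from the poster or from the "Who Wrote SoBig?" report): it builds two constructed toy PE32 images whose code sections are unrelated, reads SizeOfHeaders and the .text section table entry from each, and contrasts a naive byte comparison of the first 1024 bytes with a comparison of the actual code bytes. The image builder, the sample code bytes and the similarity metric are assumptions made for the demonstration; only the PE field offsets are real, and the header parser works on any PE32 or PE32+ file since both keep SizeOfHeaders at the same offset.

```python
import struct

# Constructed toy images for this demonstration, not samples of either program.
# Real constants: e_lfanew lives at 0x3C, SizeOfHeaders at optional-header offset 60.
SIZE_OF_HEADERS = 0x400   # the constructed images reserve 1 KiB for headers
E_LFANEW = 0x80           # where the "PE\0\0" signature is placed


def build_pe(code: bytes) -> bytes:
    """Build a minimal PE32 image with a single .text section holding `code`."""
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", E_LFANEW)
    dos = dos.ljust(E_LFANEW, b"\x00")
    # COFF file header: i386, one section, optional header 0xE0 bytes, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    raw_size = (len(code) + 0x1FF) & ~0x1FF          # round up to FileAlignment (0x200)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIII", 0x400000, 0x1000, 0x200,
                       4, 0, 0, 0, 4, 0, 0, 0x2000, SIZE_OF_HEADERS, 0)
    opt += struct.pack("<HHIIIIII", 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt = opt.ljust(0xE0, b"\x00")                     # 16 empty data directories
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                          SIZE_OF_HEADERS, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + opt + section).ljust(SIZE_OF_HEADERS, b"\x00")
    return headers + code.ljust(raw_size, b"\x00")


def parse_headers(image: bytes) -> dict:
    """Read the fields that say where headers end and code begins."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff_off)
    opt_off = coff_off + 20
    size_of_headers = struct.unpack_from("<I", image, opt_off + 60)[0]
    sections = []
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt_off + opt_size + 40 * i)
        # VirtualSize is the real code length; SizeOfRawData includes alignment padding.
        sections.append({"name": name.rstrip(b"\x00").decode(),
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "size": vsize})
    return {"size_of_headers": size_of_headers, "sections": sections}


def byte_similarity(a: bytes, b: bytes) -> float:
    """Fraction of positions at which two equally-long prefixes carry the same byte."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a[:n], b[:n])) / n if n else 0.0


def compare_first_kb_vs_code(img_a: bytes, img_b: bytes) -> dict:
    """Contrast a naive 'first 1K' comparison with a comparison of the code sections."""
    ha, hb = parse_headers(img_a), parse_headers(img_b)
    sa, sb = ha["sections"][0], hb["sections"][0]
    code_a = img_a[sa["raw_ptr"]:sa["raw_ptr"] + sa["size"]]
    code_b = img_b[sb["raw_ptr"]:sb["raw_ptr"] + sb["size"]]
    return {
        # True when no code byte at all falls inside the first 1024 bytes of either file
        "first_kb_is_all_header": 1024 <= min(ha["size_of_headers"], hb["size_of_headers"]),
        "first_kb_similarity": byte_similarity(img_a[:1024], img_b[:1024]),
        "code_similarity": byte_similarity(code_a, code_b),
    }


# Constructed "programs": same 3-byte prologue (push ebp; mov ebp, esp), then
# unrelated byte streams. Neither is real code from either program.
CODE_A = b"\x55\x89\xe5" + bytes((i * 37) & 0xFF for i in range(61))
CODE_B = b"\x55\x89\xe5" + bytes((i * 91 + 7) & 0xFF for i in range(61))
IMAGE_A = build_pe(CODE_A)
IMAGE_B = build_pe(CODE_B)

if __name__ == "__main__":
    print(compare_first_kb_vs_code(IMAGE_A, IMAGE_B))
```

With identical linker-style headers the first 1024 bytes match 100% while the code sections agree on only the 3-byte prologue, which is the point of the P.S.: a comparison has to start at the section table's PointerToRawData, and even then it needs the disassembly-based methods listed above rather than raw bytes.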

After all this.. (5, Funny)

jjeffrey (558890) | more than 9 years ago | (#10712773)

..I bet he doesn't feel SoBig now.

Re:After all this.. (4, Funny)

iamlucky13 (795185) | more than 9 years ago | (#10713001)

That's alright. He can sell himself some Viagra.

As long as we're on the topic of spam and such, I think slashdot has slashdotted itself. The "bush wins" thread is averaging at least a post every 3 seconds, who knows how many hits, and the server is crawling.

Re:After all this.. (2, Interesting)

jjeffrey (558890) | more than 9 years ago | (#10713100)

The comment handling in SlashCode has always been a lot heavier to handle than the news pages. I think there is probably a lot more processing involved. I wonder how well optimised the SQL queries are and what the backend technology is - is it still MySQL? - UPDATEs and INSERTs are often going to be slower than SELECTs, but it may be worse if they are using MySQL in replicated mode with one master server to send all the updates to and a few slaves to do selects from. Though I guess that's unlikely with the load they get. Do they use MySQL Cluster?

Re:After all this.. (1)

fbjon (692006) | more than 9 years ago | (#10713450)

..And speaking of that, has anyone else noticed the ugly worm crawling towards the US flag on the main page? Ominous sign?

Remember the rules (4, Insightful)

Underholdning (758194) | more than 9 years ago | (#10712787)

Rule #1:
Spammers lie!

Re:Remember the rules (0)

Anonymous Coward | more than 9 years ago | (#10713922)

Repeat as Needed

Re:Remember the rules (3, Funny)

Anonymous Coward | more than 9 years ago | (#10713923)

Rule #2: If a spammer seems to be telling the truth, see rule #1.

Re:Remember the rules (1)

eibon (825176) | more than 9 years ago | (#10716336)

Rule #1: Spammers lie!
Not true. My lady is now pleased, my mother's medication needs are taken care of and people think I have three legs.

What a stand-up guy... (5, Funny)

sczimme (603413) | more than 9 years ago | (#10712822)

The report noted, for example, a strong similarity in the email headers created by Send-Safe and SoBig. But Ibragimov said Send-Safe chose the particular order of headers merely to mimic Outlook Express and to better evade spam filters.

Somehow I think Ibragimov's righteous indignation over the accusation is a teensy bit misplaced...

WTF? (4, Insightful)

Otter (3800) | more than 9 years ago | (#10712836)

Not that I'm shedding any tears for this guy but does "Anonymous person accuses other person by name on the basis of sketchy circumstantial evidence!" really merit this degree of publicity?

Re:WTF? (2, Insightful)

gl4ss (559668) | more than 9 years ago | (#10713195)


I found the biggest piece of evidence to be the opcode similarities. which he doesn't comment on at all, conveniently.

but would he ADMIT IT? with 250 000$ reward on his head? of course not. but I'd rather have had him refute it totally, by reasoning and not just claiming that it's bullshit (when he even admits himself that he's full of bullshit and into selling software for harassing people who try to _not_ get harassed).

Re:WTF? (2)

hkb (777908) | more than 9 years ago | (#10713501)

Not that I'm shedding any tears for this guy but does "Anonymous person accuses other person by name on the basis of sketchy circumstantial evidence!" really merit this degree of publicity?

When said anonymous person's report lists some pretty damning evidence, such as header and code comparisons and analysis, ermm yes.

Re:WTF? (-1)

Anonymous Coward | more than 9 years ago | (#10713785)

No it doesn't, because this guy is innocent. It was me who wrote the virus; I named it after my cock.

Proxie Shortage (4, Interesting)

Rob Carr (780861) | more than 9 years ago | (#10712866)

From the article:
"Trojans killed my business," he said, noting that many of his customers have recently migrated to "cracked" (pirated) versions of spamware programs such as Dark Mailer, for which they purchase lists of Trojaned proxies from hackers. .... Comments on Send-Safe's discussion forum appear to confirm that the company has had trouble providing users with sufficient proxies for sending spam.
There's irony in this guy's complaint, and (assuming he didn't write SoBig) at least a little justice. "My heart bleeds for the Snicker-Snack Company" - Linus (the character from "Peanuts," not the software guy)

Well, well, well, (2, Interesting)

cavac (640390) | more than 9 years ago | (#10712960)

so he doesn't write viruses, just unwanted bulk mail. Makes me much more comfortable. not.

Re:Well, well, well, (0)

mitchus (797970) | more than 9 years ago | (#10713908)

Ah, but it should. Whereas virii are malicious, unwanted bulk mail (while unwanted) still constitutes only communication, arguably protected by free speech.

Re:Well, well, well, (1)

waynelorentz (662271) | more than 9 years ago | (#10716489)

Commercial speech != free speech.

Re:Well, well, well, (1)

mitchus (797970) | more than 9 years ago | (#10716725)

Where do you read commercial? I said u-n-w-a-n-t-e-d. The fact is that spammers use it to commercial ends. The bulk mail tool in itself can also be used to communicate important information without commercial purpose. Suppose alternate means are cut off, news is censored and so on. Then you'll be glad this wacky Russian has a version handy to bypass all obfuscation.

For sure he denies. (4, Informative)

a_hofmann (253827) | more than 9 years ago | (#10712973)

If you read the original report [tripod.com] you can see hard facts against Ruslan Ibragimov.

The binary comparison in the report shows evidence for a correlation between Send-Safe and Sobig-F which could be proved if Ibragimov were forced to open the Send-Safe source.

Hmm... (5, Funny)

northcat (827059) | more than 9 years ago | (#10713014)

Maybe he wrote the "Who wrote the SoBig?" report himself to popularize his "Send-Safe" software... You never know...

TOTALLY REFUTES??? !!! (2, Insightful)

Ancient_Hacker (751168) | more than 9 years ago | (#10713015)

I'd reserve the phrase "totally refutes" for occasions where.... this actually happens. What I saw of the "refutation" was a few bits of unconvincing excuses and loose logic. The similarity in headers and the number and length of exact code matches is compelling and probably irrefutable evidence.


schodackwm (662337) | more than 9 years ago | (#10714265)

Ancient Hacker is absolutely Right re refutation; ++!.

refutes != rebuts.

If you don't know the difference, do what the story did: use "denies."

Surprise! (5, Funny)

Se7enLC (714730) | more than 9 years ago | (#10713026)

Wow, this is surprising! I was expecting "Russian accused of writing SoBig worm admits to it, despite the flagrant lack of evidence to actually convict him of anything."

Does it matter? (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10713038)

Who cares whether he wrote SoBig or not? Either way, he's a spammer, and worse, a software developer who actively enables, supports and promotes spam. He'd be a perfect test case if someone were to develop a SpammerAssassin utility :)

"Totally refutes"??? (3, Interesting)

Zocalo (252965) | more than 9 years ago | (#10713063)

Well let's see. Ibragimov makes a few claims such as "it's bullshit!", "it's a coincidence!" and gives a very brief outline of how SendSafe works, revealing nothing not in the report. He also claims he's not been spoken to by any law enforcement agency regarding the matter, which is possibly true. Hardly a point by point rebuttal is it, and never mind the maxim "spammers lie" which means everything he says will be taken with a huge pinch of salt.

The only interesting comment I found is that his company is currently having difficulties due to trojans, something that the SendSafe forums seem to confirm. That seems quite probable, but it hardly helps his case - why, exactly, would trojans be causing his SendSafe business any problems? Unless, of course, it might be something to do with other trojans that he didn't write such as NetSky/Sasser preventing SoBig getting as many hosts as it used to? Given that there was a spat between the various trojan authors, complete with a possible Russian connection, just before Sven Jaschen was arrested that at least seems entirely plausible to me.

Re:"Totally refutes"??? (1)

js3 (319268) | more than 9 years ago | (#10718971)

well what if it's a coincidence or bullshit? If someone accused you and it was wouldn't you say it was coincidence or bullshit?

Denied (3, Funny)

Anonymous Coward | more than 9 years ago | (#10713686)

"Only the true Messiah denies his divinity!"

Innocent until proven guilty (0)

gone.fishing (213219) | more than 9 years ago | (#10713757)

He is innocent until proven guilty, just like Scott Peterson and O.J. Simpson.

Re:Innocent until proven guilty (1, Insightful)

fireboy1919 (257783) | more than 9 years ago | (#10714832)

But murderers are only people who killed someone. Spammers are like lawyers: they're not actually people. And the subspecies who writes stuff for them aren't even spammers.

Questions of "innocence" and "guilt" do not apply to these species; they don't have a concept for these things.

Hopefully, one day, we will find a way to teach such things to these strange, primitive beings so that they can live beside humans in our struggle against the species that dominates this planet and threatens to wipe us out: politicians.

Re:Innocent until proven guilty (1)

gone.fishing (213219) | more than 9 years ago | (#10716051)

I wish I could mod you up. Someone actually modded you as off topic and my parent post was modded overrated.

Sheesh, some people, no sense of understanding or humor. Apparently politicians mod on Slashdot. Who woulda thunk it?

no need to RTFM.. (1)

BitwiseX (300405) | more than 9 years ago | (#10713809)

His response: "It's bullshit." Well what is he gonna do?! Admit it and get $250,000 bail money? ;)

Ruslan Ibragimov? (0)

Anonymous Coward | more than 9 years ago | (#10714211)

`A viral Mr Big on us,' so I hear.

Kerry Concedes Election To Bush (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10714326)

'So it is over, and without a lot of extra fuss ..'

01. Do nothing after repeated warnings about attacks on major US sites using passenger jets. (except Ashcroft took to flying private).

02. Be so influenced by the Israeli lobby as to allow the Palestinian situation to escalate out of all control. The backlash against this being one of the prime motivators of the 9/11 and other terrorists.

03. Allow al-Qaeda/the freedom fighters formerly known as the Mujahideen to take root in Afghanistan. This group having been formed out of the remnants of groups created and financed by Bin Laden at the behest of the CIA.

04. In the immediate aftermath of the 9/11 attack allow Bin Laden's family to *fly* out of the US unquestioned.

05. Holding back US troops to allow Bin Laden to escape from his holdout on the Pakistan border. If captured he might have some embarrassing facts to disclose.

06. Take a middle eastern dictatorship (Iraq) and overthrow its ruler. In the process disbanded its highly trained army and allow them to escape with most of their weapons intact. The remnants of which later joined forces with radical Islamic fundamentalists forming the bulk of the current guerrilla army. Making large parts of Iraq no-go areas for US troops. Almost a year after the so called 'ceasefire'.

07. Incidentally whilst Hussein was in power and still an asset of the CIA it was his job to suppress the 'fundamentalists'. And after the first Gulf war he was totally suppressed and *no* external threat to anyone. He still could stifle the fundamentalists. So removing him has actually created a state that supports terrorism.

08. Arbitrarily dismiss and ignore the views of the USA's own allies to such an extent that *no* country apart from the UK went into Iraq with it. Chiefly because Tony Blair had no choice. The rest he bribed with contracts or getting their application to join the EU speeded up.

09. In the process Bush did something the Warsaw Pact could never achieve throughout WWII, the Cold war, the Cuban missile crisis and the breakup of the Soviet Union. He split NATO in two. He couldn't have done better if he was Putin's foreign minister.

10. Provoked North Korea and Iran into going Nuclear. Something they had no incentive in doing until his famous axis of evil speech.

11. Reintroduced a new nuclear arms race with his bunker-busting bombs and a re-launched Star Wars. A plan to put nuclear weapons into space.

Lastly he's refused to sign the Kyoto agreement. Signed over large tracts of Alaska to the oil companies, rescinded environmental legislation and criminalised environmental and political activists.

Not bad for a first four years ...

The evidence... (4, Insightful)

JohnGrahamCumming (684871) | more than 9 years ago | (#10714938)

If you read the long boring document that fingers this Russian guy you'll see the following "evidence":

1. Send-Safe and SoBig had same release dates. Where the margin on same is up to 10 days, and there are strange inaccuracies, for example the document states that on 5/23/2003 there was a SoBig release compiled on June 24, 2003. Other evidence hinges on the actions of SSSG without considering the possibilities that they were using a hacked version of Send-Safe.

2. Document contains unfounded statements like "As SSSG appears to be a sizable organization, it would seem unlikely that any individual within the group would actually know the Sobig author(s)."

3. The skills section is particularly funny since it lists skills like "Newsgroups" and states that the Russian has been posting on Newsgroups since 1998. Woo hoo!

4. The use of %s section made me want to LOL. The authors see significance in the fact that neither piece of software uses %s to concatenate strings,
sprintf( together, "%s%s", s1, s2 );
would be unusual for any C programmer, yet
sprintf( command, "RCPT TO:<%s>", rcpt );
looks like something any C programmer would do.

5. The note on string ordering with an example of SoBig vs Send Safe appears to me to show the opposite of what the authors intended. The two blocks look very different.

6. A large part of the document is dedicated to showing how the two executables are "similar" at the opcode level. There is no actual evidence here, e.g. how about a disassembly of two identical blocks of code? The comparison is interesting, but doesn't tell us much without being able to see the actual code.

Overall I thought the PDF file was poorly written, lacking in rigor and provided no real evidence for the naming of this individual.

Yes, he helps people spam, and that's very, very annoying, but "innocent until proven guilty" people? Or at least "innocent until you actually show some convincing evidence".


Re:The evidence... (1)

Aheinz1 (532062) | more than 9 years ago | (#10715170)

"4. The use of %s section made me want to LOL. The authors see significance in the fact that neither piece of software uses %s to concatenate strings,
sprintf( together, "%s%s", s1, s2 );
would be unusual for any C programmer, yet
sprintf( command, "RCPT TO:<%s>", rcpt );
looks like something any C programmer would do."

If I recall correctly, the paper was not pointing out that %s was/was not used, but rather that it was used/not used in similar places in both code bases. That is, in a place where SoBig used it, it was also used in Send-Safe, and where SoBig used another method, so did Send-Safe.

In Soviet Russia... (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10715150)

...virus writers write YOU!

Well of COURSE he didn't write it. (2, Funny)

MadFarmAnimalz (460972) | more than 9 years ago | (#10716066)

This is RUSSIA, you morons.

IT wrote HIM.

Get your facts straight.

Re:Well of COURSE he didn't write it. (0)

Anonymous Coward | more than 9 years ago | (#10717291)

but, the real question is did he write it in soviet Russia, or just normal Russia...

Hasn't anyone else caught this obvious lie? (2, Interesting)

Anonymous Coward | more than 9 years ago | (#10716294)

The bit where he talks about headers is completely stupid and it shows that even on the interview he is lying. If you read the report, they say that Send-safe and sobig's headers are in the same order, which is different from outlook. So, he's lying.

Here's the quote from the "Who wrote sobig" article:
"Although these subtle differences suggest separate source code, the similarities suggest that Send-Safe was the template, and not other mailing programs such as Outlook, Netscape, The Bat!, or AMS.

As these other independent email tools generate their headers with very different ordering, it would seem unlikely that the Sobig author(s) determined the email headers and values independently."
And the quote from the interview:
"But Ibragimov said Send-Safe chose the particular order of headers merely to mimic Outlook Express and to better evade spam filters."
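The header-order argument comes up in sczimme's post above and again in this one: spam filters and mail clients can be fingerprinted by the sequence in which they emit headers, which is exactly why a bulk mailer would copy a popular client's order, and why two tools sharing an order may both be imitating the same target rather than sharing an author. The Python below is an added example, not code from the report or the interview: it extracts the sender-side header order from a raw message, drops relay-added transit headers, scores the order against a table of reference orders with a longest-common-subsequence ratio, and reports the best match. The reference orders, the sample messages and the client labels are constructed for this demonstration and do not describe the real header order of Outlook Express or any other product.

```python
from email.parser import BytesHeaderParser

# Headers added by relays in transit sit above the sender-generated block and
# would otherwise dominate the order fingerprint, so they are ignored.
TRANSIT_HEADERS = {"received", "return-path", "delivered-to", "x-original-to"}

# Constructed reference orders for two hypothetical mail clients. These are NOT the
# real header orders of Outlook Express or any other product.
KNOWN_ORDERS = {
    "client-x": ("from", "to", "subject", "date", "mime-version", "content-type",
                 "content-transfer-encoding", "x-priority", "x-mailer"),
    "client-y": ("date", "from", "to", "subject", "mime-version", "content-type",
                 "x-mailer"),
}


def header_order(raw: bytes) -> tuple:
    """Sender-side header names, lower-cased, in the order they appear."""
    msg = BytesHeaderParser().parsebytes(raw)
    return tuple(name.lower() for name, _ in msg.items()
                 if name.lower() not in TRANSIT_HEADERS)


def lcs_length(a, b) -> int:
    """Longest common subsequence length (tolerates one inserted or dropped header)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]


def order_similarity(a, b) -> float:
    """1.0 means identical order; 0.0 means no header names in common order."""
    return 2 * lcs_length(a, b) / (len(a) + len(b)) if a and b else 0.0


def classify(raw: bytes, known=KNOWN_ORDERS):
    """Return (best-matching reference label, score) for a raw message."""
    fp = header_order(raw)
    best = max(known, key=lambda k: order_similarity(fp, known[k]))
    return best, order_similarity(fp, known[best])


# Constructed messages (not captured traffic). SAMPLE_A is from "client-x";
# SAMPLE_B comes from a bulk mailer copying client-x's order and banner;
# SAMPLE_C follows client-y's order.
SAMPLE_A = (b"Received: from relay.example ([192.0.2.10]) by mx.example; Mon, 3 Nov 2003 10:00:00 +0000\r\n"
            b"Return-Path: <alice@example.invalid>\r\n"
            b"From: Alice <alice@example.invalid>\r\n"
            b"To: bob@example.invalid\r\n"
            b"Subject: hello\r\n"
            b"Date: Mon, 3 Nov 2003 09:59:00 +0000\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: text/plain; charset=\"iso-8859-1\"\r\n"
            b"Content-Transfer-Encoding: 7bit\r\n"
            b"X-Priority: 3\r\n"
            b"X-Mailer: Client-X 6.0\r\n"
            b"\r\nbody\r\n")
SAMPLE_B = (b"Received: from unknown ([198.51.100.7]) by mx.example; Mon, 3 Nov 2003 10:05:00 +0000\r\n"
            b"From: Promo <promo@example.invalid>\r\n"
            b"To: bob@example.invalid\r\n"
            b"Subject: offer\r\n"
            b"Date: Mon, 3 Nov 2003 10:04:00 +0000\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: text/html; charset=\"iso-8859-1\"\r\n"
            b"Content-Transfer-Encoding: 7bit\r\n"
            b"X-Priority: 3\r\n"
            b"X-Mailer: Client-X 6.0\r\n"
            b"\r\n<p>offer</p>\r\n")
SAMPLE_C = (b"Date: Mon, 3 Nov 2003 11:00:00 +0000\r\n"
            b"From: Carol <carol@example.invalid>\r\n"
            b"To: bob@example.invalid\r\n"
            b"Subject: notes\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: text/plain\r\n"
            b"X-Mailer: Client-Y 2.1\r\n"
            b"\r\nnotes\r\n")

if __name__ == "__main__":
    for label, raw in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, classify(raw))
```

Sample B scores a perfect match against the client-x reference even though it came from a different program, which is the defender's reading of this thread: header order is a useful filter feature for spotting traffic that imitates a client badly, but an order shared by two tools is evidence of imitation of a common target at least as much as of common authorship.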


Least comment story ever? (1)

Chmarr (18662) | more than 9 years ago | (#10716304)

Wow... this story's a whole FOUR hours old, and there's only been 50 or so comments on it? Could this possibly be the least commented-on story in Slashdot's history?

If I didn't know any better, I'd think that there was something else on most people's minds! :)

Have you read it?.. (1)

Mondor (704672) | more than 9 years ago | (#10721143)

"Ibragimov, 30, said no one from the FBI or any other law enforcement agency has ever contacted him about the SoBig worm." I wonder how FBI officers would contact a Russian citizen in Russia :) No, imagine that an FSB (ex-KGB), or any other Russian secret service officer will knock on your door in the middle of American Nowhere. In reality, if you want this guy to pay for his sins, write about this event to fsb@fsb.ru (the address is real, don't "test" it!), I guess after some requests they will consider talking to this Ruslan Ibragimov. By the way, his name and surname show that he is most likely not Russian. It looks like he belongs to the Chechen or another Caucasus nation, so the talk with the FSB officer is not going to be gentle. And another thing - he is using the swreg.org registrar for his spamware. No matter if he is the author of SoBig or not, you can ignore this registrar (whether you are a developer or a customer, doesn't matter), so they will not earn money on spam.