Sobig.D already here

Gabriele Neukam

Hi all,


I received a mail with the subject "Re: Movie", and an attachment
"your_details.zip", which extracts to "details.pif"

This looked very Sobiggy, but my AntiVir didn't recognize it. A short
glance at it with a hex viewer shows that it is packed with ASpack. Am
currently downloading the newest AntiVir, to identify it.

So take care.


Gabriele Neukam

(e-mail address removed)
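Added example (my own, not code from the thread): a triage check for a mail attachment shaped like the one described above. It opens the zip in memory, flags members with directly executable extensions such as .pif, and reads the PE section table for the names ASPack is known to leave behind (.aspack/.adata, an assumption used only as a heuristic); the sample zip and PE skeleton are constructed, not the real worm.

```python
import io
import struct
import zipfile

# Extensions Windows runs directly when double-clicked; Sobig's lure arrives as a .pif inside a zip.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}
# Section names ASPack commonly leaves in the PE section table (assumption: a heuristic, not proof).
ASPACK_SECTIONS = {b".aspack", b".adata"}

def pe_section_names(data):
    """Return the section names of a PE image, or [] if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]  # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section table follows the optional header
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0") for i in range(nsections)]

def looks_aspacked(data):
    return any(name.lower() in ASPACK_SECTIONS for name in pe_section_names(data))

def triage_zip(zip_bytes):
    """List (member, extension, aspack?) for every directly executable member of a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                findings.append((info.filename, ext, looks_aspacked(zf.read(info))))
    return findings

def fake_aspacked_pe():
    """Constructed stand-in for details.pif: a PE header skeleton with ASPack-style sections, no code."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew points just past the DOS stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)  # 2 sections, no optional header
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b".aspack", b".adata"))
    return dos + coff + sections

def sample_attachment():
    """Constructed zip shaped like the thread's your_details.zip -> details.pif (sample data, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.pif", fake_aspacked_pe())
        zf.writestr("notes.txt", "plain text member, ignored by the triage")
    return buf.getvalue()
```

Running `triage_zip(sample_attachment())` reports the .pif member and that it carries ASPack-style section names; a real gateway check would treat either finding alone as reason to quarantine.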
 
Jari Lehtonen

Ok, after looking up Sophos, I know it is Sobig.E. It looks like the
programmer wasn't too content with the results of version d.

No offense, good you spotted it before any harm done.

jari
 
Nick FitzGerald

Gabriele Neukam said:
I received a mail with the subject "Re: Movie", and an attachment
"your_details.zip", which extracts to "details.pif"

This looked very Sobiggy, but my AntiVir didn't recognize it. A short
glance at it with a hex viewer shows that it is packed with ASpack. Am
currently downloading the newest AntiVir, to identify it.

I see you already discovered it was, in fact, Sobig.E.

Sobig.D was about ten days ago (from memory) and did not make anything
like the "splash" of its predecessors and this successor...
 
akhibby

Nick FitzGerald said:
I see you already discovered it was, in fact, Sobig.E.

Sobig.D was about ten days ago (from memory) and did not make anything
like the "splash" of its predecessors and this successor...
Interesting (vaguely): AVG with DATs dated 25th (current, I just checked their
webpage) failed to detect it, even after I extracted the PIF from the
archive; F-prot confirmed that it's live.

Guess I'll mail it in...

Ian
 
akhibby

akhibby said:
Interesting (vaguely): AVG with DATs dated 25th (current, I just checked their
webpage) failed to detect it, even after I extracted the PIF from the
archive; F-prot confirmed that it's live.

Guess I'll mail it in...

Ian
Scratch that, they must have had two updates that day, I redownloaded and it
picked it up fine.
 
Nick FitzGerald

akhibby said:
Scratch that, they must have had two updates that day, I redownloaded and it
picked it up fine.

Given the unexpected (initial) success of four of the five members of
this family, and the enduring success of Sobig.A which did not have a
built-in drop dead date (or has not yet reached it??), the appearance
of a new Sobig variant is likely to prompt all scanner developers to
release new detection updates...
 
Gabriele Neukam

On that special day, Nick FitzGerald, (e-mail address removed) said...
Given the unexpected (initial) success of four of the five members of
this family, and the enduring success of Sobig.A which did not have a
built-in drop dead date (or has not yet reached it??), the appearance
of a new Sobig variant is likely to prompt all scanner developers to
release new detection updates...

Sigh. Just today I was sent an "E" _and_ an "A".

Is there _any_ info, whether the later versions do install mass mailing
trojans, like the first one, described in:
http://www.lurhq.com/sobig.htm

The expiration date makes me believe that the programmer uses a "hit and
run" tactic, have the worm spread, provide a server for the trojan to
download, and have said server "vanish" two or three weeks later, before
it is tracked by virus analysts.

That would be just mean.

What I hate about Sobig.E: It is packed with ASpack, which doesn't have
an uncompress option, so that I cannot analyze it to see if there is an
URL it would contact.


Gabriele Neukam

(e-mail address removed)
 
Nick FitzGerald

Gabriele Neukam said:
Is there _any_ info, whether the later versions do install mass mailing
trojans, like the first one, described in:
http://www.lurhq.com/sobig.htm

To date (subsequent to the snafu over .A), the download sites coded into
Sobig (and those pointed to by the "locator" file hosted thereon before
we could get them closed) have been pretty promptly closed and
(generally) someone has monitored those sites for updates/changes until
they have been closed.
The expiration date makes me believe that the programmer uses a "hit and
run" tactic, have the worm spread, provide a server for the trojan to
download, and have said server "vanish" two or three weeks later, before
it is tracked by virus analysts.

Well, you can think that but typically it takes a few hours from release
to capture and analysis and then a few more hours to a day or two to get
the hosting sites killed. It certainly does not take us "weeks" to get
on top of this (the biggest delays by far are getting through to the
abuse folks at the hosting companies and getting them to remove _and
permanently block_ the update sites).
That would be just mean.

What I hate about Sobig.E: It is packed with ASpack, which doesn't have
an uncompress option, so that I cannot analyze it to see if there is an
URL it would contact.

Well, just because the ASPack packer does not provide it does not mean
that ASPack-ed EXEs cannot be unpacked. Try Googling "aspack unpacker"
or similar (though you may wish to run the tools you find on a goat or
in a VM...).
 
Gabriele Neukam

On that special day, Nick FitzGerald, (e-mail address removed) said...
....
Well, you can think that but typically it takes a few hours from release
to capture and analysis and then a few more hours to a day or two to get
the hosting sites killed. It certainly does not take us "weeks" to get
on top of this (the biggest delays by far are getting through to the
abuse folks at the hosting companies and getting them to remove _and
permanently block_ the update sites).

I didn't assume that you are slow, only that maybe _some_ server hosters
might be slow at cooperating (especially if they are amateurs, and their
machine was root kit trojanized). If the worm makes use of infos from
maintained servers, it is easier to shut its source down. Maybe the
programmer should reduce the "spreading time" to something below seven
days; this would spare one or another specimen about which I might have
to complain.

Today I was sent one from China. The weirdest fact seems to be that the
spreaders aren't the usual dumbheads which click on everything which
they might ever see, but in Germany a lot of mails are sent from high
schools and universities. Maybe due to the "details" portion in the
filename. "Details" looks like the mail is important, maybe about an
application, or will the funding be granted, or how the research went
on, and so on.

Sobig.E makes intellectuals look rather stupid.


Gabriele Neukam

(e-mail address removed)