RE: Sobig has a surprise...

[David Vincent <david.vincent () mightyoaks com>]

> All the experts were totally faked out. While everyone was 
> concentrating on getting the "magic 20" machines shut down, 
> no one realized that different copies of Sobig.f had 
> different lists of servers to contact.
>
> We put a block of udp port 8998 on our firewall this morning. 
> We had 3 previously undetected infected machines on our 
> network, each of which tried to contact a different list of 
> 20 machines. One of the lists corresponds to the one that 
> Sophos and others have published. The other two lists have no 
> addresses in common with the published list, or with each other.

care to publish those ips?

> I wonder how many different sets of servers there were, how 
> many different variants of Sobig.f there were, and how many 
> infected machines now have some additional trojan, worm, or 
> ddos code waiting for a command to do something.

<insert theme from "jeopardy">

-d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html