Full Disclosure mailing list archives
RE: Sobig has a surprise...
From: David Vincent <david.vincent () mightyoaks com>
Date: Fri, 22 Aug 2003 18:28:22 -0700
> All the experts were totally faked out. While everyone was concentrating on getting the "magic 20" machines shut down, no one realized that different copies of Sobig.F had different lists of servers to contact. We put a block of UDP port 8998 on our firewall this morning. We had 3 previously undetected infected machines on our network, each of which tried to contact a different list of 20 machines. One of the lists corresponds to the one that Sophos and others have published. The other two lists have no addresses in common with the published list, or with each other.
Care to publish those IPs?
> I wonder how many different sets of servers there were, how many different variants of Sobig.F there were, and how many infected machines now have some additional trojan, worm, or DDoS code waiting for a command to do something.
<insert theme from "jeopardy">

-d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
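The check the quoted poster describes (block outbound UDP/8998 at the firewall, then see which internal hosts hit which server lists and whether those lists overlap the published one) as an added Python example. This is not code from the thread or from any of its participants; the iptables-style log lines, the stand-in "published list" and every address are constructed (RFC 5737 test ranges), not the real Sophos list, and the port-8998 filter is taken from the post above.

```python
"""Group blocked UDP/8998 attempts per internal host and compare the
destination sets, as the quoted post reasons about its three infected
machines.  Added example, not from the original thread.  Log format and
all addresses below are constructed (RFC 5737 ranges)."""
import re
from collections import defaultdict

# Constructed iptables-style DROP lines; not real traffic.
FIREWALL_LOG = """\
Aug 22 09:01:12 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.10 PROTO=UDP SPT=40210 DPT=8998 LEN=36
Aug 22 09:01:12 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.11 PROTO=UDP SPT=40210 DPT=8998 LEN=36
Aug 22 09:01:13 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.12 PROTO=UDP SPT=40210 DPT=8998 LEN=36
Aug 22 09:01:40 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=198.51.100.20 PROTO=UDP SPT=51022 DPT=8998 LEN=36
Aug 22 09:01:40 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=198.51.100.21 PROTO=UDP SPT=51022 DPT=8998 LEN=36
Aug 22 09:02:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.9.44 DST=203.0.113.5 PROTO=UDP SPT=33001 DPT=8998 LEN=36
Aug 22 09:02:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.9.44 DST=203.0.113.6 PROTO=UDP SPT=33001 DPT=8998 LEN=36
Aug 22 09:02:30 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.9.44 DST=192.0.2.99 PROTO=UDP SPT=33002 DPT=53 LEN=60
"""

# Stand-in for "the list Sophos and others published"; constructed, not the real list.
PUBLISHED_LIST = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=UDP .*?DPT=(?P<dpt>\d+)"
)


def contacts_by_source(log_text, port=8998):
    """Map each internal source address to the set of UDP/<port> destinations
    it tried to reach.  Other ports (the DPT=53 line above) are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            hits[m.group("src")].add(m.group("dst"))
    return dict(hits)


def classify(hits, published):
    """Label each source 'published' if any of its targets is on the published
    server list, else 'unpublished' (a list nobody has warned about yet)."""
    return {
        src: ("published" if dsts & published else "unpublished")
        for src, dsts in hits.items()
    }


def distinct_target_lists(hits):
    """Merge destination sets that share at least one address.  Each surviving
    set is one candidate server list, so two hosts carrying the same variant
    collapse into one entry and the count approximates the number of variants."""
    groups = []
    for dsts in hits.values():
        merged = set(dsts)
        rest = []
        for g in groups:
            if g & merged:
                merged |= g
            else:
                rest.append(g)
        groups = rest + [merged]
    return groups


if __name__ == "__main__":
    hits = contacts_by_source(FIREWALL_LOG)
    labels = classify(hits, PUBLISHED_LIST)
    for src in sorted(hits):
        print(f"{src}: {len(hits[src])} targets, {labels[src]}")
    print(f"{len(distinct_target_lists(hits))} distinct server list(s) observed")
```

The DROP lines are the firewall's own record of the attempts, so a host never appears unless it is already beaconing; this finds infected machines the AV scan missed, as the post reports, but says nothing about hosts that have not yet tried to call out. The merge step is deliberately loose: lists that share even one address are treated as one variant.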
Current thread:
- Re: Sobig has a surprise..., (continued)
- Re: Sobig has a surprise... Paul Schmehl (Aug 22)
- RE: Sobig has a surprise... Paul Schmehl (Aug 22)
- RE: Sobig has a surprise... Ron DuFresne (Aug 23)
- RE: Sobig has a surprise... Paul Schmehl (Aug 23)
- RE: Sobig has a surprise... Ron DuFresne (Aug 23)
- RE: Sobig has a surprise... Paul Schmehl (Aug 23)