funsec mailing list archives
RE: F-Secure: Sober.Y (Fake FBI e-Mail) Becoming Huge
From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Wed, 23 Nov 2005 09:24:14 +0530
I came across this worm in the month of Feb, 2005. Oh! So it struck back again. I did a quick reverse engineering on this worm as then (talking about somewhere around Feb, 2005) there was no advisory released from any AV vendor, and even VirusTotal wasn't able to detect it. I released a paper on it on 25th Feb, 2005. The complete analysis can be downloaded from here: http://www.hackingspirits.com/eth-hac/papers/whitepapers.asp

-:: Tr0y ::-
www.hackingspirits.com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Fergie
Sent: Wednesday, November 23, 2005 5:59 AM
To: funsec () linuxbox org
Subject: [funsec] F-Secure: Sober.Y (Fake FBI e-Mail) Becoming Huge

Mikko writes in the F-Secure "News from the Lab" Blog:

[snip]

We just took Sober.Y to a Radar Level 1 alert. Level 1 is the highest alert we have. And this is the first Level 1 alert we've done in months.

Several millions of infected emails have been seen by internet operators over the last hours. One of the reasons why this email worm seems to be so successful in spreading is that some of the messages it sends are fake warnings from FBI, CIA or from the German Bundeskriminalamt (BKA). FBI has even put out a public warning on the case.

First Sober was found in October 2003, over two years ago. We believe all 25 variants of this virus have been written by the same individual, operating from somewhere in Germany. Unlike most of the other widespread viruses nowadays, Sober doesn't seem to have a clear financial motive behind it. Some Sober variants have displayed neo-nazi messages, but the latest version of the virus does not do this. However, all Sober variants send German messages to German email addresses and English messages to other addresses.

The numbers we're now seeing with Sober.Y are just huge. This is the largest email worm outbreak of the year - so far!

[snip]

http://www.f-secure.com/weblog/archives/archive-112005.html#00000715

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- F-Secure: Sober.Y (Fake FBI e-Mail) Becoming Huge Fergie (Nov 22)
- RE: F-Secure: Sober.Y (Fake FBI e-Mail) Becoming Huge Debasis Mohanty (Nov 22)
- <Possible follow-ups>
- RE: F-Secure: Sober.Y (Fake FBI e-Mail) Becoming Huge Fergie (Nov 22)