[Dshield] Sobig.F outbreak

Jeff Kell jeff-kell at utc.edu
Thu Aug 21 04:02:10 GMT 2003


Johannes B. Ullrich wrote:

> On Wed, 2003-08-20 at 16:21, Richard Roy wrote:
> 
>>I was getting a ton with a forged from of admin at internet.com
> 
> 
> I believe that's the 'default' address for the latest Sobig. If it can't
> find any email addresses in the browser cache or address book, it will
> default to admin at internet.com
> 
> Sobig uses its very own SMTP engine. So it can fake whatever header it
> wants.
> 
> It will fake the envelope and the 'From' address. However, it looks like
> it uses the infected machine's Netbios host name in its 'HELO' message.

One note of interest... somehow it uses "some" external DNS server to
resolve MXs. In our case this was incredibly lucky as we have a router
ACL that only permits SMTP outbound from our internal SMTP servers
(using their internal addresses behind NAT). SoBig.F trying to send
itself to our own users was blocked because it was addressed to our SMTP
external address, not internal.

Anyone else behind NAT might try this to stop local multiplication of
the virus...

Jeff
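As an added example (not part of Jeff's post or the list archive), the egress ACL he describes also works as a detector once its denies are logged: the script below picks out internal hosts, other than the known mail servers, that are repeatedly denied outbound port 25 to several different destinations, which is the mass-mailer pattern. The Cisco IOS-style log lines, the mail-server addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Assumed ACL deny line shape (Cisco IOS %SEC-6-IPACCESSLOGP style).
ACL_DENY = re.compile(
    r"list (?P<acl>\S+) denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

# Constructed: the only hosts the ACL permits to speak SMTP outbound.
INTERNAL_SMTP_SERVERS = {"10.0.0.25", "10.0.0.26"}

# Constructed sample router log; one workstation hitting three external MXs.
SAMPLE_LOG = """\
Aug 20 16:21:03 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.4.77(1034) -> 198.51.100.10(25), 1 packet
Aug 20 16:21:04 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.4.77(1035) -> 203.0.113.25(25), 1 packet
Aug 20 16:21:05 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.4.77(1036) -> 192.0.2.20(25), 2 packets
Aug 20 16:21:09 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.9.12(2201) -> 192.0.2.20(25), 1 packet
Aug 20 16:21:10 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.9.12(2202) -> 203.0.113.25(80), 1 packet
""".splitlines()

def parse_deny(line):
    """Return the fields of one ACL deny line, or None if it is not one."""
    m = ACL_DENY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def suspect_mailers(lines, threshold=3):
    """Map each non-mail-server source that was denied outbound tcp/25 at
    least `threshold` packets to (denied_packets, distinct_destinations)."""
    packets, dests = Counter(), {}
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["dport"] != 25:
            continue                      # not an SMTP deny, ignore
        if rec["src"] in INTERNAL_SMTP_SERVERS:
            continue                      # real mail servers are permitted anyway
        packets[rec["src"]] += rec["count"]
        dests.setdefault(rec["src"], set()).add(rec["dst"])
    return {ip: (n, len(dests[ip])) for ip, n in packets.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (n, d) in suspect_mailers(SAMPLE_LOG).items():
        print(f"{ip}: {n} denied SMTP packets to {d} distinct MX hosts")
```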