[Dshield] Accidental inoculation against SoBig?

John D. lists at webcrunchers.com
Thu Aug 21 20:32:39 GMT 2003

>Greetings all:
>I have noticed two trends in recent days that have had me really concerned. In fact, to say I have been totally baffled would be an understatement.
>The first trend I noticed was an ever-increasing number of systems performing VERY aggressive port scans of our MTAs. In most cases, the host probing the MTA would repeat the probe anywhere from 10 to 200+ times an hour for hours (or, in some cases, days) on end. These are almost always originating from DSL or Cable connections, thus I assumed that they were some new proxy server that our checks did not identify.

Looks to me like SoBig is doing its dirty deeds.... We are just not having these problems.... Our crunchbox is blocking IPs like flies on shit. I'm getting HUGE increases in these scans... I'm having to purge our "shitlist" on a daily basis, but enjoy going through them.... I'm recording all the originating IPs of course (these are infected machines) and reporting them to the ISPs in question.

The pattern is clear.

This is going to continue until all the ISPs get their filters in place to stop it.

>The other trend I noticed REALLY REALLY REALLY bothered me: We were getting NO (zero! none! nada!) SoBig hits.

You probably won't. At least not for a while. The 2nd phase of the virus hasn't kicked in yet. That phase will be evident, as you'll experience a HUGE increase in spam after the trojans are installed, which hasn't happened yet.

More than likely, you are now just getting the mails from the infected machine as it's going through users' mailing lists, looking for more systems to infect.

>This had me concerned to the point that yesterday I spent all day (like 19+ hours) upgrading our A-V engine and switching from AMaViS to MIMEDefang on all of our mail servers, thinking there had to be a problem in one of those components.
>When I first got up this morning, I logged in to several of our mail servers from the house and checked the log files. Still NO SoBig hits! At this point I was totally confused.

I'm not exactly sure what you mean by SoBig hits? But I'm getting a HUGE increase in Spam mail with the SoBig virus as an attachment hiding as .pif files.

>Then, in the shower (which is where I do some of my best thinking!), I recalled someone mentioning yesterday that SoBig runs its own SMTP engine.

Yes - but you won't see them until later. We are just in the first stage of the SoBig attack. After the 2nd stage, I believe the infected machines will have a special version of WinGate installed on them. I suspect that THESE are going to be your "SMTP engines" you talked about, as they wake up and start sending millions of spams. They will get woken up when the attacker establishes a connection to the infected box to tell it what to do. It could be ANYTHING - But I suspect it will be mostly for spam. Once MSBlaster was released, the huge influx of upgrades and virus eradications also eradicated spammer trojans as well.

Because there is BIG money in spammage, one can expect they would react this way.

I have a HUGE database of ISPs and abuse contact information, and continue to report spam. In my reports, I've included all the info they need both to eliminate the problem and to catch the perpetrator. I'm still refining my methods of doing this.

>Then I also remembered that in the past we have had problems with some really old SMTP servers gagging on our MTA's connection greeting; we all have a rather large multi-line 220 message that used to cause some problems.
>Then it hit me -- could SoBig's SMTP engine be gagging on our 220 greeting message? 

I suspect their SMTP Engine would be WinGate (according to an earlier report on the SoBig Spam Trojan info). I have no idea how they modified it, but if you can dig up WinGate details, your answers may be in there. I have very little knowledge of this program. I'm not a Gates Slave and don't use M$ products.

>If so, then that could account for both of the trends I have been worrying about. It could be that we have not received any SoBig hits because it cannot connect to any of our MTAs successfully. SoBig could also be repeatedly trying these connections, and that could account for the aggressive port scans.

Go here: http://www.lurhq.com/sobig.html. This might give you some answers.

>Any thoughts on this? Could we have accidentally inoculated ourselves against SoBig by having a large greeting message that it cannot handle?

Don't think so, unless I misunderstood you.

We've been suffering these attacks for over a year from earlier strains of SoBig.

We log our attacks and report them to the originating ISP and hope they can take care of it. Because of the privacy policies of ISPs, we can't go any further to deal with it, because we can't contact the source of the problem.

Of course I can "turn off" these attacks if I want to, using our Crunchbox. But I'm allowing them in, so I can analyse what they are doing. Know thy enemy - I always say...

Also, if interested in this, I'm trying to drum up interest to put up a honeypot PC to catch them. If interested, let me know. There is a lot of talent out here on DShield - let's do something like this...
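The "gagging on our 220 greeting" hypothesis quoted above comes down to how an SMTP client reads a multi-line server reply. The block below is an added example, not code from the original post, from DShield, or from any SoBig analysis; it runs offline against a constructed server transcript (the hostnames, banner wording and the HELO/QUIT script are made up). It contrasts a reply reader that follows the RFC 5321 continuation rule (a `220-` line means more lines follow, `220 ` ends the reply) with a naive one-line reader, and shows how the naive reader stays in sync with a one-line greeting but desynchronises on a multi-line one, taking the leftover banner lines as the replies to its own commands.

```python
import io

# Constructed multi-line 220 greeting in the RFC 5321 section 4.2 format:
# continuation lines carry "220-", the final line carries "220 " (code, space).
# Hostname and wording are invented for this example.
BANNER = (
    b"220-mx.example.test ESMTP service ready\r\n"
    b"220-Unauthorized use of this system is prohibited.\r\n"
    b"220 All connections are logged.\r\n"
)

# Scripted server side of a greeting -> HELO -> QUIT exchange (constructed).
SERVER_SCRIPT = BANNER + b"250 mx.example.test Hello\r\n" + b"221 Bye\r\n"

# The same exchange with a one-line greeting, for comparison (constructed).
ONE_LINE_SCRIPT = b"220 mx.example.test ESMTP\r\n250 Hello\r\n221 Bye\r\n"


def read_reply(stream):
    """Read one complete SMTP reply and return (code, [lines]).

    RFC 5321 section 4.2: each line starts with a 3-digit code; a '-' in
    column 4 means more lines follow, a space (or nothing) means last line.
    """
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        lines.append(line)
        if len(line) == 3 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def naive_read_reply(stream):
    """A reader that assumes every reply is exactly one line.

    Works against a one-line greeting; against a multi-line one the unread
    continuation lines are later mistaken for replies to later commands.
    """
    raw = stream.readline()
    if not raw:
        raise ConnectionError("peer closed the connection mid-reply")
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    return int(line[:3]), [line]


def run_client(reader, server_bytes):
    """Drive greeting -> HELO -> QUIT against a scripted server transcript.

    Commands are recorded rather than sent, since the server output is fixed
    in advance; that is enough to show how each reader pairs replies with
    commands.  Returns a list of (step, code, lines) tuples, stopping at the
    first step a real client would treat as a failure.
    """
    stream = io.BytesIO(server_bytes)
    sent = []
    transcript = []

    code, lines = reader(stream)
    transcript.append(("greeting", code, lines))
    if code != 220:
        return transcript  # not a service-ready greeting: abort

    sent.append(b"HELO client.example.test\r\n")
    code, lines = reader(stream)
    transcript.append(("HELO", code, lines))
    if code != 250:
        return transcript  # HELO "rejected": the client gives up or retries

    sent.append(b"QUIT\r\n")
    code, lines = reader(stream)
    transcript.append(("QUIT", code, lines))
    return transcript


def helo_accepted(reader, server_bytes=SERVER_SCRIPT):
    """True if the reader sees a 250 reply to HELO in the scripted exchange."""
    return any(step == "HELO" and code == 250
               for step, code, _ in run_client(reader, server_bytes))


if __name__ == "__main__":
    for name, reader in (("RFC-compliant", read_reply), ("naive", naive_read_reply)):
        print(name)
        for step, code, lines in run_client(reader, SERVER_SCRIPT):
            print("  %-8s -> %d  %s" % (step, code, " | ".join(lines)))
```

Running the block prints both transcripts. The compliant reader consumes all three banner lines as one 220 reply and then sees 250 for HELO and 221 for QUIT. The naive reader accepts the first banner line as the greeting, sends HELO, and then reads the second banner line (`220-Unauthorized use ...`) as the HELO response; since that is not a 250 it stops there, which is the kind of repeated connect-and-abandon behaviour that would show up as the aggressive probing described at the top of the thread. From the receiving side, a multi-line 220 banner is standards-conformant and real MTAs handle it, so a peer that repeatedly fails on it is a signal that the client is not a proper mail server, worth correlating with the per-source connection counts that are already being logged and reported.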