[Dshield] likely move to infocon 'Yellow'

John D. lists at webcrunchers.com
Sat Aug 23 03:35:27 GMT 2003


>To play Devil's advocate for a minute, does anyone know if there is
>anything still not decoded in Sobig? My "little voice" tells me that,
>if there is, and this writer was astute enough to encrypt this action,
>is it not reasonable to assume that the IPs could be phony (meaning
>there they are, but the code actually uses them in an algorithm to
>target the real IPs)?
>Example: 10.10.10.10 listed in the code has been decrypted and now shut
>off, right, but the rest of the code takes the first portion and, say,
>adds 1 to it so the real IP is 11.10.10.10.
>
>Just a thought, I hope the folks at F-Secure decrypted the whole thing.

It shouldn't be that hard to find out. Monitor an infected machine and sniff the ethernet traffic and see what it tries to connect to. Note the host IP, then look in the code and see the relationship; perhaps it might even lead to a function it derives to get the REAL one. Just a thought....

John
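The check described in the reply above (sniff what the infected host actually connects to, then compare those destinations against the IP list recovered from the code), written up as an added Python example that is not part of the original thread. The decoded IP list and the tcpdump-style capture lines are constructed placeholders, not real Sobig addresses or a real capture; the line format is an assumption.

```python
import ipaddress
import re

# Constructed: IPs supposedly recovered from the sample (placeholders, not real indicators).
DECODED_IPS = ["10.10.10.10", "10.20.30.40", "192.0.2.7"]

# Constructed: outbound traffic from the monitored host in a tcpdump-like "src > dst:" layout.
SNIFFED_LINES = """\
12:00:01.000 IP 10.0.0.5.1034 > 10.10.10.10.8998: UDP, length 8
12:00:01.050 IP 10.0.0.5.1035 > 11.10.10.10.8998: UDP, length 8
12:00:01.100 IP 10.0.0.5.1036 > 10.20.30.40.8998: UDP, length 8
12:00:01.150 IP 10.0.0.5.1037 > 198.51.100.9.8998: UDP, length 8
"""

DST_RE = re.compile(r"> (\d{1,3}(?:\.\d{1,3}){3})\.\d+:")


def destinations(capture):
    """Unique destination IPs seen in the capture lines."""
    return {m.group(1) for line in capture.splitlines() if (m := DST_RE.search(line))}


def classify(observed, decoded):
    """Explain one observed destination in terms of the decoded list.

    Returns ("direct", ip, None) for an exact match, ("offset", ip, (octet, delta))
    when exactly one octet differs from a decoded entry (the "add 1" hypothesis),
    and ("unexplained", None, None) otherwise, which is what an analyst should chase.
    """
    if observed in decoded:
        return ("direct", observed, None)
    obs = ipaddress.IPv4Address(observed).packed
    for cand in sorted(decoded):
        diff = [o - c for o, c in zip(obs, ipaddress.IPv4Address(cand).packed)]
        nonzero = [(i, d) for i, d in enumerate(diff) if d]
        if len(nonzero) == 1:
            return ("offset", cand, nonzero[0])
    return ("unexplained", None, None)


def correlate(capture, decoded):
    """Map every sniffed destination to its classification."""
    decoded = set(decoded)
    order = sorted(destinations(capture), key=ipaddress.IPv4Address)
    return {dst: classify(dst, decoded) for dst in order}


if __name__ == "__main__":
    for dst, verdict in correlate(SNIFFED_LINES, DECODED_IPS).items():
        print(dst, verdict)
```

Anything that comes back "unexplained" is a destination the decoded list does not account for, which is the signal that more of the sample still needs reversing.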