[Dshield] likely move to infocon 'Yellow'

John D. lists at webcrunchers.com
Sat Aug 23 03:46:01 GMT 2003

>Looking at the latest reports about 'Sobig-F', I think we will move to
>'Yellow' to give people a heads up on the Sobig F update activity, which
>will start at 19:00 UTC (15:00 EDT). 

What does "yellow" mean - a reduction in threat level?

>All Sobig infected hosts will attempt to hit the same set of 20 IPs at
>that time. As Sobig uses multiple NTP servers to synchronize its clock,
>this activity is expected to start rather fast. 
>The list of IPs are known and there have been reports that most of them
>are down at this point. But even if the update is not successful, the
>synchronized traffic may cause issues.

But have they ensured these IPs are going to STAY down? Obviously the
virus writer is not going to be turning on these machines until the very last
moment to avoid discovery, but if ALL the ISPs owning these IPs are in on it,
then they can all react to stop them all in time.

>I expect we will move back to green around 15:30 EDT (19:30 UTC).

Good - I'm glad everyone is working together for once.... hats off to the ISPs for dealing with it.
