[Dshield] Upsurge in SoBig? 2

Bob Savage bsavage at rnr-inc.com
Mon Sep 8 16:44:41 GMT 2003

Paranoid is good.  I'm that way too.  And I'm lucky - we're small enough that I've been able to indulge my obsession with this stuff and spend some time watching the flow and developing statistics.

I interpret the bounces as being from legitimate sources although sent to the spoofed 'return' address.  It looks to me as if SoBig spoofs the return address using the same list of addresses it finds and uses for sending.  The pattern I'm seeing is that a user is targeted for a while, then it ends, presumably when the infection is discovered and cleaned.  During the time that a user is a target they will also receive a small number of these bounces.  When the emails stop so do the bounces.  Some of the bounces are NDRs from bad addresses, others are bounced by an antivirus product.  Some have the attachment, some don't.  I guess I thought whether the attachment is there or not depends on the quirks and setup of the bouncing system.  It appears to me that the source IP in the header of both the original SoBig emails and the bounces is correct.

Incidentally, in the worst cases I've set up a filter to block all traffic from the source IP at the outside door.  Otherwise I'm letting the anti-virus software catch them, delete them, and report to me.  We do not send a "virus caught" notification to the sender.  I'm not sure why anybody would even try that anymore.

Bob Savage
RNR, Inc

-----Original Message-----
From: Daniels566 at cs.com [mailto:Daniels566 at cs.com]
Sent: Monday, September 08, 2003 10:27 AM
To: list at dshield.org
Subject: Re: [Dshield] Upsurge in SoBig? 2

Not sure if most are already familiar with this stuff. My earlier post
mentioned my wife is getting a lot of returned mail she never sent. They're still
coming in and the last one is gimmicked to warn that there was a virus and it is
being returned with the suggestion that would cause someone unsuspecting to
download the return attachment and open it. It appears that address book names are
being spoofed and mail servers are rejecting them like crazy and returning
them to the addy of the supposed sender. Somewhere in the deluge are spoofed mail
denials being thrown around so that when someone gets a bunch back they might
become careless and open the one that is returned with an attachment.
That's just my paranoid opinion.

John Daniels

These are the last four received:
Subj:    Warning: E-mail viruses detected   
Date:   9/4/03 6:52:45 AM Eastern Daylight Time 
From:   abuse at wealdnet.co.uk
To: adoptapettasap at cs.com
Our virus detector has just been triggered by a message you sent:-
To: wildlife at bornfree.org.uk
Subject: Re: That movie
Date: Thu Sep 4 11:52:35 2003
Any infected parts of the message (thank_you.pif)
have not been delivered.

This message is simply to warn you that your computer system may have a
virus present and should be checked.

The virus detector said this about the message:
Report: thank_you.pif Found the W32/Sobig.f at MM virus !!!
Shortcuts to MS-Dos programs are very dangerous in email (thank_you.pif)

Return-Path: <>
Received: from  rly-za02.mx.aol.com (rly-za02.mail.aol.com []) by 
air-za04.mail.aol.com (v95.12) with ESMTP id MAILINZA43-2ed3f571976147; Thu, 
04 Sep 2003 06:52:45 -0400
Received: from  ns.wealdnet.co.uk (ns.wealdnet.co.uk []) by 
rly-za02.mx.aol.com (v95.1) with ESMTP id MAILRELAYINZA29-2ed3f571976147; Thu, 
04 Sep 2003 06:52:39 -0400
Received: (from root at localhost)
    by ns.wealdnet.co.uk (8.11.6/8.10.2) id h84AqZY09324;
    Thu, 4 Sep 2003 11:52:35 +0100
Date: Thu, 4 Sep 2003 11:52:35 +0100
Message-Id: <200309041052.h84AqZY09324 at ns.wealdnet.co.uk>
From: "Wealdnet" <abuse at wealdnet.co.uk>
To: adoptapettasap at cs.com
Subject: Warning: E-mail viruses detected
X-MailScanner: generated

Subj:    Virus Alert
Date:   9/8/03 4:23:05 AM Eastern Daylight Time
From:   Postmaster at xs2.greenpeace.org
To: adoptapettasap at cs.com
The TUNIX firewall fwu.greenpeace.org intercepted an email from you that
contains a virus. The virus was detected by the AVP virusscanner
from Kaspersky Lab (see for more virus-information: www.kaspersky.com).

Your email has been rejected and will not reach: <
zealand at dialb.greenpeace.org>
The subject is: Subject: Re: Re: My details
The virusalert is: va023956 = infected: I-Worm.Sobig.f 

Please take appropriate actions before re-sending your email.


Return-Path: <Postmaster at xs2.greenpeace.org>
Received: from  rly-xm05.mx.aol.com (rly-xm05.mail.aol.com []) 
by air-xm04.mail.aol.com (v95.12) with ESMTP id MAILINXM43-6153f5c3c5815d; Mon, 
08 Sep 2003 04:23:05 -0400
Received: from  fwu.greenpeace.org (fwu.greenpeace.org []) by 
rly-xm05.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXM57-6153f5c3c5815d; Mon, 
08 Sep 2003 04:22:48 2000
Received: (from root at localhost) by fwu.greenpeace.org (8.9.3c/8.6.12) id 
EAA25132 for <adoptapettasap at cs.com>; Mon, 8 Sep 2003 04:22:46 -0400 (EDT)
Date: Mon, 8 Sep 2003 04:22:46 -0400 (EDT)
Message-Id: <200309080822.EAA25132 at fwu.greenpeace.org>
From: Postmaster at xs2.greenpeace.org
To: <adoptapettasap at cs.com>
Subject: Virus Alert

Subj:    Virus Alert notification
Date:   9/8/03 5:35:47 AM Eastern Daylight Time
From:   Inspectv at talgov.com
To: inspectv at talgov.com, Adoptapettasap at cs.com
Email sent from: Adoptapettasap at cs.com
to: doylej at talgov.com

This E-mail was deleted Win32/Sobig.F.Worm

This E-mail was curred by eTrust SCM for SMTP 
on: Mon Sep 08 05:34:42 2003 

Return-Path: <Inspectv at talgov.com>
Received: from  rly-xc05.mx.aol.com (rly-xc05.mail.aol.com []) 
by air-xc02.mail.aol.com (v95.12) with ESMTP id MAILINXC23-eb3f5c4d703af; Mon, 
08 Sep 2003 05:35:47 -0400
Received: from  ns1.ci.tlh.fl.us (ns1.ci.tlh.fl.us []) by 
rly-xc05.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXC55-eb3f5c4d703af; Mon, 08 Sep 
2003 05:35:45 -0400
Received: from cotexchange3.ci.tlh.fl.us ([])
    by ns1.ci.tlh.fl.us (8.12.8/8.12.8) with ESMTP id h889UaaW019740
    for <Adoptapettasap at cs.com>; Mon, 8 Sep 2003 05:30:36 -0400
Message-Id: <200309080930.h889UaaW019740 at ns1.ci.tlh.fl.us>
Received: from content (content.ci.tlh.fl.us []) by 
cotexchange3.ci.tlh.fl.us with SMTP (Microsoft Exchange Internet Mail Service Version 
    id SGW87SJY; Mon, 8 Sep 2003 05:35:44 -0400
From: Inspectv at talgov.com
To: inspectv at talgov.com, Adoptapettasap at cs.com
Subject: Virus Alert notification

File:   failuren.txt (107719 bytes) DL Time (46666 bps): <1 minute  
Forwarded Message: 
Subj:    failure notice     
Date:   9/8/03 6:57:55 AM Eastern Daylight Time 
From:   MAILER-DAEMON at externet.hu
To: adoptapettasap at cs.com
[Only the first part of this message is displayed. The entire message has 
been turned into a text attachment, which you can retrieve by selecting Download. 
Once downloaded, open it with a word processor or text editor for reading.]

Hi. This is the qmail-send program at externet.hu.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
Varatlan hiba tortent!
Valoszinuleg nincs ilyen cim.

<menhely at externet.hu>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <adoptapettasap at cs.com>
Received: (qmail 12690 invoked from network); 8 Sep 2003 10:57:42 -0000
Received: from unknown (HELO DF59JR11) ([])
(envelope-sender <adoptapettasap at cs.com>)
by mail2.externet.hu (qmail-ldap-1.03) with SMTP
for <menhely at externet.hu>; 8 Sep 2003 10:56:46 -0000
From: <adoptapettasap at cs.com>
To: <menhely at externet.hu>
Subject: Re: Details
Date: Mon, 8 Sep 2003 6:56:46 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;

This is a multipart message in MIME format

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
Content-Type: application/octet-stream;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;


Return-Path: <>
Received: from  rly-xg01.mx.aol.com (rly-xg01.mail.aol.com []) 
by air-xg01.mail.aol.com (v95.12) with ESMTP id MAILINXG12-4483f5c60a738c; 
Mon, 08 Sep 2003 06:57:54 -0400
Received: from  externet.hu (mail2.externet.hu []) by 
rly-xg01.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXG16-4483f5c60a738c; Mon, 08 Sep 
2003 06:57:44 -0400
Received: (qmail 12701 invoked for bounce); 8 Sep 2003 10:57:42 -0000
Date: 8 Sep 2003 10:57:42 -0000
From: MAILER-DAEMON at externet.hu
To: adoptapettasap at cs.com
Subject: failure notice
Message-ID: <200309080657.4483f5c60a738c at rly-xg01.mx.aol.com>
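
Added example (not part of the original posts): one way to apply the reading given in the reply above, by taking the copy of the original message embedded in a qmail-style failure notice, recovering the HELO name and source IP the bouncing server logged, and deciding whether the bounce answers mail that really left our own relays. The sample notice, the `OUR_RELAYS` set and the function name are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr
# Constructed sample modelled on a qmail failure notice; all names and IPs
# are documentation values, not taken from the thread.
SAMPLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mail.example.net
Subject: failure notice

<nobody@example.net>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <user@example.com>
Received: (qmail 12690 invoked from network); 8 Sep 2003 10:57:42 -0000
Received: from unknown (HELO DF59JR11) (198.51.100.23)
  by mail.example.net (qmail-ldap-1.03) with SMTP
  for <nobody@example.net>; 8 Sep 2003 10:56:46 -0000
Subject: Re: Details

Please see the attached file for details.
"""

OUR_RELAYS = {"192.0.2.10"}  # assumption: IPs our genuine outbound mail leaves from
MARKER = "--- Below this line is a copy of the message."
# Matches the Received line the bouncing server wrote about the host that connected to it.
CONNECT_RE = re.compile(r"from\s+\S+\s+\(HELO\s+([^)]+)\)\s+\(\[?([0-9.]+)\]?\)")

def classify_bounce(raw, our_relays=OUR_RELAYS):
    """Decide whether a failure notice answers mail we sent or a forged sender."""
    outer = email.message_from_string(raw)
    result = {"null_sender": outer.get("Return-Path", "").strip() == "<>",
              "claimed_sender": None, "helo": None, "source_ip": None,
              "verdict": "unknown"}
    _, found, copy = raw.partition(MARKER)
    if not found:
        return result  # no embedded copy, nothing to trace
    inner = email.message_from_string(copy.lstrip())
    result["claimed_sender"] = parseaddr(inner.get("Return-Path", ""))[1] or None
    for received in inner.get_all("Received", []):
        m = CONNECT_RE.search(received)
        if m:
            result["helo"], result["source_ip"] = m.group(1), m.group(2)
            break
    if result["source_ip"]:  # a source outside our relays means the sender was forged
        result["verdict"] = "genuine" if result["source_ip"] in our_relays else "backscatter"
    return result
```

A `backscatter` verdict whose `source_ip` keeps recurring points at the host worth filtering at the perimeter, which is the case the reply describes blocking.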