[Dshield] cracking SoBig/SINIT/MyDoom, et alius
jstewart at lurhq.com
Tue Feb 10 15:14:20 GMT 2004
On Tuesday 10 February 2004 9:10 am, Pete Cap wrote:
> FACT: the SoBig network is apparently still in existence since people
> are seeing SoBig traffic again/still...
The Sobig traffic you are seeing is not an indication of anything new.
Just people with their dates set wrong. Yes, there are still Sobig
proxies out there, but they are dwarfed by the number of other newer
proxies created over the last six months by other malware.
> FACT: the SINIT network is still in operation (that's the P2P one)...
I don't hear people mentioning the malformed DNS packets as much
nowadays, so I don't know if this operation is defunct or not. It may
have been abandoned, as it did have some shortcomings, and the
CoolWebSearch author (who is believed to be behind Sinit) is known for
changing his/her M.O. quite frequently.
> FACT: MyDoom has opened the door for ANOTHER network of compromised
I don't feel that there are that many hosts still infected with MyDoom.
So far I have only gotten hits on my honeypot from about 25 hosts
infected with Doomjuice. With 64 threads scanning on each infected
host, you'd expect there would be more by now. I think the actual
number of infected users is in line with all the other viruses we know
about - just the sheer amount of mail each one produces causes a
perception that there are a lot of infected hosts.
> At this point we have at least three highly successful
> implementations of the same idea: compromise a vast number of hosts
> and use them for...whatever. Yes, I know this isn't an original
> idea--and I know we see scads of Botnets every day--but these three
> have been wildly successful whereas other attempts have not.
I think these have been widely publicized, but that's not necessarily an
indication of their success. Autoproxy/Coreflood has probably infected
more people than all of these, yet you never hear about it. And it's
been operating for at least two years. It seems like every other piece
of malware I've looked at in the past six months has a proxy component.
Jeem, Guzu, Lixy, Roxy, Ranck, Bagle, Bedrill, Migmaf, Kridge, and more.
Combined, they easily exceed a million hosts.
> So what I'm wondering at this point is...are there any commonalities
> among these things? I'm not about to suggest that they were written
> by the same person...but you have to wonder.
The three you mentioned were definitely not written by the same person.
However, they were written with the same motive: profit. There is now a
black market for trojaned Windows systems, and it's not even that well
hidden. There are public message boards where malware authors offer
networks of trojaned systems for sale. Because most of them are in
countries that do not have effective cybercrime laws or enforcement,
they feel pretty confident they can get away with this.
Joe Stewart, GCIH
Senior Security Researcher