[Dshield] cracking SoBig/SINIT/MyDoom, et alius

Joe Stewart jstewart at lurhq.com
Tue Feb 10 15:14:20 GMT 2004

On Tuesday 10 February 2004 9:10 am, Pete Cap wrote:
> FACT: the SoBig network is apparently still in existence since people
> are seeing SoBig traffic again/still... 

The Sobig traffic you are seeing is not an indication of anything new. 
Just people with their dates set wrong. Yes, there are still Sobig 
proxies out there, but they are dwarfed by the number of other newer 
proxies created over the last six months by other malware.

> FACT: the SINIT network is still in operation (that's the P2P one)...

I don't hear people mentioning the malformed DNS packets as much 
nowadays, so I don't know if this operation is defunct or not. It may 
have been abandoned, as it did have some shortcomings, and the 
CoolWebSearch author (who is believed to be behind Sinit) is known for 
changing his/her M.O. quite frequently.

> FACT: MyDoom has opened the door for ANOTHER network of compromised 

I don't feel that there are that many hosts still infected with MyDoom. 
So far I have only gotten hits on my honeypot from about 25 hosts 
infected with Doomjuice. With 64 threads scanning on each infected 
host, you'd expect there would be more by now. I think the actual 
number of infected users is in line with all the other viruses we know 
about - just the sheer amount of mail each one produces causes a 
perception that there are a lot of infected hosts. 

> At this point we have at least three highly successful
> implementations of the same idea: compromise a vast number of hosts
> and use them for...whatever.  Yes, I know this isn't an original
> idea--and I know we see scads of Botnets every day--but these three
> have been wildly successful whereas other attempts have not.

I think these have been widely publicized, but that's not necessarily an 
indication of their success. Autoproxy/Coreflood has probably infected 
more people than all of these, yet you never hear about it. And it's 
been operating for at least two years. It seems like every other piece 
of malware I've looked at in the past six months has a proxy component.
Jeem, Guzu, Lixy, Roxy, Ranck, Bagle, Bedrill, Migmaf, Kridge, and more. 
Combined, they easily exceed a million hosts.

> So what I'm wondering at this point is...are there any commonalities 
> among these things?  I'm not about to suggest that they were written 
> by the same person...but you have to wonder.  

The three you mentioned were definitely not written by the same person. 
However, they were written with the same motive: profit. There is now a 
black market for trojaned Windows systems, and it's not even that well 
hidden. There are public message boards where malware authors offer 
networks of trojaned systems for sale. Because most of them are in 
countries that do not have effective cybercrime laws or enforcement, 
they feel pretty confident they can get away with this.


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/