[unisog] sobig.f SMTP hosts?

Pollock, Joseph PollockJ at evergreen.edu
Wed Aug 20 20:35:35 GMT 2003

I've been curious about this aspect of the server because my final hop
records have been showing hosts that do not appear to be desktop hosts/dhcp
addresses and the like.  I know some other viruses have used relays even
though they contained their own SMTP engine, and some discussion of spam
relay trojans indicates that a preferred mode of operation may be to use
such a relay host because it is likely more powerful than the desktop.

-----Original Message-----
From: H. Morrow Long [mailto:morrow.long at yale.edu]
Sent: Wednesday, August 20, 2003 1:20 PM
To: Pollock, Joseph
Cc: 'unisog at sans.org'
Subject: Re: [unisog] sobig.f SMTP hosts?

 From what I've seen of the Sobig.F mail 'server' (SMTP
outgoing engine) it appears to function as a 'smart' host
(e.g. it can do full DNS resolution, finds MX records, etc)
and it therefore doesn't need the services of a smarter
SMTP server but can function fine completely standalone
(e.g. it doesn't appear to use the SMTP host setting on
the user's email client).

H. Morrow Long, CISSP
Director - Information Security
Yale University, ITS

Pollock, Joseph wrote:

> Like everyone else, we're seeing a lot of sobig.f delivered to the campus.
> I've looked at the tech descriptions from the major antivirus vendors, and
> they all agree that the virus has its own SMTP engine, but unlike some
> previous advisories, there is no list of SMTP servers used by the virus.
> Is this one using the SMTP host configured on the victim's machine?  If this
> is the case, a number of my users may be able to contact the infected
> machine's owner.  If this is not the case, I don't want them to waste
> time trying.
> Joe Pollock
> Network Services
> The Evergreen State College
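
The final-hop check discussed in this thread, as an added example that is not part of either message: it reads the `Received` stamp written by the receiving site's own MX and guesses whether the connecting host was an end-user machine delivering directly or a mail relay. The MX name `mx.campus.example`, the Postfix-style stamp layout, the reverse-DNS keyword heuristic and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_MX = {"mx.campus.example"}   # assumption: name of our own inbound MX
POOL_HINT = re.compile(r"dhcp|dsl|dial|ppp|pool|cable|dyn", re.I)  # heuristic only
# Assumed Postfix-style stamp: from HELO (rdns [ip]) by our-mx ...
STAMP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)"
                   r"\s+by\s+(?P<by>\S+)", re.I)

# Constructed samples using documentation address ranges, not real traffic.
DIRECT = """\
Received: from LAPTOP7 (dhcp-42.pool.isp.example [192.0.2.42])
\tby mx.campus.example (Postfix) with ESMTP id 1A2B3C; Wed, 20 Aug 2003 13:01:00 -0700
Received: from mail.other.example (mail.other.example [198.51.100.9])
\tby LAPTOP7 with SMTP; Wed, 20 Aug 2003 12:59:00 -0700
From: someone@other.example
Subject: sample one

body
"""
RELAYED = """\
Received: from smtp.dept.example (smtp.dept.example [203.0.113.25])
\tby mx.campus.example (Postfix) with ESMTP id 4D5E6F; Wed, 20 Aug 2003 13:05:00 -0700
From: user@dept.example
Subject: sample two

body
"""

def final_hop(raw):
    """Return the hop recorded by our own MX; older stamps are sender-supplied."""
    for hdr in message_from_string(raw).get_all("Received", []):  # newest first
        m = STAMP.search(" ".join(hdr.split()))                   # unfold header
        if m and m.group("by").lower() in TRUSTED_MX:
            return m.groupdict()
    return None

def classify(hop):
    """Rough guess at what kind of host made the connection to our MX."""
    if hop is None:
        return "no trusted stamp"
    if POOL_HINT.search(hop["rdns"]) or "." not in hop["helo"]:
        return "end-user host delivering directly"
    return "mail server or relay"

if __name__ == "__main__":
    for raw in (DIRECT, RELAYED):
        hop = final_hop(raw)
        print(hop["ip"], hop["rdns"], "->", classify(hop))
```

Only the stamp added by the receiving site's own server is used, because any `Received` line below it was supplied by the connecting host and proves nothing about the path.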
