[unisog] sobig.f SMTP hosts?

Russell Fulton r.fulton at auckland.ac.nz
Wed Aug 20 20:35:35 GMT 2003


On Thu, 2003-08-21 at 06:30, Pollock, Joseph wrote:
> Like everyone else, we're seeing a lot of sobig.f delivered to the campus.
> I've looked at the tech descriptions from the major antivirus vendors, and
> they all agree that the virus has its own SMTP engine, but unlike some
> previous advisories, there is no list of SMTP servers used by the virus.

The virus uses MX records which it gets by doing DNS lookups. I have
been picking up infections really quickly by analysing outbound DNS
traffic and looking for user machines that are talking to the root name
servers.  All but a handful of machines are configured to use our local
DNS servers so sobig infections stand out.

My watcher program actually picks them up as outbound scans on port 53.

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
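As an added illustration (not part of Russell's post) of the detection he describes: flag internal hosts whose port-53 traffic goes anywhere other than the site resolvers, treating a query to a root name server as a strong signal and a large number of distinct external DNS peers as a port-53 scan. The resolver addresses, internal range and flow records below are constructed; the three root-server addresses are real but the full set should be loaded from the root hints file.

```python
import ipaddress
from collections import defaultdict

# Constructed site policy: every workstation should resolve only through these.
LOCAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Root name servers: three shown, load the full set from the root hints file.
ROOT_SERVERS = {"198.41.0.4", "192.33.4.12", "192.5.5.241"}
SCAN_THRESHOLD = 5  # distinct external port-53 peers before flagging a scan

# Constructed flow records (src_ip, dst_ip, dst_port, proto); no real traffic.
SAMPLE_FLOWS = [
    ("10.0.5.17", "10.0.0.53", 53, "udp"),      # normal: local resolver
    ("10.0.5.17", "10.0.0.53", 53, "udp"),
    ("10.0.7.42", "198.41.0.4", 53, "udp"),     # infected host asks a root server
    ("10.0.7.42", "192.33.4.12", 53, "udp"),
    ("10.0.7.42", "203.0.113.10", 53, "udp"),   # then walks down to authoritative servers
    ("10.0.7.42", "203.0.113.11", 53, "udp"),
    ("10.0.7.42", "203.0.113.12", 53, "udp"),
    ("10.0.7.42", "203.0.113.13", 53, "udp"),
    ("10.0.9.9", "198.51.100.5", 53, "udp"),    # one stray query, below threshold
    ("10.0.0.53", "198.41.0.4", 53, "udp"),     # the site resolver itself may recurse
    ("10.0.5.17", "203.0.113.10", 80, "tcp"),   # not DNS, ignored
]

def suspicious_dns_hosts(flows, resolvers=LOCAL_RESOLVERS, roots=ROOT_SERVERS,
                         internal=INTERNAL_NET, threshold=SCAN_THRESHOLD):
    """Return {src_ip: {"roots": set, "external": set}} for internal hosts
    that send DNS traffic to anything other than the site resolvers."""
    peers = defaultdict(set)
    for src, dst, dport, proto in flows:
        if dport != 53 or proto not in ("udp", "tcp"):
            continue
        if src in resolvers or ipaddress.ip_address(src) not in internal:
            continue  # resolvers may recurse; external sources are out of scope
        if dst in resolvers:
            continue  # the expected path
        peers[src].add(dst)
    findings = {}
    for src, dsts in peers.items():
        hit_roots = dsts & roots
        if hit_roots or len(dsts) >= threshold:
            findings[src] = {"roots": hit_roots, "external": dsts}
    return findings

if __name__ == "__main__":
    for host, info in suspicious_dns_hosts(SAMPLE_FLOWS).items():
        print(host, "root servers:", sorted(info["roots"]),
              "distinct external DNS peers:", len(info["external"]))
```

Feeding it real flow or pcap summaries works the same way; the threshold and the resolver list are the only site-specific tuning.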