[unisog] http://www.f-secure.com/news/items/news_2003082200.shtml

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Aug 22 18:45:40 GMT 2003

On Fri, 22 Aug 2003 09:42:19 PDT, Mike Iglesias said:
> > http://www.f-secure.com/news/items/news_2003082200.shtml
> It would be nice to get the list of 20 "pre-hacked" machines that Sobig-F
> is going to contact so people can block them at their border router.
> Anyone have the list?

Apparently half have been taken down already, but only 1 needs to be up to
make things bad.

Also, a router ACL only means any of YOUR boxes won't phone home - we don't
know yet what will be inbound from infected machines that do make it home...

Computers infected with the Sobig.F worm are programmed
to automatically download an executable of unknown function
from a hard-coded list of servers at 19:00 UTC (3:00pm EDT).
X-Force is recommending wholesale outbound filtering of
the following IP addresses:

The request method uses UDP port 8998. X-Force also
recommends that this port be filtered outbound.
