Sobig.f Examined

On Tuesday, August 19, users across the Internet noticed an increasing flurry of suspicious emails. Sobig.f had set new records in the sheer quantity of email traffic for any single worm variant. This new, more prolific variant was a result of some programming fixes. Instead of trying to send emails one at a time, Sobig.f uses "threading" to allow it to send 7 emails at the same time. The overwhelming number of copies of this worm in people's inboxes showed the improved efficiency. However, many of those copies were likely sent from the same few addresses, so appearances are not always what they seem. In spite of the flood of worm emails, this variant was probably 100% ineffective at achieving its goal.

The goal, of course, is to create spam proxies, as outlined in the two previous papers Sobig.a and the Spam you Received Today and the follow-up paper Sobig.e - Evolution of the Worm. If you haven't read these papers, you should stop now and do so; there is a great deal of complexity to the Sobig worm family, and it has evolved over time. In this paper, we will deal primarily with the changes since Sobig.e.

Sobig.f was actually released on Monday August 18. Unfortunately, since the worm author's specific distribution method was revealed to the press, it is likely that the next worm will not use the same distribution method, costing AV companies valuable time in the race to inoculate users. Since Sobig.f did not deliver its final payload, it is certain that Sobig.g will soon follow.

At first glance, it would seem that the worm would have been massively effective. By Tuesday the worm was already spreading from thousands of computers world-wide. The problem was, the second-stage download routine was timed to occur on Friday the 22nd, giving law enforcement the head start they needed to shut down the "master" servers whose IP addresses were encrypted in the body of Sobig.f.

All but one of the master servers were shut down by the Friday 3:00pm EDT deadline. The one remaining server was shut down shortly thereafter, but it never "went live", that is, it never contained a valid URL for the second-stage trojan download. The URL that was returned by default was www.sex.com/dot/com, but that was a decoy, used as a placeholder until the real download URL could be inserted by the Sobig author. The week of lead-time will likely not be part of Sobig.g. There will likely be more hacked "master" servers in the next version, spread across many countries, and not enough time to have them all shut down.

Some AV companies reported that the list of master servers could be updated remotely via special UDP packets sent to ports 995-999. This was actually not the case; Sobig.f does not listen on these ports (although Sobig.e had). That the second-stage download did not occur is evidenced by the huge number of people still sending out worm-infected emails on the following Monday. Historically, every version of Sobig has removed its spreading component after the second-stage download is complete. So once the second stage is in place, you will no longer see the emails being sent from a host.

Some reports also indicated that we didn't know what "mystery code" would be downloaded by Sobig.f. This is not true for anyone who has been following the evolution of the Sobig worm family. So far every variant has done a second-stage download of the Lala trojan. This is an integral part of what makes Sobig; the worm itself is only one part of a larger picture. Stage three has always been a Wingate proxy. This has not changed since the worm's first incarnation.

Even though we do not have the code that was supposed to be downloaded this time, we can tell through anecdotal evidence that the proxy server ports have changed. Not only does a worm's release sometimes trigger a change in the Wingate proxy ports, but the ports will be updated on proxy hosts that were infected with previous variants.

The updated ports are now:

  • Port 2555 - RTSP Streaming Media Proxy
  • Port 3001 - Remote Control Service
  • Port 3380 - SOCKS Proxy server
  • Port 3381 - Telnet Proxy server
  • Port 3382 - WWW Proxy server
  • Port 3383 - FTP Proxy server
  • Port 3384 - POP3 Proxy server
  • Port 3385 - SMTP Server
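
The following is an added example, not code from the SecureWorks paper: a small detection routine that reads `netstat -an`-style output and flags sockets bound to the proxy ports listed above, and also to the UDP 995-999 range the paper says Sobig.e (but not Sobig.f) listened on for master-server list updates. The netstat sample embedded in it is constructed for illustration, not captured from an infected host, and the three-port threshold in `looks_like_wingate_proxy` is an assumption of this example rather than anything the paper states.

```python
# Added example (not from the SecureWorks paper): flag listening sockets on the
# Wingate proxy ports the paper attributes to the updated Sobig/Lala proxy, plus
# the UDP 995-999 range it says Sobig.e used for master-server list updates.
import re

# TCP ports listed in the paper, with the services it attributes to them.
SOBIG_PROXY_PORTS = {
    2555: "RTSP Streaming Media Proxy",
    3001: "Remote Control Service",
    3380: "SOCKS Proxy server",
    3381: "Telnet Proxy server",
    3382: "WWW Proxy server",
    3383: "FTP Proxy server",
    3384: "POP3 Proxy server",
    3385: "SMTP Server",
}

# UDP range the paper says Sobig.e (not Sobig.f) listened on.
SOBIG_E_UDP_PORTS = range(995, 1000)

# Windows `netstat -an` columns: Proto, Local Address, Foreign Address, State.
# UDP rows have no State column; Linux prints LISTEN rather than LISTENING.
_SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$",
    re.IGNORECASE,
)


def suspicious_sockets(netstat_lines):
    """Return sorted [(proto, port, label)] for sockets on the paper's ports."""
    hits = set()
    for line in netstat_lines:
        m = _SOCKET_RE.match(line)
        if not m:
            continue
        proto = m.group("proto").upper()
        port = int(m.group("port"))
        state = (m.group("state") or "").upper()
        if proto == "TCP" and state.startswith("LISTEN") and port in SOBIG_PROXY_PORTS:
            hits.add((proto, port, SOBIG_PROXY_PORTS[port]))
        elif proto == "UDP" and port in SOBIG_E_UDP_PORTS:
            hits.add((proto, port, "Sobig.e master-list update port"))
    return sorted(hits)


def looks_like_wingate_proxy(netstat_lines, threshold=3):
    """Heuristic (assumed threshold): a host listening on several proxy ports at once."""
    tcp_hits = [h for h in suspicious_sockets(netstat_lines) if h[0] == "TCP"]
    return len(tcp_hits) >= threshold


# Constructed sample output (not captured from a real infection).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3380           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3382           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3385           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:997            *:*
""".splitlines()

if __name__ == "__main__":
    for proto, port, label in suspicious_sockets(SAMPLE_NETSTAT):
        print(f"{proto} {port}: {label}")
    print("wingate-like proxy:", looks_like_wingate_proxy(SAMPLE_NETSTAT))
```

A single hit on one of these ports is weak evidence on its own, since nothing stops a legitimate service from using the same number; the set of proxy ports opening together on a host that was recently sending Sobig emails is the pattern worth paging on. On a real host, feed the function the lines of `netstat -an` instead of the constructed sample.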

Other than the changes described above, Sobig.f is much like Sobig.e. Sobig.g will probably be much more effective than any previous variant, as the author continues to learn from his/her mistakes. Hopefully the added exposure this variant has received will prompt people to be more careful about opening attachments; after all, this worm cannot spread without manual interaction of end users. Hopefully they'll do a better job at not clicking on Sobig.g.
