Second and Third Stage SoBig Worm Infections Imminent
Date: Friday, August 22 @ 12:00:00 CEST
Topic: Security


ID#204970 High Threat 8/22/2003@11:55:38GMT

Title: Second and Third Stage SoBig Worm Infections Imminent

Abstract: The second and third stage attacks of the highly prevalent
SoBig.F worm are set to strike Aug. 22 and 23 from 3 to 6 p.m. EST
(1900-2200 UTC/GMT). Unbeknownst to most individuals, SoBig worms
actually infect computers in three distinct phases.

Description: The second and third stage attacks of the highly prevalent
SoBig.F worm are set to strike Aug. 22 and 23 from 3 to 6 p.m. EST
(1900-2200 UTC/GMT). Unbeknownst to most individuals, SoBig worms
actually infect computers in three distinct phases. If successful,
computers are infected with a backdoor Trojan and proxy server.

The Three Stages of SoBig

The first phase is the aggressive seeding and spreading of SoBig worm
code through e-mail and through open network shares. The second stage is
the installation of a backdoor Trojan horse. The third stage is the
installation of a proxy server on the infected computer.



Updates to the SoBig Family

SoBig worms all have the same general characteristics. Each variant has
been updated in various ways to avoid anti-virus detection of software
installed, to avoid rapid shutdown of remote websites hosting code, to
fix bugs in the code and to add new features. For example, SoBig.F
doesn't accidentally truncate the extension of the e-mail attachment and
has a multi-threaded SMTP engine for aggressive distribution of the
code. Perhaps the most important update regarding the installation of
additional malicious code is the change in the downloader component of
SoBig, seen in SoBig.D.

SoBig Downloader Component

SoBig.A had a simple downloader component. It simply checked the local
time of the computer and, when conditions were right, attempted to
retrieve a text file from a remote website. This website was hardcoded
into the worm code. Upon visiting this website early in the outbreak it
contained no data. However, a short time later analysts found a URL that
pointed to another server that hosted a backdoor Trojan horse. Worse, a
few hours later another URL appeared, pointing to a cracked copy of
WinGate to install a proxy server on the infected computer.

The idea behind the sequential downloader attack is simple. Infect a
large number of computers quickly using standard worm techniques. Then
install a backdoor Trojan to steal cached password data and gain remote
backdoor access to infected computers. This also enables the attacker to
build a database of the IP addresses of all infected computers from the
Trojan horse notifications. The third stage of infection then equips
infected computers that are still online with a proxy server, so that
these computers can be used to tunnel through to protect the identity of
the author, send out spam or seed malicious code into the wild.

Significant Changes to the Downloader Component

The problem with a downloader solution like this is that it relies
heavily upon the website(s) hardcoded into the malicious code. Once
security experts identify such remote websites, such sites are rapidly
removed from the Internet. Once removed, the author of SoBig is no
longer able to update computers with backdoor Trojan horse programs or
the proxy server. When SoBig.D came out in June 2003, about six months
after the first variant of SoBig, it changed tactics regarding the
downloader component.

SoBig.D did not use Geocities websites for the attack but used victim
computers instead. By identifying infected computers that always have
the same IP address, the author of SoBig was able to use them as file
servers for his secondary and tertiary attacks. It's much more difficult
to shut down the service to a subscriber than it is a Geocities website.
Additionally, multiple URLs can quickly be seeded to the downloader
addresses, pointing to multiple secondary file servers.

SoBig.F Attacks Pending

SoBig.F has 20 different high-speed IP addresses of various victims
included in the code. When SoBig.F secondary and tertiary conditions are
met, these computers are then infected with new malicious code. Instead
of using the local time, which is often incorrect, SoBig.F gathers the
date and time from remote NTP servers. This way every single infected
computer is performing coordinated downloads at the exact same time so
that the malicious actor carefully controls the rollout of a backdoor
Trojan and proxy server to infected SoBig computers.

As of Friday, Aug. 22, 2003, at 1900-2200 UTC hours (3 - 6 PM EST), the
SoBig worms will begin to communicate with the 20 victimized computers
with encrypted communications. At that time a backdoor Trojan horse will
likely be installed on all SoBig-infected computers. On Sunday, Aug. 24,
2003, for the same period, this process is repeated and will likely
result in the installation of the WinGate proxy server, customized for
malicious purposes. iDEFENSE is working closely with authorities in an
attempt to remove access to these 20 computers to help prevent the
installation of new malicious code on SoBig-infected computers.
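The two paragraphs above describe what a network defender can actually watch for: an outbound NTP query (the worm's clock sync) followed, inside the stated 1900-2200 UTC window, by contact with one of the hard-coded victim hosts. The script below is an added example, not part of the iDEFENSE report. It assumes a simple constructed firewall log format ("timestamp src -> dst:port/proto") and a placeholder host list in documentation IP ranges, since the report does not list the 20 real addresses; the destination ports in the sample are constructed as well.

```python
"""Flag hosts that contact the SoBig.F stage-two servers during the
activation window, and note whether they synced time via NTP just before.
Added example; log format, host list and ports are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Activation windows stated in the report: 1900-2200 UTC on Aug. 22 and 23, 2003.
ACTIVATION_WINDOWS = [
    (datetime(2003, 8, 22, 19, tzinfo=timezone.utc),
     datetime(2003, 8, 22, 22, tzinfo=timezone.utc)),
    (datetime(2003, 8, 23, 19, tzinfo=timezone.utc),
     datetime(2003, 8, 23, 22, tzinfo=timezone.utc)),
]

# PLACEHOLDER: the report says the worm carries 20 victim addresses but does
# not list them. These are constructed documentation-range IPs.
STAGE_TWO_HOSTS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Constructed log lines in the assumed format: "<ISO ts> <src> -> <dst>:<port>/<proto>"
LOG_LINES = """\
2003-08-22T18:58:12Z 10.1.1.20 -> 203.0.113.5:123/udp
2003-08-22T19:00:03Z 10.1.1.20 -> 192.0.2.10:4444/tcp
2003-08-22T19:00:05Z 10.1.1.20 -> 192.0.2.11:4444/tcp
2003-08-22T14:10:44Z 10.1.1.31 -> 192.0.2.10:4444/tcp
2003-08-22T19:30:00Z 10.1.1.42 -> 198.51.100.200:80/tcp
2003-08-22T18:59:50Z 10.1.1.55 -> 203.0.113.5:123/udp
2003-08-23T19:05:00Z 10.1.1.55 -> 198.51.100.7:4444/tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "port": int(m["port"]), "proto": m["proto"].lower()}


def in_activation_window(ts):
    return any(start <= ts < end for start, end in ACTIVATION_WINDOWS)


def find_stage_two_activity(lines, ntp_lookback=timedelta(hours=1)):
    """Return {src: {in_window, outside_window, ntp_sync_before}} for every
    internal host that contacted a stage-two server at all."""
    events = [e for e in (parse_line(l) for l in lines) if e]

    # Remember when each internal host sent an NTP query (UDP/123).
    ntp_times = defaultdict(list)
    for e in events:
        if e["proto"] == "udp" and e["port"] == 123:
            ntp_times[e["src"]].append(e["ts"])

    findings = {}
    for e in events:
        if e["dst"] not in STAGE_TWO_HOSTS:
            continue
        f = findings.setdefault(
            e["src"], {"in_window": 0, "outside_window": 0, "ntp_sync_before": False})
        if in_activation_window(e["ts"]):
            f["in_window"] += 1
        else:
            f["outside_window"] += 1
        # An NTP query shortly before the contact matches the worm's clock sync.
        if any(e["ts"] - ntp_lookback <= t <= e["ts"] for t in ntp_times[e["src"]]):
            f["ntp_sync_before"] = True
    return findings


if __name__ == "__main__":
    for src, f in sorted(find_stage_two_activity(LOG_LINES.splitlines()).items()):
        print(src, f)
```

Any contact with a listed host is reported, because a host that reaches one of them outside the window is still worth a look; the in-window count and the preceding NTP sync are what raise it to a likely SoBig.F infection. Replace the placeholder host set with the addresses your AV vendor publishes and point the parser at your own log format.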

Alias: SoBig, Win32.Sobig.f, W32.Sobig.F@mm, Sobig.F, W32/Sobig.f@MM,
WORM SOBIG.F

Analysis: SoBig.F is the fastest spreading and most widespread worm to
date, at least based on total interceptions. However, total
interceptions don't accurately reflect the total number of computers
infected with the worm. One computer may repeatedly perform mass
mailings to generate literally thousands of infected e-mails within a
short period. Millions of interceptions of SoBig.F have been made in the
first 36 hours of the outbreak, but a much smaller number of computers
are likely infected.

Several hundred thousand computers are likely infected with SoBig worms
to date. The malicious actor responsible for SoBig can remotely control
formerly infected computers as well as newly compromised computers ?

Detection: Remove all files associated with this malicious code threat.
Restore corrupted or damaged files with clean back-up copies. Restore
files potentially overwritten by the worm. Validate functionality of all
anti-virus and security-related software. Harden all accounts and
passwords against attack. Also look for Lala/Hooker and WinGate software
packages potentially installed by the SoBig worm, in addition to other
malicious codes.

Recovery: Remove all files associated with this malicious code threat.
Restore corrupted or damaged files with clean back-up copies. Restore
files potentially overwritten by the worm. Validate functionality of all
anti-virus and security-related software. Harden all accounts and
passwords against attack.

Workaround: Configure e-mail servers and workstations to block the file
types BAT, EXE, PIF, SCR, UUE, VBS, ZIP and others that are commonly
used by malicious code to spread to other computers. Carefully manage
all new files, scanning them with updated anti-virus software using
heuristics prior to use.

Simply blocking SCR and PIF e-mail attachments will most likely block
the e-mail component of this worm. Limit network shares as much as
possible to protect against the network shares component of this worm.
Especially avoid sharing startup directories and startup files that may
be exploited by such malicious code.
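The Workaround section above lists the attachment types to block at the mail gateway. The filter below is an added example, not part of the report, written with Python's standard email and zipfile modules. It normalizes filenames so that case tricks and padded double extensions ("report.txt   .PIF") are caught, and it can either block ZIP outright as the report recommends or open the archive and check the names inside. The sample message and its attachments are constructed.

```python
"""Attachment-extension filter for the file types named in the report.
Added example; the sample message is constructed."""
import io
import zipfile
from email.message import EmailMessage

# Extensions listed in the report's Workaround section.
BLOCKED_EXTENSIONS = {"bat", "exe", "pif", "scr", "uue", "vbs", "zip"}


def extension_chain(filename):
    """Return the lower-cased extensions of a filename, e.g. "a.txt .PIF" -> ["txt ", "pif"]."""
    name = filename.strip().rstrip(".").lower()
    parts = name.split(".")
    return parts[1:] if len(parts) > 1 else []


def is_blocked_name(filename):
    """Windows acts on the final extension, so that is the one checked."""
    chain = extension_chain(filename)
    return bool(chain) and chain[-1].strip() in BLOCKED_EXTENSIONS


def blocked_names_in_zip(data):
    """List archive members whose names carry a blocked extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_blocked_name(n)]
    except zipfile.BadZipFile:
        # An archive we cannot read is treated as a finding, not as clean.
        return ["<unreadable archive>"]


def scan_message(msg, inspect_archives=False):
    """Return [(filename, reason)] for each attachment that should be stopped.

    inspect_archives=False follows the report and blocks ZIP outright;
    True opens the archive and blocks it only if a member is blocked."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        chain = extension_chain(name)
        if inspect_archives and chain[-1:] == ["zip"]:
            inner = blocked_names_in_zip(part.get_payload(decode=True) or b"")
            if inner:
                findings.append((name, "archive contains: " + ", ".join(inner)))
        elif is_blocked_name(name):
            findings.append((name, "blocked extension ." + chain[-1].strip()))
    return findings


def build_sample_message():
    """Constructed message carrying the kinds of attachment names the worm uses."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"MZ-not-really", maintype="application",
                       subtype="octet-stream", filename="your_document.pif")
    msg.add_attachment("Just notes.\n", filename="notes.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("thank_you.scr", b"MZ-not-really")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    msg.add_attachment(b"MZ-not-really", maintype="application",
                       subtype="octet-stream", filename="wicked_scr.SCR")
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    print("strict:", scan_message(sample))
    print("inspecting archives:", scan_message(sample, inspect_archives=True))
```

The strict mode is the one the report asks for; archive inspection is a softer policy for sites that cannot drop ZIP entirely, and it still stops an archive that cannot be parsed, since a damaged or oddly packed file is not something to wave through.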

Vendor Fix: Multiple anti-virus vendors have released updated signature
files to protect against this malicious code. However, earlier variants
of SoBig worms have delivered new, undetected variants of the Lala/Hooker
worm.

-----------End Report

This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=544