How to stop the next mutation of Sobig.F

Tuesday 26 August 2003 at 20:02

Mixed in with the spam bounces from some vile spammer I'm also getting bounces originating from Sobig F along with lots of mail with attached .pif files. I know how to stop it. (spread the word :-)

According to Symantec's security response for Sobig.F:

Sobig.F can download arbitrary files to an infected computer and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers.

This functionality may also be used as a worm self-update feature. Under the correct conditions, Sobig.F attempts to contact one of the list of master servers, which the author of the worm controls. Then, the worm retrieves a URL that it uses to determine where to get the Trojan file, downloads the Trojan file to the local computer, and then executes it.

There are 20 specific computers on the net which Sobig.F will contact to determine the URL of a file to download. Last week the antivirus community shut down those 20 servers before any additional damage could be done. But it didn't take long for some bad guy to introduce a variant of Sobig.F which addresses this weakness.

The new Sobig.F variant contains an encrypted list of the names of seven servers operated by Time Warner Telecom (TWT)... Two of the servers are SMTP ... servers, ... the other five [are] apparently domain name servers.

I substantially snipped that quote to draw attention to the use of SMTP and especially DNS. The new strain no longer hard-codes the IP addresses of a finite number of servers. Instead it hard-codes seven domain names. It implies there will be secondary attacks where the bad guys crack DNS servers, or more likely Active Directory servers, so that they can control the IP addresses that are mapped to the Time Warner domain names.

The bad guys are breeding a virus that actively looks for mutations of itself. That ought to scare the hell out of you.

Here's how to stop it. Sobig is looking to download and execute code from some server. The mutations are playing games to allow the bad guys to control where that server is. Use their own code against them. Change your DNS servers to point the Time Warner names (with my apologies to Time Warner) to a server you control. Put a Sobig uninstaller there and let the viruses dutifully remove themselves from the infected systems.
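Once the worm's hard-coded names resolve to a resolver or sinkhole you control, the resolver's query log tells you exactly which machines are infected. The following is an added example, not code from the post: it scans BIND-style query-log lines (constructed here) for lookups of the worm's rendezvous names and reports each client that asked for them. The post does not list the seven Time Warner Telecom hostnames, so the names below are placeholders.

```python
import re
from datetime import datetime

# Placeholders standing in for the seven hard-coded hostnames; the post does
# not list the real ones, so these are assumed, not actual worm indicators.
SOBIG_RENDEZVOUS_NAMES = {
    "smtp1.twtelecom.example", "smtp2.twtelecom.example",
    "ns1.twtelecom.example", "ns2.twtelecom.example", "ns3.twtelecom.example",
    "ns4.twtelecom.example", "ns5.twtelecom.example",
}

# Constructed query-log lines in a BIND-style layout (not a real capture).
SAMPLE_LOG = [
    "26-Aug-2003 20:02:11.123 client 10.1.2.3#1034: query: ns1.twtelecom.example IN A +",
    "26-Aug-2003 20:02:12.004 client 10.4.4.4#2201: query: www.example.com IN A +",
    "26-Aug-2003 20:02:15.880 client 10.1.2.3#1035: query: smtp1.twtelecom.example IN A +",
    "26-Aug-2003 20:03:01.010 client 10.9.9.9#3120: query: NS2.TWTELECOM.EXAMPLE. IN A +",
    "26-Aug-2003 20:03:05.000 client 10.1.2.3#1036: query: ns1.twtelecom.example IN A +",
    "zone twtelecom.example/IN: loaded serial 2003082601",  # not a query line
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def find_infected_hosts(lines, sinkholed=SOBIG_RENDEZVOUS_NAMES):
    """Return {client_ip: {"count", "first_seen", "names"}} for every client
    that looked up one of the sinkholed worm names. Names are compared
    case-insensitively and without the trailing dot, as DNS requires."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip non-query log lines
        qname = m.group("qname").rstrip(".").lower()
        if qname not in sinkholed:
            continue  # ordinary traffic, not a worm rendezvous lookup
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        rec = hits.setdefault(m.group("ip"), {"count": 0, "first_seen": ts, "names": set()})
        rec["count"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["names"].add(qname)
    return hits


if __name__ == "__main__":
    for ip, rec in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(ip, rec["count"], rec["first_seen"], sorted(rec["names"]))
```

Each reported client is a host to clean up; on a real network, feed the script your resolver's query log and your own list of sinkholed names.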

That won't be the end of it. Viruses and immune systems evolve together. Every mutation in one creates selective pressures on the other. This process will continue indefinitely and we are going to see some truly nasty viruses in the future. Microsoft might now be genuinely concerned about tightening their security, but the world is still going to be suffering the consequences of their many years of monopoly laziness for a long time to come.

The best hope we have to limit the damage future viruses can cause is to rebuild our computer world with diverse operating systems and software. The Windows monoculture is enormously vulnerable, both for its size and for Microsoft's past sins. The more Windows users who switch to any other operating system the better. We can pretty much count on the fact that not everyone is going to switch, so there's little danger that some other OS will take Windows' place. Optimistically, if Windows were only 30% of the market with Solaris, Mac OS, Linux, FreeBSD, OpenBSD, and others splitting the rest of the market, we'd be in a much better position as far as viruses are concerned.

Here's an incentive to you reluctant Windows users: you can switch today and live in a much less hostile computing ecosystem.