Progress made toward shutting down SoBig servers

Less than an hour before hundreds of thousands of computers infected by the latest Sobig worm were supposed to begin contacting compromised servers for further instructions, most, if not all, of the targeted servers have been shut down.

'A whole bunch of them are no longer available,' said Dan Ingevaldson, engineering manager of the X-Force security service of Internet Security Systems of Atlanta.

A recent scan by Government Computer News of the targeted IP addresses showed no response from 16 of them. Four addresses, three in Canada and one in the United States, appeared to still be available.

Mikko Hypponen, director of antivirus research at F-Secure Corp. in Finland, said shortly after 2 p.m. that all seemed to be shut down.

Sobig.F has infected hundreds of thousands of computers this week through e-mail attachments, and flooded networks in its attempts to replicate. Security firms found an encrypted payload set to activate this afternoon.

The worms are set to synchronize themselves from a central time source and execute the payload code at 3 p.m. Eastern time, noon Pacific time. Each worm was to contact one of 20 infected computers in the United States, Canada and South Korea and receive a Web address. The infected machines would then download and run a program from that address.
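The two-stage behavior described above (a scheduled contact to a short list of hard-coded servers, then a download from whatever address they hand back) is exactly what a network defender can watch for once the server list is known. The following is an added illustration, not code from this article or from any of the security firms quoted in it: it scans firewall log lines for outbound connections to a list of second-stage servers and marks which ones fall inside the 3 p.m. Eastern activation window. The server addresses are placeholders from the RFC 5737 documentation ranges, not the real addresses; the log format and log lines are constructed; and timestamps are assumed to already be in Eastern time.

```python
"""Flag outbound contacts to known second-stage servers around a scheduled activation time.

Added illustration, not the article's own material. The server list, log format and
log lines below are constructed placeholders.
"""
from datetime import datetime, time
import re

# Constructed placeholder list standing in for the 20 hard-coded second-stage servers the
# article describes. These are RFC 5737 documentation addresses, not real hosts.
SECOND_STAGE_SERVERS = {"192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.42"}

# Activation time from the article: 3 p.m. Eastern. The length of the watch window is an
# assumption for this example; the article gives only the start time.
WINDOW_START = time(15, 0)
WINDOW_END = time(18, 0)

# Constructed log format: "<YYYY-MM-DD HH:MM:SS> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>ALLOW|DENY)$"
)

# Constructed sample log, timestamps in Eastern time. The 14:58 line shows a host whose
# clock is slightly ahead; it still contacts a listed server and is still worth flagging.
SAMPLE_LOG = """\
2003-08-22 14:58:12 10.0.0.5 -> 192.0.2.10:8000 ALLOW
2003-08-22 15:00:03 10.0.0.5 -> 192.0.2.10:8000 ALLOW
2003-08-22 15:00:04 10.0.0.9 -> 198.51.100.7:8000 ALLOW
2003-08-22 15:01:10 10.0.0.9 -> 93.184.216.34:80 ALLOW
2003-08-22 15:02:44 10.0.0.12 -> 203.0.113.42:8000 DENY
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def in_window(ts):
    """True if the timestamp falls inside the assumed activation window."""
    return WINDOW_START <= ts.time() < WINDOW_END


def flag_second_stage_contacts(log_text, servers=SECOND_STAGE_SERVERS):
    """Return every parsed record whose destination is a listed second-stage server.

    Contacts are flagged whether or not they fall in the window (a clock that is off
    would shift them); the in_window field records which ones match the schedule.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in servers:
            continue
        rec["in_window"] = in_window(rec["ts"])
        hits.append(rec)
    return hits


def infected_hosts(hits):
    """Sorted, de-duplicated list of internal hosts that reached a listed server."""
    return sorted({h["src"] for h in hits})


def summarize(hits):
    """Count how many flagged contacts got through versus were blocked by filtering."""
    allowed = sum(1 for h in hits if h["action"] == "ALLOW")
    return {"allowed": allowed, "denied": len(hits) - allowed}


if __name__ == "__main__":
    found = flag_second_stage_contacts(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], "->", h["dst"], h["action"], "in_window=%s" % h["in_window"])
    print("hosts to isolate:", infected_hosts(found))
    print("summary:", summarize(found))
```

The denied line in the sample is what the filtering the article hopes for looks like in a log: the contact is blocked, but the source host is still infected and should be listed for cleanup. Because the worm synchronizes its own clock before acting, the timestamps that matter are the network device's, so normalize them to one zone before comparing against the window.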

'We put the word out,' Ingevaldson said of the compromised servers. 'We hope that the service providers are filtering or unplugging the machines.' He added, 'Law enforcement may be involved at this point.'

Both the Homeland Security Department and the CERT Coordination Center at Carnegie Mellon University said they were aware of the second-phase SoBig attack and were monitoring the situation but would not comment on specific actions.

The targeted servers seemed to be randomly located home PCs with broadband connections, security officials have said. IP addresses for them are registered to service providers including AT&T Corp., Charter Communications Inc. of St. Louis, EarthLink Inc. of Atlanta, Time Warner Cable Inc. of Atlanta, Comcast Corp. and Sprint Corp. in this country; Bell Canada and Le Groupe Videotron in Canada; and Dacom Boranet in South Korea.

So far there have been no indications of the nature of the instructions or payload the worms were to download.

'Unfortunately, we don't know what this thing will be that is set to be downloaded,' said Dee Liebenstein, group product manager for Symantec Security Response, a part of Symantec Corp. of Cupertino, Calif. 'That is a mystery to us.'

About the Author

William Jackson is a Maryland-based freelance writer.
