Progress made toward shutting down SoBig servers

Less than an hour before hundreds of thousands of computers infected by the latest Sobig worm were supposed to begin contacting compromised servers for further instructions, most, if not all, of the targeted servers have been shut down.

'A whole bunch of them are no longer available,' said Dan Ingevaldson, engineering manager of the X-Force security service of Internet Security Systems of Atlanta.

A recent scan by Government Computer News of the targeted IP addresses showed no response from 16 of them. Four addresses, three in Canada and one in the United States, appeared to still be available.

Mikko Hypponen, director of antivirus research at F-Secure Corp. in Finland, said shortly after 2 p.m. that all seemed to be shut down.

Sobig.F has infected hundreds of thousands of computers this week through e-mail attachments, and flooded networks in its attempts to replicate. Security firms found an encrypted payload set to activate this afternoon.

The worms are set to synchronize themselves from a central time source and execute the payload code at 3 p.m. Eastern time, noon Pacific time. Each worm was to contact one of 20 infected computers in the United States, Canada and South Korea and receive a Web address. The infected machines would then download and run a program from that address.

'We put the word out,' Ingevaldson said of the compromised servers. 'We hope that the service providers are filtering or unplugging the machines.' He added, 'Law enforcement may be involved at this point.'

Both the Homeland Security Department and the CERT Coordination Center at Carnegie Mellon University said they were aware of the second-phase SoBig attack and were monitoring the situation but would not comment on specific actions.

The targeted servers seemed to be randomly located home PCs with broadband connections, security officials have said. IP addresses for them are registered to service providers including AT&T Corp., Charter Communications Inc. of St. Louis, EarthLink Inc. of Atlanta, Time Warner Cable Inc. of Atlanta, Comcast Corp. and Sprint Corp. in this country; Bell Canada and Le Groupe Videotron in Canada; and Dacom Boranet in South Korea.

So far there have been no indications of the nature of the instructions or payload the worms were to download.

'Unfortunately, we don't know what this thing will be that is set to be downloaded,' said Dee Liebenstein, group product manager for Symantec Security Response, a part of Symantec Corp. of Cupertino, Calif. 'That is a mystery to us.'

About the Author

William Jackson is a Maryland-based freelance writer.
