SoBig Encore Not Likely, Say Experts

 
 
By Dennis Fisher  |  Posted 2003-08-27 Print this article Print
 
 
 
 
 
 
 

Anti-virus experts downplay recent claims that there is a second hidden cache of data in the worm's code that directs infected computers to contact a group of mail and name servers owned by an AOL Time Warner subsidiary.

Anti-virus experts are downplaying recent claims that there is a second hidden cache of data in the SoBig worms code that directs infected computers to contact a group of seven mail and name servers owned by an AOL Time Warner Inc. subsidiary. Officials at BitDefender, a unit of Softwin SRL in Bucharest, Romania, said on Tuesday that they had found a second set of encrypted server addresses in the code of the eminently annoying SoBig.F worm. All of the server names appear to belong to Time Warner Telecom Inc. "The code is quite straightforward and accurately indicates that the virus asks for information at this address, waits for the answer and than runs the downloaded file on the infected host," said Mihai Chiriac, a virus researcher at BitDefender. "As for the moment, there is no information at any of these addresses; we cant predict the codes effects."
BitDefenders claims come less than a week after a similar warning from several anti-virus companies touched off fears that the hundreds of thousands of SoBig-infected machines would all contact one of 20 PCs whose IP addresses were hidden in the worms code. Once connected to one of the PCs, the infected machines would download an unknown file and experts worried the action could be the precursor to a large-scale secondary attack.
But security specialists were able to locate and take down most of the 20 PCs before the hour at which the infected computers were supposed to begin their downloads. Despite the revelation of the additional server names in the worms instructions, anti-virus experts say there is little reason to get worked up. Ian Hameroff, eTrust security strategist at Computer Associates International Inc., in Islandia, N.Y., said the discovery of the server names is "nothing special" and does not constitute a "hidden treasure trove." Specialists in CAs anti-virus lab said the server names could simply be part of SoBig.Fs e-mail spreading routine. Time Warner Telecom, based in Littleton, Colo., is a provider of broadband optical networks for enterprises.
 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel