Just when you thought it was safe to go back on the Internet, anti-virus experts are warning that PCs infected by the SoBig.F worm may on Friday become part of an as-yet unknown attack.
Experts at both Sophos Inc. and F-Secure Corp. say that the worm is programmed to automatically connect to one of several machines controlled by the worms creator. Once the connection is established, the worm will download and execute an unknown piece of code. Its not known what the program is designed to do, but experts fear it may involve a massive distributed denial-of-service (DoS) attack or something similar.
The downloads are set to commence at 3 p.m. EDT Friday and end three hours later.
Officials at Symantec Corp., in Cupertino, Calif., said that as of about 5:15 EDT Friday, 17 of the 20 servers that SoBig-infected PCs are programmed to contact are not responding. The remaining three machines are redirecting visitors to an adult Web site. Despite fears that the mass of infected PCs attempting to contact those servers would disrupt Internet traffic, measurements taken by Keynote Systems Inc., in San Mateo, Calif., show that so far there has been no effect on the overall performance of the global network.
Experts at both Sophos Inc. and F-Secure Corp. say that the worm is programmed to automatically connect to one of several machines controlled by the worms creator. Once the connection is established, the worm will download and execute an unknown piece of code. Its not known what the program is designed to do, but experts fear it may involve a massive distributed denial-of-service (DoS) attack or something similar.
“The main effect of SoBig.F to date has been to slow down the Internet with the sheer quantity of e-mails it has generated,” said Chris Belthoff, senior security analyst at Sophos, based in Lynnfield, Mass. “After 3 p.m. today, most U.S. companies will be winding down their day and starting their weekend, and any infected computers that are left on have the potential to become zombies, doing whatever the virus writer wants. If the writer of SoBig succeeds in installing a Trojan on infected PCs, users could be in for a nasty shock when they return to work on Monday.”
Sophos suggests that enterprises block outgoing requests on UDP port 8998 to help prevent the download activity. Security experts said that the machines that the infected PCs are instructed to contact appear to be previously-compromised home machines hooked up to broadband connections. Sophos officials are trying to contact the owners of the machines to warn them of the impending problem. The PCs are scattered across the United States, Canada and South Korea.
Anti-virus experts discovered the following list of 20 IP addresses in an encrypted portion of the SoBig.F body earlier this week:
67.73.21.6
68.38.159.161
67.9.241.67
66.131.207.81
65.177.240.194
65.93.81.59
65.95.193.138
65.92.186.145
63.250.82.87
65.92.80.218
61.38.187.59
24.210.182.156
24.202.91.43
24.206.75.137
24.197.143.132
12.158.102.205
24.33.66.38
218.147.164.29
12.232.104.221
68.50.208.96
Although the download times are coded into the worms instructions, its unclear when—or even if—any attack involving infected machines might begin. Theoretically, such an attack could begin any time after the program has been downloaded. Or, the attacker could wait weeks or months, biding his time until most people have fogotten about the worm.
But, by then, the worm may be eradicated from many of the PCs that are infected right now.
(Editors Note: This story has been modified since its original posting to include updates on the attack from Symantec and Keynote.)