Who Wrote Sobig?

Opinion: It was the greatest e-mail worm of its era (meaning last year), but its real role was to help spammers hide their identities. Guess who might have written it?

Sobig hit the world on Aug. 18, 2003, and was an immediate success. The sixth variant, Sobig.F, may have been the most successful endemic mass-mailer worm. Estimates of the damages it caused were in the tens of millions of dollars, and the reward posted for the author was similarly fat.

Anonymous authors have released a document detailing forensic efforts to identify the author of this worm. They say that they hope to assist law enforcement efforts by releasing details and to demonstrate to the public how forensic techniques may be used to identify the authors of these attacks. They also say they stayed anonymous to keep the focus on Sobig and not them.

I was surprised to see that they identified a specific person. According to the paper, "... Ruslan Ibragimov of Moscow, Russia, and/or Ibragimovs development team, authored the Sobig virus. Ibragimov himself is the author of Send-Safe, a bulk mailing tool product that was explicitly designed for sending unsolicited email (spam)." Ibragimov has vehemently denied being the author of Sobig.

Whether he wrote Sobig or not, Ibragimov is an easy character to dislike. He is the proprietor of the Russian company Send-Safe, maker of quality spamming tools. (Please read about his products; theyre good blood-boiling material irrespective of this Sobig stuff. I especially seethed at his "Bulk IM" products.)


As the authors of the anonymous paper point out, Sobig was designed for exploitation by spammers. It was the first (to my knowledge) big e-mail worm to create backdoors to allow spammers to hijack systems for use as mail proxies.

The authors assert that the releases of Send-Safe and the releases of Sobig appear coordinated and indicate that the author of one had advance knowledge of the work of the other. Many of the programming skills necessary to write Sobig, the report authors say, are the same as those Ibragimov or his team used to write Send-Safe. Most damning, they say that large opcode sequences (meaning the machine instructions in the program) in Sobig and Send-Safe are identical, including many having specifically to do with sending e-mails.

Finally, why would Ibragimov do this? According to the report authors: "As Send-Safe provides a list of open proxies to subscribers, there is a clear financial motive for Ibragimov to have created the Sobig worm." Oy!

The rest of the report consists of specific evidence backing up these assertions. For instance, the report notes releases of Send-Safe that utilize features in new versions of Sobig and then use of those features by spammer groups that use Send-Safe. It notes specific programming techniques that are common between the two programs. Most of the 48-page report is actually file dumps that are only interesting if you want to replicate the work done in the report.

I cant verify the specific claims; I dont have access to all the software and data they have, but if their factual claims are accurate, then their conclusion that Ibragimov is involved is hard to dispute.

Next page: Sobig forensics in the past.