Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Sobig.f surprise attack today

  • From: Austad, Jay
  • Date: Fri Aug 22 17:43:15 2003

I don't think the purpose was to DoS them.  It looks like some of them were
hosts on Comcast's cable network, probably some user machines being used to
host the second part of the payload.

I just want to know what the second part of this thing does.  It's better
than watching TV.  :)

> -----Original Message-----
> From: Mark Segal [mailto:MSegal@Corporate.FCIBroadband.com]
> Sent: Friday, August 22, 2003 4:05 PM
> To: 'netadm'; 'nanog@merit.edu'
> Subject: RE: Sobig.f surprise attack today
> 
> 
> 
> My questions is what were those servers.. Was the purpose to denial of
> service attack them?  If so we just assisted that.. :)
> 
> mark
> 
> 
> --
> Mark Segal 
> Director, Network Planning
> FCI Broadband 
> Tel: 905-284-4070 
> Fax: 416-987-4701 
> http://www.fcibroadband.com
> 
> Futureway Communications Inc. is now FCI Broadband
> 
> 
> -----Original Message-----
> From: netadm [mailto:netadm@infolink.com] 
> Sent: August 22, 2003 3:50 PM
> To: nanog@merit.edu
> Subject: RE: Sobig.f surprise attack today
> 
> 
> 
> From http://www.f-secure.com/v-descs/sobig_f.shtml
> -----------------------------------------------------------------
> Update on 19:00 UTC 
> 
> When deadline for the attack was passed, one machine was still
> (somewhat) up. However, immediatly after the deadline, this 
> machine (located
> in the USA) was totally swamped under network traffic. 
> 
> We've tried connecting to it, just like the virus does. We do 
> this from
> three different sensors from three different machines in 
> three different
> countries. We haven't been able to connect to it once. If we 
> can't connect,
> neither can the viruses. 
> 
> So the attack failed. Whoa. 
> 
> We'll keep monitoring until 22:00 UTC. If we're not able to 
> connect once, we
> can safely say that the attack was prevented. 
> 
> 
> -----Original Message-----
> From: Andrew Kerr [mailto:andrew_kerr@iamnos.ca] 
> Sent: Friday, August 22, 2003 3:43 PM
> To: Jay Hennigan
> Cc: nanog@merit.edu
> Subject: Re: Sobig.f surprise attack today
> 
> 
> 
> Jay Hennigan wrote:
> > On Fri, 22 Aug 2003, Andrew Kerr wrote:
> > 
> > 
> >>Its been posted here, and f-secure has it, but I wrote a 
> quick script
> >>to keep an eye on the 20 servers and dump the output to a 
> simple page:
> >>
> >>http://207.195.54.37/sobig.html
> >>
> >>(Updates about every 5 mins)
> > 
> > 
> > You're probing the list of NTP servers the worm uses to get 
> the date,
> > not the list of hosts to which it "phones home".
> > 
> 
> 
> A few people pointed that out.  By the time this message hits 
> the list, 
> it should be corrected.
> 




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.