Sophos experts have advised network and system administrators
that they can take immediate action to prevent the W32/Sobig-F worm from
downloading a potentially malicious update from the internet.
The worm contains a list of encrypted IP addresses inside its
code, which the Sobig-F infected computers use to signal their
availability for an update. Infected computers will communicate with
the IP addresses on UDP port 8998. They will also be listening on
UDP ports 995-999 - perhaps in readiness for the updates to
arrive.
Sophos analysts have decrypted the list of IP addresses and have
reproduced it below:
12.158.102.205
12.232.104.221
24.33.66.38
24.197.143.132
24.202.91.43
24.206.75.137
24.210.182.156
61.38.187.59
63.250.82.87
65.92.80.218
65.92.186.145
65.95.193.138
65.93.81.59
65.177.240.194
66.131.207.81
67.9.241.67
67.73.21.6
68.38.159.161
68.50.208.96
218.147.164.29
Sophos has attempted to contact the owners of the IP addresses,
and some of the administrators have already taken action to block
infected computers from communicating with them.
Sophos advises companies, major ISPs and internet backbone
providers to consider blocking all access to the above list of IP
addresses, as this will protect infected users on their network
from receiving updates to W32/Sobig-F.
Another approach would be for network and system administrators
to consider blocking NTP requests (except to trusted servers) so
their infected computers do not know it is time to try and find the
malicious update.
Administrators should also consider eliminating or restricting
outbound use of UDP port 8998.
Customers should consult their firewall documentation, or
contact their firewall provider for assistance in implementing
these configuration changes.
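The following script is an added illustration of the two defensive steps above, not code from Sophos or from the advisory: it scans firewall log lines for internal hosts that contact the decrypted addresses or send UDP to port 8998 (or receive UDP from a listed address on ports 995-999), and it renders iptables rules that drop that traffic. The log line format, the internal address ranges and the sample log are assumptions constructed for the example; only the IP list and port numbers come from the advisory.

```python
import ipaddress
import re
from collections import defaultdict

# IP addresses that Sophos decrypted from the W32/Sobig-F code (the list in the advisory).
SOBIG_F_UPDATE_HOSTS = frozenset({
    "12.158.102.205", "12.232.104.221", "24.33.66.38", "24.197.143.132",
    "24.202.91.43", "24.206.75.137", "24.210.182.156", "61.38.187.59",
    "63.250.82.87", "65.92.80.218", "65.92.186.145", "65.95.193.138",
    "65.93.81.59", "65.177.240.194", "66.131.207.81", "67.9.241.67",
    "67.73.21.6", "68.38.159.161", "68.50.208.96", "218.147.164.29",
})

# Ports named in the advisory: the signalling port and the range infected hosts listen on.
BEACON_PORT = 8998
LISTEN_PORTS = range(995, 1000)   # 995-999 inclusive

# Assumed (constructed) firewall log format, one connection per line:
#   <timestamp> <ALLOW|DENY> <UDP|TCP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec, internal_nets):
    """Return (suspect_host, reason) if the record matches Sobig-F update behaviour, else None.

    Checks, from most to least specific:
      1. any traffic from an internal host to one of the decrypted update addresses
         (flagged even if the firewall denied it, since the attempt indicates infection);
      2. outbound UDP to port 8998 from an internal host, even to an unlisted address;
      3. inbound UDP from a listed address to the 995-999 listening range.
    """
    src = ipaddress.ip_address(rec["src"])
    src_internal = any(src in net for net in internal_nets)
    if src_internal and rec["dst"] in SOBIG_F_UPDATE_HOSTS:
        return rec["src"], "contacted known Sobig-F update address"
    if src_internal and rec["proto"] == "UDP" and rec["dport"] == BEACON_PORT:
        return rec["src"], "outbound UDP/8998 to unlisted address"
    if rec["src"] in SOBIG_F_UPDATE_HOSTS and rec["proto"] == "UDP" and rec["dport"] in LISTEN_PORTS:
        return rec["dst"], "inbound UDP from update address to listener ports 995-999"
    return None


def find_suspects(lines, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Map each suspect internal host to the list of reasons it was flagged."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec, nets)
        if result is not None:
            host, reason = result
            hits[host].append(reason)
    return dict(hits)


def block_rules(chain="FORWARD"):
    """Render iptables commands for the advisory's mitigations (example rendering, not a
    Sophos recipe): drop outbound UDP/8998 and drop all traffic to the listed addresses."""
    rules = [f"iptables -A {chain} -p udp --dport {BEACON_PORT} -j DROP"]
    for ip in sorted(SOBIG_F_UPDATE_HOSTS, key=ipaddress.ip_address):
        rules.append(f"iptables -A {chain} -d {ip} -j DROP")
    return rules


# Constructed sample log: two infected hosts, one host beaconing to an unlisted address,
# and benign NTP/HTTPS noise.
SAMPLE_LOG = """\
2003-08-22T19:00:01Z ALLOW UDP 192.168.1.20:1035 -> 12.158.102.205:8998
2003-08-22T19:00:02Z ALLOW UDP 192.168.1.20:1036 -> 24.33.66.38:8998
2003-08-22T19:00:03Z ALLOW UDP 192.168.1.21:123 -> 192.168.1.1:123
2003-08-22T19:00:04Z DENY TCP 192.168.1.22:2045 -> 65.92.80.218:80
2003-08-22T19:00:05Z ALLOW UDP 192.168.1.23:4000 -> 203.0.113.7:8998
2003-08-22T19:00:06Z ALLOW UDP 218.147.164.29:8998 -> 192.168.1.20:997
2003-08-22T19:00:07Z ALLOW TCP 192.168.1.24:3311 -> 198.51.100.9:443
""".splitlines()

if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(reasons))
    print("\n".join(block_rules()))
```

On the sample log the script flags 192.168.1.20 three times, 192.168.1.22 once (the denied TCP attempt still shows the host tried to reach a listed address) and 192.168.1.23 once for UDP/8998 to an address not on the list, which is why the advisory recommends restricting the port itself and not only the known destinations.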
Sophos has published more information about how
to disinfect computers and prevent the Trojan download.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.