
Sophos has published this page to provide helpful links to the
very latest information about the W32/Sobig-F worm. Please
bookmark this page and return often to see the very latest news and
developments.
Timeline
22:00 GMT, 22 Aug 2003 - Attack phase ends: Computers infected with
W32/Sobig-F stop attempting to communicate with the remote IP
addresses. Sophos's team of researchers will continue to monitor
the situation over the weekend, and will update this page if there
are any updates during Sunday's attack phase.
21:05 GMT, 22 Aug 2003 - Out of the 20 IP addresses
referenced inside the code of the W32/Sobig-F worm, only one is
currently responding. That IP address has been traced by Sophos
researchers to Verona, New Jersey. However, there is no indication
that the worm is successfully communicating with it and so no
malicious downloads appear to be occurring. There is less than an
hour to go before the worm will stop trying to download an update
from the internet. Sophos's team of virus experts continues to
monitor the situation.
20:09 GMT, 22 Aug 2003 - Sophos has received no reports
from users who have downloaded new malicious content to their
computers via the W32/Sobig-F worm. Sophos's team of virus experts
continues to monitor the situation.
19:46 GMT, 22 Aug 2003 - Sophos reports that 400,000
instances of the W32/Sobig-F worm have attempted to break through
its email system since midnight.
19:00 GMT, 22 Aug 2003 - Attack phase begins: Computers infected with
W32/Sobig-F begin to attempt to communicate with the IP addresses
encrypted inside the worm. Some of the IP addresses are no longer
reachable, and there are unconfirmed reports that the FBI and Royal
Canadian Mounted Police have assisted in having some of those computers
disconnected from the internet.
15:15 GMT, 22 Aug 2003 - Sophos experts advise network and
system administrators on how they can take immediate action to
prevent the worm from downloading potentially malicious updates
from the internet.
11:45 GMT, 22 Aug 2003 - Sophos begins to contact the
owners of IP addresses referenced inside the W32/Sobig-F worm. This
involves contacting network administrators and computer owners in
several countries including USA, Canada and Korea.
11:29 GMT, 22 Aug 2003 - Sophos warns that W32/Sobig-F is
preparing to launch a second-wave attack by attempting to download
code from the internet from 19:00-22:00 GMT (8pm-11pm UK time).
19 Aug 2003 - Sophos issues protection against the W32/Sobig-F worm.
Enterprise Manager customers are automatically updated. Sophos
MailMonitor for SMTP users who had deployed threat reduction
technology were already protected.
Important information
W32/Sobig-F uses the Network Time Protocol (NTP) to query one of
several time servers for the current date and time, rather than
trusting the infected machine's own clock.
If the time returned by the NTP server is between 19:00 and 22:00 UTC
(8pm-11pm UK time, which is UTC+1 in August) on a Friday or Sunday,
W32/Sobig-F sends a UDP packet to port 8998 of one of the remote
servers whose addresses are carried inside the worm. This feature
could be used to download and run a Trojan or additional worm
components.
If the date is 10 September 2003 or later, the worm stops working.
To prevent malicious code from being downloaded by W32/Sobig-F, Sophos
strongly recommends that customers consider configuring company
firewalls so that outgoing connection attempts to UDP port 8998 are
blocked. Blocking the port stops the download but does not remove the
worm; infected machines still need to be identified and disinfected.
Customers should consult their firewall documentation, or contact
their firewall provider, for assistance in implementing this
configuration change.
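The two checks an administrator would want around this window, as an added example that is not Sophos's code: one function decides whether a UTC timestamp falls inside the worm's trigger window (Friday or Sunday, 19:00-22:00 UTC, before the 10 September 2003 kill date), and a second scans firewall log lines for outbound UDP packets to port 8998 and lists the internal hosts that sent them, which are the machines to pull off the network and disinfect. The log lines are constructed for this example and assume the netfilter LOG line format (SRC=, DST=, PROTO=, DPT= fields); adjust the regular expression for another firewall's format.

```python
"""Added example, not part of the Sophos advisory: W32/Sobig-F update-window
check and a firewall-log scan for outbound UDP/8998 attempts."""
import re
from datetime import datetime, timezone

# Values taken from the advisory above.
UPDATE_PORT = 8998          # destination UDP port of the worm's update packet
TRIGGER_DAYS = {4, 6}       # datetime.weekday(): 4 = Friday, 6 = Sunday
WINDOW_START_HOUR = 19      # window opens at 19:00 UTC
WINDOW_END_HOUR = 22        # window closes at 22:00 UTC (exclusive)
KILL_DATE = datetime(2003, 9, 10, tzinfo=timezone.utc)  # worm stops working


def utc(*args) -> datetime:
    """Build a timezone-aware UTC datetime from (year, month, day, hour, minute)."""
    return datetime(*args, tzinfo=timezone.utc)


def in_attack_window(ts: datetime) -> bool:
    """True if the given timestamp falls inside the worm's download window.

    The worm takes its time from an NTP server, i.e. UTC, so the caller must
    pass an aware datetime; local UK time (BST, UTC+1) is converted here.
    """
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware; the worm works in UTC")
    t = ts.astimezone(timezone.utc)
    if t >= KILL_DATE:
        return False
    return t.weekday() in TRIGGER_DAYS and WINDOW_START_HOUR <= t.hour < WINDOW_END_HOUR


# Assumed netfilter LOG line layout; only these fields are used.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def find_update_attempts(lines):
    """Return (src, dst) for every logged outbound UDP packet to UPDATE_PORT.

    TCP to 8998 and UDP to other ports (e.g. the worm's own NTP query on
    port 123) are deliberately not matched.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if m.group("proto").upper() == "UDP" and int(m.group("dpt")) == UPDATE_PORT:
            hits.append((m.group("src"), m.group("dst")))
    return hits


def infected_sources(lines):
    """Distinct internal hosts that tried to reach the update port."""
    return sorted({src for src, _ in find_update_attempts(lines)})


# Constructed sample log (documentation IP ranges, not the worm's real targets).
SAMPLE_LOG = """\
Aug 22 19:02:41 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=203.0.113.7 LEN=36 PROTO=UDP SPT=1061 DPT=8998 LEN=16
Aug 22 19:02:43 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=203.0.113.9 LEN=36 PROTO=UDP SPT=1062 DPT=8998 LEN=16
Aug 22 19:02:50 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.1.7.5 DST=198.51.100.20 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 22 19:03:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.1.9.14 DST=203.0.113.7 LEN=36 PROTO=UDP SPT=1027 DPT=8998 LEN=16
Aug 22 19:03:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.1.2.2 DST=198.51.100.30 LEN=60 PROTO=TCP SPT=3322 DPT=8998 WINDOW=65535
"""

if __name__ == "__main__":
    print("window open at 19:00 UTC Fri 22 Aug:", in_attack_window(utc(2003, 8, 22, 19, 0)))
    print("window open at 20:00 UTC Sat 23 Aug:", in_attack_window(utc(2003, 8, 23, 20, 0)))
    for src, dst in find_update_attempts(SAMPLE_LOG.splitlines()):
        print(f"update attempt {src} -> {dst}:{UPDATE_PORT}")
    print("hosts to disinfect:", infected_sources(SAMPLE_LOG.splitlines()))
```

Run it against the real firewall log (e.g. `grep DPT=8998 /var/log/kern.log`) instead of the sample; any internal host in the output should be treated as infected even if the packet was dropped at the perimeter, since the worm only sends this packet when it is already running.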
Read information about how to disinfect W32/Sobig-F and protect
yourself against attack.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.