Sobig Phase 2 ?

Thread: Sobig Phase 2 ?

  1. #1
    Senior Member
    Join Date
    Apr 2002

    Question Sobig Phase 2 ?

    I've noticed a huge jump in the last 1 1/2 hours: some 314 hits at the firewall. While some are the Welchia worm, most are a wide TCP scan of all ports. Then again, it may be my ISP; they were hit big, but I'd guess Sobig had an alt on those 20 IP addys. Anyone else see the spike?
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glen Seaborg

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Yea, federal officials "claim" to have shut down the 2 dozen or so servers coordinating the "second wave."

    I dunno though, they might've not shut them all down...
    It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.

    Hit it!

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Just out of interest, how does phase 2 work?

    I know that at a certain time the worm tries to download a program from one of 20 different computers on a broadband connection,

    so if this is the case, why haven't they just decompiled the code and found the location that it's gonna be calling from?

    Or have they compromised a few servers around the globe and are using them as a form of proxy? And have they done this to quite a few so that it will take a while to trace back through the servers to find them??



  4. #4
    Join Date
    Sep 2002
    The idea with phase two was that the virus uploaded a key to one of the twenty servers. This then replied with the real address of the phase two virus (in the form of a URL). However, until the download time (8pm GMT) these 20 servers had the wrong URL (purposefully). This meant that the 'real' virus couldn't be found and analysed before it was downloaded and run.

    The list of the 20 URL servers was stored in the program in an encrypted list, to slow/stop the authorities from shutting them down. However, this was decrypted and the list of the 20 URL servers can be found here.
    "Death is more universal than life; everyone dies but not everyone lives."
    A. Sachs
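A defender-side model of the phase-two rendezvous described in the answer above, as an added example that is not code from this thread or from the worm: the rendezvous servers answer with a decoy URL until the activation time, and the only reliable signal for a defender is the outbound contact to the rendezvous addresses themselves. The host addresses, URLs, activation date and firewall log lines are constructed placeholders; the worm's real server list and payload URL are not reproduced.

```python
"""Model of the Sobig phase-two rendezvous and a detection over firewall logs.

Added example, not code from the thread or from the worm. Hosts, URLs,
activation date and log lines are constructed placeholders.
"""
from datetime import datetime, timezone
import re

# Constructed stand-ins for the twenty rendezvous hosts (TEST-NET-1, not real IoCs).
RENDEZVOUS_HOSTS = {f"192.0.2.{n}" for n in range(1, 21)}
# "8pm GMT" from the post; the date is a constructed assumption.
ACTIVATION = datetime(2003, 8, 22, 20, 0, tzinfo=timezone.utc)
DECOY_URL = "http://decoy.invalid/nothing"    # what the servers answer beforehand
REAL_URL = "http://payload.invalid/stage2"    # answered only once the window opens


def _utc(ts_iso: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(ts_iso).replace(tzinfo=timezone.utc)


def rendezvous_reply(now_iso: str) -> str:
    """Server behaviour the post describes: the real URL is withheld until the
    activation time, so anyone querying early only ever sees the decoy."""
    return REAL_URL if _utc(now_iso) >= ACTIVATION else DECOY_URL


LOG_RE = re.compile(r"^(?P<ts>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def infected_hosts(log_lines):
    """Detection: any internal host talking to a rendezvous address is suspect
    regardless of the reply; contacts before activation are an early warning.
    Returns {src: [(timestamp, 'pre' | 'post'), ...]}."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["dst"] not in RENDEZVOUS_HOSTS:
            continue
        phase = "pre" if _utc(m["ts"]) < ACTIVATION else "post"
        hits.setdefault(m["src"], []).append((m["ts"], phase))
    return hits


# Constructed outbound firewall log sample (ISO-8601 UTC timestamps).
SAMPLE_LOG = [
    "2003-08-22T18:30:00 OUT src=10.0.0.5 dst=192.0.2.7",
    "2003-08-22T18:31:00 OUT src=10.0.0.9 dst=198.51.100.3",
    "2003-08-22T20:05:00 OUT src=10.0.0.5 dst=192.0.2.12",
]

if __name__ == "__main__":
    for src, events in infected_hosts(SAMPLE_LOG).items():
        print(src, events)
```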
