On Sun, Sep 14, 2003 at 01:24:41AM -0700, Abigail Marshall wrote:

> computer. Most of these were DSL or cable modem id's - I
> figured it would be an easy matter for the ISP to monitor
> usage, see the problem, and simply shut down the problem
That is consistent with Sobig behaviour. http://www.lurhq.com/sobig-e.html reports the following:

    Sobig.d - Those who were tracking the Sobig variants knew that the author
    would probably stop using Geocities at this point. They were right - the
    next variant released a couple of weeks later used a stronger encryption
    algorithm, and no longer contained references to Geocities, or any other
    URL. The author moved to a slightly more sophisticated and covert method of
    getting the information needed in order to prevent the download sites from
    being shut down too quickly. Between 7:00 pm and 11:59 pm UTC, the worm
    would periodically send a packet on UDP port 8998 to a list of 22 IP
    addresses contained in the executable's encrypted strings. The packet
    contained an 8-byte key identifying itself as coming from a Sobig infectee.
    These IP addresses were all on cablemodems, some or all of which were
    probably hacked either by the author or the author's cohorts to serve
    answers to these incoming packets. Upon receiving the magic packet on port
    8998, some of the cable host servers returned garbage strings as a further
    subterfuge, but others returned an encrypted URL. Upon receiving the reply,
    Sobig.d would decrypt the URL and retrieve a file from that site. This file
    was the second stage payload.

>> There is no way to shut such machines off at the source in
>> order to protect the remaining network and to give the
>> machines' owners opportunity to correct the misbehaviour of their
>> machinery.

> Well, there is a way if the ISP wants it. I mean, as noted
> above, I reported the IP numbers to the abuse department - the
> ISPs obviously can shut down any IP they want.

Yes, and as you experienced, that mechanism involves too much manual work on all sides and does not scale at all. And _that_ is precisely the problem, as it is with almost all system and network administration problems.
Of course it is not a problem to identify and report a single IP, nor is it an effort to shut down a single cable modem. The very same thing becomes a completely different problem if you try it for 100, 10000 or 1000000 modems, IPs, users or whatever (http://www.amazon.com/exec/obidos/tg/detail/-/0201702711/ discusses that problem in great depth and from a lot of different angles - very much recommended read for anyone working in that area).

There is need for a 100% automated reporting mechanism that integrates with _all_ ISPs, uses a documented standard protocol so that there can be a lot of independent implementations that are nonetheless interoperable, and that are part of the system management software any ISP uses, independent of what particular brand or vendor provided equipment.

I do not propose automatic shutdown of remote IPs, that would open too many opportunities for DDoS. But a mechanism that allows me to file a complaint against an IP, automatically selecting the correct upstream provider and propagating my complaint into equipment that automatically identifies the offending component at that ISP's network, informs the relevant parties at that site and enables them to look into the problem without longish internal procedures would be a great help for all parties involved.

> It may not exist yet, but I think it is very feasible
> technology.

So do I. And Sobig makes a great point in emphasising how much need there is for such a system. It can help control virii, spam, and many other network wide, provider spanning problems.

Kristian

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
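The beaconing behaviour quoted from the LURHQ write-up (periodic UDP packets to port 8998, only between 19:00 and 23:59 UTC, to a fixed list of addresses) is exactly the kind of pattern an ISP could pick out of flow records automatically. The following is an added illustration, not code from the thread or from LURHQ: it reads constructed sample flow records (timestamp, source, destination, protocol, destination port, bytes; the record format and the IP addresses are assumptions) and flags any source host that sent UDP/8998 traffic to several distinct destinations inside the worm's active window.

```python
"""Flag hosts showing Sobig.d-style UDP/8998 beaconing in flow records."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow records (not captured traffic), one per line:
# "<ISO-8601 UTC timestamp> <src> <dst> <proto> <dst port> <bytes>"
SAMPLE_FLOWS = """\
2003-09-14T19:02:11Z 10.0.5.17 203.0.113.10 UDP 8998 36
2003-09-14T19:02:12Z 10.0.5.17 203.0.113.11 UDP 8998 36
2003-09-14T19:02:13Z 10.0.5.17 203.0.113.12 UDP 8998 36
2003-09-14T20:17:40Z 10.0.5.17 203.0.113.13 UDP 8998 36
2003-09-14T21:45:03Z 10.0.5.17 203.0.113.14 UDP 8998 36
2003-09-14T10:00:00Z 10.0.5.22 203.0.113.10 UDP 8998 36
2003-09-14T19:30:00Z 10.0.5.31 203.0.113.10 UDP 8998 36
2003-09-14T19:31:00Z 10.0.5.31 198.51.100.7 UDP 53 64
2003-09-14T19:32:00Z 10.0.5.40 198.51.100.9 TCP 8998 512
"""

BEACON_PORT = 8998      # UDP port Sobig.d uses to ask for its payload URL
WINDOW = range(19, 24)  # 19:00-23:59 UTC, the worm's active hours


def parse_flows(text):
    """Yield (timestamp, src, dst, proto, dport) from one record per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, _ = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield when.replace(tzinfo=timezone.utc), src, dst, proto.upper(), int(dport)


def find_beaconing_hosts(text, min_targets=3):
    """Return {src: sorted distinct dsts} for hosts that sent UDP/8998 to at
    least min_targets distinct destinations inside the worm's UTC window.
    Out-of-window traffic and other protocols/ports are ignored, so a single
    stray packet (e.g. 10.0.5.31 above) does not trigger a report."""
    targets = defaultdict(set)
    for when, src, dst, proto, dport in parse_flows(text):
        if proto == "UDP" and dport == BEACON_PORT and when.hour in WINDOW:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for host, dsts in find_beaconing_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {len(dsts)} UDP/{BEACON_PORT} destinations in window")
```

The threshold and the assumed record layout would be tuned to the ISP's own flow export; the point is that the report a human filed by hand in this thread can be generated, and routed to the right abuse contact, without anyone reading packets.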