[61082] in North American Network Operators' Group
RE: Sobig.f surprise attack today
daemon@ATHENA.MIT.EDU (Todd Mitchell - lists)
Fri Aug 22 14:14:07 2003
From: "Todd Mitchell - lists" <lists@ciphin.com>
To: <jdawson@flexpop.net>, <nanog@merit.edu>
Date: Fri, 22 Aug 2003 14:13:27 -0400
In-Reply-To: <Pine.BSI.4.10.10308221100151.11138-100000@pdx-s02.navi.net>
Errors-To: owner-nanog-outgoing@merit.edu
| Jim Dawson
| Sent: Friday, August 22, 2003 2:02 PM
| Subject: Sobig.f surprise attack today
|
| F-Secure Corporation is warning about a new level of attack to be
| unleashed by the Sobig.F worm today. Supposed to take place at 1900
| UTC.
|
| http://www.f-secure.com/news/items/news_2003082200.shtml
See the following message sent out by X-Force a few hours ago.
Todd
--------------------------------------------------------------------------
Computers infected with the Sobig.F worm are programmed
to automatically download an executable of unknown function
from a hard-coded list of servers at 19:00 UTC (3:00pm EDT).
X-Force is recommending wholesale outbound filtering of
the following IP addresses:
The request method uses UDP port 8998. X-Force also
recommends that this port be filtered outbound.
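
An added example (not part of the original message or the X-Force advisory): besides blocking, the same two criteria can be used to find internal hosts that are already infected, by flagging outbound UDP 8998 traffic and any traffic to blocklisted addresses in flow records. The CSV layout, the 10.0.0.0/8 internal range and the RFC 5737 placeholder blocklist are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SOBIG_PORT = 8998  # UDP port named in the advisory
# Placeholder blocklist (RFC 5737 documentation addresses), NOT the advisory's list.
BLOCKLIST = {ipaddress.ip_address(a) for a in ("192.0.2.10", "198.51.100.7")}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# Constructed sample flow records: time(UTC),proto,src,sport,dst,dport
SAMPLE_FLOWS = """\
2003-08-22T18:59:58Z,udp,10.1.4.23,1046,192.0.2.10,8998
2003-08-22T19:00:01Z,udp,10.1.4.23,1047,198.51.100.7,8998
2003-08-22T19:00:02Z,udp,10.1.9.77,1233,203.0.113.5,8998
2003-08-22T19:00:03Z,udp,10.1.2.5,1029,203.0.113.53,53
2003-08-22T19:00:04Z,tcp,10.1.2.5,3310,192.0.2.10,8998
2003-08-22T19:00:05Z,udp,203.0.113.9,8998,10.1.2.5,8998
not,a,valid,row
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def suspect_hosts(flow_text):
    """Return {internal_src: {"port": n, "blocklist": n}} for outbound matches."""
    hits = defaultdict(lambda: {"port": 0, "blocklist": 0})
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            _ts, proto, src, _sport, dst, dport = row
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # skip malformed records
        if not is_internal(src) or is_internal(dst):
            continue  # only outbound traffic is of interest
        if proto.lower() == "udp" and dport == SOBIG_PORT:
            hits[str(src)]["port"] += 1   # matches the port filter
        if dst in BLOCKLIST:
            hits[str(src)]["blocklist"] += 1  # matches the address filter, any protocol
    return dict(hits)

if __name__ == "__main__":
    for host, counts in sorted(suspect_hosts(SAMPLE_FLOWS).items()):
        print(host, counts)
```

A host that hits the port filter but not the blocklist, like the third constructed record, is still worth investigating, since it contacted UDP 8998 on an address the blocklist does not cover.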