Has MSU blocked the addresses? I've pasted them in below the message from Russ Cooper.

>From: Russ <[log in to unmask]>
>Subject: [NTBUGTRAQ] SoBig.F Phase 2 - about to start, or not
>To: [log in to unmask]
>
>You know me, I like to go out on a limb.
>
>SoBig.F has an additional component (to the virus mass-mailing), it checks
>in with 20 IP addresses (home machines, we believe) that are listening on
>UDP 8998. Those machines return an encrypted web address, which the
>SoBig.F infected machines are supposed to then go to and pick up some
>executable. What that executable will do is unknown, but if anything, it
>most likely spams (the SoBig author has been known to spam from infected
>machines.)
>
>People have been hard at work ensuring the 20 machines are blocked, but
>they may not be. This thing triggers at 1900 UTC, all machines will go at
>that point.
>
>The most likely scenario is that the 20 sites are either blocked, or DoS'd
>as a result of the request load. Infected systems are to try these IPs for
>3 hours, then again on Sunday/Monday. Should they get the web address(es)
>they will then likely DoS the web servers too.
>
>I believe it's unlikely that anything much will come of this, but of course
>I could be wrong. Look for surges in traffic volume, or traffic on
>UDP8998. Do that for about 5 minutes, then go home for the weekend.
>
>By Sunday when this thing triggers again, all 20 IPs will almost
>definitely be closed.
>
>Cheers,
>Russ - NTBugtraq Editor

This list is from Gary Warner on the NTBugtraq list
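The check suggested in the quoted message (watching for traffic on UDP 8998 during the three-hour retry window that starts at the 1900 UTC trigger) can be run over border flow logs to find infected internal hosts. The following is an added example, not part of the original post; the log format, the trigger date and every address in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

CHECKIN_PORT = 8998          # UDP port named in the quoted message
WINDOW = timedelta(hours=3)  # infected hosts retry for 3 hours after the trigger

# Constructed sample flow records: format and addresses are assumptions.
SAMPLE_LOG = """\
2003-08-22T18:59:58Z UDP 10.1.4.17:1047 -> 192.0.2.10:53
2003-08-22T19:00:03Z UDP 10.1.4.17:1051 -> 192.0.2.44:8998
2003-08-22T19:00:04Z UDP 10.1.4.17:1052 -> 198.51.100.7:8998
2003-08-22T19:00:09Z UDP 10.1.9.80:2210 -> 192.0.2.44:8998
2003-08-22T19:02:11Z TCP 10.1.3.5:3301 -> 203.0.113.9:8998
2003-08-22T22:30:00Z UDP 10.1.7.2:1999 -> 192.0.2.44:8998
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (UDP|TCP) "
    r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse(line):
    """Return (time, proto, src, dst, dport), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:  # e.g. month 13
        return None
    return ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), m.group(4), int(m.group(5))

def checkin_suspects(log_text, trigger):
    """Map each source host to the destinations it sent UDP/8998 to in the window."""
    hits = defaultdict(set)
    for rec in filter(None, map(parse, log_text.splitlines())):
        ts, proto, src, dst, dport = rec
        if proto == "UDP" and dport == CHECKIN_PORT and trigger <= ts < trigger + WINDOW:
            hits[src].add(dst)
    return dict(hits)

if __name__ == "__main__":
    trigger = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)  # constructed date
    for src, dsts in sorted(checkin_suspects(SAMPLE_LOG, trigger).items()):
        print(f"{src} sent UDP/{CHECKIN_PORT} to {len(dsts)} host(s): {sorted(dsts)}")
```

A source that contacts several distinct destinations on this port within seconds of the trigger is the strongest signal; rerun with the later trigger time to cover the Sunday/Monday retry.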