Antivirus Software

with Mary Landesman
Mass Attack of SoBig.F

 
      Related Resources
• SoBig.F Description
• SoBig.F Removal
• Finding the Real SoBig.F Sender

Elsewhere on the Web
• SoBig.E: Evolution of the Worm
• SoBig.A: Spam Worm


Worm wreaks havoc worldwide

Aug 26 2003  

On the 18th of August 2003, using a hacked computer and a stolen credit card, someone calling themselves "Misiko" posted the SoBig.F binary to several porn newsgroups via Easynews under the subject "Nice, who has more of it? DSC-00465.jpeg". By the following day, hundreds of thousands of copies of the SoBig.F email worm were flooding inboxes worldwide. The messages arrived with subject lines such as 'Re: That movie', 'Re: Your application', 'Your details', 'Re: Wicked screensaver', 'Thank you!', 'Re: Thank you!', 'Re: Details' and 'Re: Approved'; SoBig's presumed goal was to turn infected systems into spam relays. Within 24 hours, UK-based managed service provider MessageLabs had intercepted one million SoBig.F emails, one in every 17 messages it scanned, far above the previous record holder Loveletter (one in 28). Even those figures were small compared with the count at NY-based Berrex Computer Solutions, another managed service provider, which had already stopped three million SoBig.F emails on its first day, with the numbers still rising.

Though the numbers were alarming, it was soon clear that relatively few source IP addresses were behind the mailings. Despite millions of SoBig.F emails swamping servers and threatening a denial of service (DoS) against mail systems, the actual number of infected hosts may have been as low as tens of thousands. At first glance that sounds heartening, but consider the implication: a worm that infected only a small number of machines still impacted millions of users. SoBig.F is a rude reminder that we are all exposed to the follies and negligence of our online companions; one person's unprotected system can become a global nightmare for the rest of us.

As with previous variants, it was known that SoBig.F was designed to update itself. In this case, between 1900 and 2200 UTC each Friday and Sunday from August 22nd through September 6th, SoBig.F would attempt to retrieve a text file over the Internet. This second-stage download would give the worm the location of further components to fetch, dubbed the third stage. Examining the code, investigators decrypted a set of twenty IP addresses presumed to serve the second stage. To thwart the worm, nearly all of those addresses were taken offline minutes before SoBig.F was due to begin its update attempts on the 22nd.
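The update schedule above is precise enough to drive a detection filter over outbound connection logs. The Python below is an added example, not code from the original article or from any of the investigators it mentions: it checks each logged connection against the window (1900-2200 UTC, Fridays and Sundays, 22 August to 6 September 2003) and against a destination list. The destination addresses are constructed placeholders from the TEST-NET ranges, not the worm's real "magic 20" list, and the log lines and their format are assumptions made for the demonstration. The one practical caveat it handles is the timezone: a log stamped in local time must be converted before the comparison, or the window is missed entirely.

```python
"""Added example (not code from the original article): flag outbound
connections that fall inside SoBig.F's scheduled update window.

The window comes from the article: 1900-2200 UTC on Fridays and Sundays,
22 August 2003 through 6 September 2003.  The destination addresses are
constructed placeholders from the TEST-NET ranges, NOT the worm's real
"magic 20" list, and the log lines and their format are made up for the
demonstration.
"""
from datetime import date, datetime, time, timezone

WINDOW_FIRST_DAY = date(2003, 8, 22)
WINDOW_LAST_DAY = date(2003, 9, 6)
WINDOW_WEEKDAYS = {4, 6}        # datetime.weekday(): Monday=0 ... Friday=4, Sunday=6
WINDOW_OPEN = time(19, 0)       # inclusive
WINDOW_CLOSE = time(22, 0)      # exclusive

# Placeholder stand-ins for the hard-coded second-stage hosts (assumption).
SECOND_STAGE_HOSTS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Constructed firewall log: "<ISO-8601 timestamp with offset> <src> -> <dst>".
SAMPLE_LOG = [
    "2003-08-22T19:03:11+0000 192.168.1.20 -> 192.0.2.10",    # Friday, in window
    "2003-08-22T15:03:11-0400 192.168.1.21 -> 192.0.2.11",    # local time, = 19:03 UTC
    "2003-08-22T18:59:59+0000 192.168.1.22 -> 192.0.2.10",    # one second early
    "2003-08-23T19:30:00+0000 192.168.1.23 -> 192.0.2.10",    # Saturday
    "2003-08-22T19:30:00+0000 192.168.1.24 -> 203.0.113.5",   # not a listed host
    "2003-09-07T19:30:00+0000 192.168.1.25 -> 198.51.100.7",  # Sunday after the last day
]

LOG_STAMP_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


def in_update_window(ts: datetime) -> bool:
    """True if `ts` (timezone-aware) falls inside the worm's update window.

    The comparison is done in UTC, so a log recorded in local time is
    converted first.  A naive datetime is rejected rather than guessed at,
    because silently mixing zones is the easiest way to miss the window.
    """
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    utc = ts.astimezone(timezone.utc)
    return (WINDOW_FIRST_DAY <= utc.date() <= WINDOW_LAST_DAY
            and utc.weekday() in WINDOW_WEEKDAYS
            and WINDOW_OPEN <= utc.time() < WINDOW_CLOSE)


def check_stamp(stamp: str) -> bool:
    """Parse a log timestamp in LOG_STAMP_FORMAT and test it against the window."""
    return in_update_window(datetime.strptime(stamp, LOG_STAMP_FORMAT))


def flag_update_attempts(log_lines):
    """Return (src, dst, utc_timestamp) for in-window hits on a listed host."""
    hits = []
    for line in log_lines:
        stamp, src, _arrow, dst = line.split()
        ts = datetime.strptime(stamp, LOG_STAMP_FORMAT)
        if dst in SECOND_STAGE_HOSTS and in_update_window(ts):
            hits.append((src, dst, ts.astimezone(timezone.utc)))
    return hits


if __name__ == "__main__":
    for src, dst, ts in flag_update_attempts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src} contacted second-stage host {dst}")
```

Only the first two sample lines are flagged: the second one is the local-time case, which would be missed by a filter that compared the raw hour against 19-22. The same function, fed the real address list in place of the placeholders, would have told an administrator which internal hosts tried to phone home on the 22nd.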

Security experts disagree about what happened next. Some declared the operation a success, claiming SoBig.F had been prevented from downloading its second-stage instructions and that no third stage was therefore possible. Others, including system administrators, reported worm activity indicating that downloads had occurred, and a few supplied IP addresses that did not appear on the original "magic 20" list found in the worm's code. Adding to the mystery, at least some of the SoBig.F mailings halted abruptly minutes after Friday's 1900 UTC download was due to commence. Since the worm is programmed to stop spreading once it has received its download instructions, the sudden stop lent credence to the argument that SoBig.F had managed to update on at least some systems.

Find the real SoBig.F sender

SoBig.F forges the From address, so thousands of innocent users appear to be the senders. If you are being flooded with SoBig.F emails, or receiving angry mail from people accusing you of sending it, follow the steps outlined in the linked article to track down the real culprit.
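The linked article's own steps are not reproduced here, but the principle behind them is that the From line is free text while the Received headers are stamped by each relay the message passed through. The Python below is an added example, not the article's procedure and not anyone's production code: it walks the Received chain from the newest hop downward, believes only the lines stamped by servers you run (a worm or spammer can prepend forged Received lines of its own), and reports the first address outside your infrastructure as the real origin. The message, the host names, the addresses and the "trusted" sets are all constructed for the demonstration using documentation ranges; they are not real SoBig.F relays.

```python
"""Added example (not the article's own procedure): find where a mail really
entered the network by walking its Received: headers instead of trusting the
From: line, which SoBig.F forges.

Everything below (message, hosts, addresses, trusted sets) is constructed for
this demonstration from documentation ranges.
"""
import ipaddress
import re
from email import message_from_string

# Hosts we operate, and the address ranges they relay from (assumptions).
TRUSTED_BY_HOSTS = {"mail.example.com", "mx1.example.org"}
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# "from <sender as seen by the relay> by <relay that stamped this line>".
RECEIVED_RE = re.compile(r"from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the claimed From: is an innocent bystander; the chain
# shows the message was handed to our MX by a dial-up/DSL host elsewhere.
RAW_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [198.51.100.4])
\tby mail.example.com with ESMTP id X1; Tue, 19 Aug 2003 14:02:10 +0000
Received: from dsl-pool-77.example.net ([203.0.113.77])
\tby mx1.example.org with SMTP id Y2; Tue, 19 Aug 2003 14:01:58 +0000
From: innocent.user@example.edu
To: victim@example.com
Subject: Re: Wicked screensaver
Date: Tue, 19 Aug 2003 14:01:50 +0000

See the attached file for details.
"""

# Constructed sample whose only Received: line was stamped by a host we do
# not run, so nothing in it can be believed.
UNTRUSTED_ONLY = """\
Received: from somewhere.example ([203.0.113.9])
\tby relay.elsewhere.example with SMTP id Z9; Tue, 19 Aug 2003 14:01:58 +0000
From: innocent.user@example.edu
Subject: Re: Approved

"""


def parse_received(value):
    """Return (from_ip_or_None, by_host) for one Received: value, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip_m = IP_RE.search(m.group("from"))
    return (ip_m.group(1) if ip_m else None, m.group("by").rstrip(";,"))


def claimed_sender(raw_message):
    """The From: header exactly as the sender wrote it (worthless as evidence)."""
    return message_from_string(raw_message)["From"]


def real_sender_ip(raw_message):
    """IP of the first hop outside our infrastructure, or None if unknowable.

    Relays prepend Received: lines, so get_all() returns newest first.  The
    walk stops at the first line stamped by a host we do not run: everything
    below it was supplied by the sender and may be forged.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        from_ip, by_host = parsed
        if by_host not in TRUSTED_BY_HOSTS:
            break
        if from_ip is None:
            continue
        if not any(ipaddress.ip_address(from_ip) in net for net in TRUSTED_NETS):
            return from_ip
    return None


if __name__ == "__main__":
    print("claimed From:", claimed_sender(RAW_MESSAGE))
    print("origin IP   :", real_sender_ip(RAW_MESSAGE))
```

The address this yields identifies the machine that connected to your relay, which is the one to report to its network's abuse contact; the From address identifies nobody. The trusted sets are the part that must be adapted to your own mail path, and they are also why the walk refuses to name a culprit when no trusted relay stamped the message.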

 
 ~ Mary Landesman


Copyright  © 2003 About, Inc. About and About.com are registered trademarks of About, Inc. The About logo is a trademark of About, Inc. All rights reserved.