Sobig-F’s attempts to download a mystery program to infected machines failed over the weekend. But experts are not patting themselves on the back as they worry that the next variant of the worm, Sobig-G, may come sooner than expected. “It may come early as the worm writer’s plan failed,” said Mikko Hypponen, manager of antivirus research for F-Secure Corp., in Helsinki, Finland.

Sobig-F is programmed to download a program every Friday and Sunday until Sept. 10 between 7 p.m. and 10 p.m. UTC time (3 p.m. and 6 p.m. EDT). The worm would get a URL pointing to the program from one of 20 remote servers. Antivirus experts weren’t able to ascertain what the downloaded program would do.

That may be moot at this point because the 20 servers weren’t accessible over the weekend. Eighteen were taken down by ISPs, Hypponen said. The others were inaccessible as well. “It stands to reason that we can’t access them then the worm wouldn’t be able to either,” he said.

ISPs were also filtering UDP port 8998 traffic over the weekend. The worm used that port to access the remote servers. Blocking it wasn’t a huge issue because there are not a lot of legitimate uses for that port, Hypponen said.