A potentially massive Internet attack starts today

This press release comes from F-Secure. For more 
information on F-Secure's mailing list policy, 
see end of message.


PRESS RELEASE


August 22, 2003


A potentially massive Internet attack starts today
Sobig.F downloads and executes a mysterious program on Friday at 19:00 UTC


F-Secure Corporation is warning about a new level of attack to be unleashed
by the Sobig.F worm today.


Windows e-mail worm Sobig.F, which is currently the most widespread worm in
the world, has created massive e-mail outages globally since it was found on
Tuesday the 18th of August - four days ago. The worm spreads itself via
infected e-mail attachments in e-mails with a spoofed sender address. Total
amount of infected e-mails seen in the Internet since this attack started is
close to 100 million.


However, the Sobig.F worm has a surprise attack in its sleeve. All the
infected computers are entering a second phase today, on Friday the 22nd of
August, 2003. These computers are using atom clocks to synchronize the
activation to start exactly at the same time around the world: at 19:00:00
UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).


On this moment, the worm starts to connect to machines found from an
encrypted list hidden in the virus body. The list contains the address of 20
computers located in USA, Canada and South Korea. 


"These 20 machines seem to be typical home PCs, connected to the Internet
with always-on DSL connections", says Mikko Hypponen, Director of Anti-Virus
Research at F-Secure. "Most likely the party behind Sobig.F has broken into
these computers and they are now being misused to be part of this attack".


The worm connects to one of these 20 servers and authenticates itself with a
secret 8-byte code. The servers respond with a web address. Infected machines
download a program from this address - and run it. At this moment it is
completely unknown what this mystery program will do. 


F-Secure has been able to break into this system and crack the encryption,
but currently the web address sent by the servers doesn't go anywhere. "The
developers of the virus know that we could download the program beforehand,
analyse it and come up with countermeasures", says Hypponen. "So apparently
their plan is to change the web address to point to the correct address or
addresses just seconds before the deadline. By the time we get a copy of the
file, the infected computers have already downloaded and run it".


Right now, nobody knows what this program does. It could do damage, like
deleting files or unleash network attacks. Earlier versions of Sobig have
executed similar but simpler routines. With Sobig.E, the worm downloaded a
program which removed the virus itself (to hide its tracks), and then started
to steal users network and web passwords. After this the worm installed a
hidden email proxy, which has been used by various spammers to send their
bulk commercial emails through these machines without the owners of the
computers knowing anything about it. Sobig.F might do something similar - but
we won't know until 19:00 UTC today.


"As soon as we were able to crack the encryption used by the worm to hide the
list of the 20 machines, we've been trying to close them down", explains
Mikko Hypponen. F-Secure has been working with officials, authorities and
various CERT organizations to disconnect these machines from the Internet.
"Unfortunately, the writers of this virus have been waiting for this move
too." These 20 machines are chosen from the networks of different operators,
making it quite likely that there won't be enough time to take them all down
by 19:00 UTC. Even if just one stays up, it will be enough for the worm.


The advanced techniques used by the worm make it quite obvious it's not
written by a typical teenage virus writer. The fact that previous Sobig
variants we're used by spammers on a large scale adds an element of financial
gain. Who's behind all this? "Looks like organized crime to me", comments
Mikko Hypponen.


F-Secure is monitoring the Sobig.F developments through the night on Friday
the 22nd. Updates will be posted to Sobig.F's virus description at
http://www.f-secure.com/v-descs/sobig_f.shtml



F-Secure Anti-Virus can detect and stop this worm. F-Secure Anti-Virus can be
downloaded from http://www.f-secure.com


About F-Secure


F-Secure Corporation is the leading provider of centrally managed security
solutions for the mobile enterprise. The company's award-winning products
include antivirus, file encryption and network security solutions for major
platforms from desktops to servers and from laptops to handhelds. Founded in
1988, F-Secure has been listed on the Helsinki Exchanges since November 1999.
The company is headquartered in Helsinki, Finland, with the North American
headquarters in San Jose, California, as well as offices in Germany, Sweden,
Japan and the United Kingdom and regional offices in the USA. F-Secure is
supported by a network of value added resellers and distributors in over 90
countries around the globe. Through licening and distribution agreements, the
company's security applications are available for the products of the leading
handheld equipment manufacturers, such as Nokia and HP.


Finland:
F-Secure Corporation
Mikko Hypponen, Director, Anti-Virus Research
PL 24
FIN-00181 Helsinki
Tel +358 9 2520 5513
Fax. +358 9 2520 5001
Email Mikko.Hypponen@F-Secure.com



For more information, please contact:


Media contact in the USA:
F-Secure Inc.
Heather Deem,
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel +1 408 350 2178
Fax +1 408 938 6701
Email Heather.Deem@F-Secure.com



http://www.F-Secure.com/



Mailing list policy


You have previously expressed interest in our products, or have asked to be
included on one of our press release lists by personally giving us your
e-mail address for this purpose. Our mailing list are for the exclusive use
and the expressed purpose of F-Secure and are not sold or given to third
parties.


If you no longer wish to receive our press releases, or your email address 
has been added to our lists without your consent, you can unsubscribe at 
http://www.F-Secure.com/news/subscribe.html


If you only wish to receive our press releases concerning viruses, 
please go to 
http://www.F-Secure.com/news/subscribe.html
and first unsubscribe from 
press-english-interest@lists.F-Secure.com
and then subscribe to 
press-english-virus-announcement@lists.F-Secure.com


*****************************************
Jaana Sirkiä, Communications Manager
F-Secure Corporation
PL 24
FIN 00181-Helsinki
Tel. +358 9 2520 5290
Fax +358 9 2520 5018
Mobile +358 400 303096
http://www.F-Secure.com 
*******************************************