And It Was So Big
[This is in response to Eric 'I Don't Use Real Names' [Last name withheld 'cause I guess he's scared someone would do a google search and find out where he lives]'s post on the sobig virus. The following is an actual account of one computer's exposure to a member of the sobig family. (Oh and by the way, a google search with his last name doesn't return any meaningful results, so I'm not sure why he doesn't use real names. Of course, you probably could guess his last name from the URL of his blog.)]
I started getting e-mail with the subject 'Re: Account' or 'Re: Movie'. They had attachments. I knew what they were. I knew they were viruses. What bothered me was who they were from. And who they were to. They were from me, and they were to me.
One came from an address that I used only once – to subscribe to a business magazine site. Nothing should ever come to that address. Maybe that site's servers had been hacked?
Some were messages from Yahoo telling me that I wasn't subscribed to the list I was trying to send to. Except I was subscribed to the list. I just hadn't sent any e-mail. I checked the e-mail Yahoo sent back. It was sent to a list I am subscribed to, only the address it was from was an address – once again – no one should know about. It was an address I use to catch 'bounces' from a customer's list server. What was going on?
I looked at the headers of the virus e-mail I was receiving. The headers said it was coming from a computer named 'Snowflake'. Yeah, I knew where that computer was. It was right down the hallway. It was on my network. And the virus had been on it for 3 hours.
The first step? Isolation. Yanked that network plug right out of the wall. The second step? Find out what happened. Looked at the screen – seems that a family member had been checking their e-mail. And had opened an infected message that was sent to them. Bad thing to do. Next step? Download the newest virus definitions, and squish that little bug.
But I was still curious. Where did it get all my addresses from? Hmm? Did a little research on the virus. Seems it's a pretty nasty little thing – it doesn't get a list of e-mails from your address book. Nope, it scans your hard drive and looks for addresses in text files, e-mail folders, address book files. Like I said, nasty. Then, when it wants to send an e-mail, it doesn't use your ISP's SMTP server – nope, it has its own. And while it's doing that it also opens up a port (or ports, not sure) through which its creator (or anyone with sobig compatible trojan payload connection software (tm)) can connect to your computer. Like I said, nasty. Snowflake got it about a month ago, not sure what the variant going around now does, but I'm sure it's not that fun to get.