
Spoofing the FBI


Lking


Glad to see it has a name! I haven't opened my email yet, but I got 24 (some from the CIA and others wanting me to confirm my password) from 3 to 8 last evening.

I actually got one from earthlink several days ago (11/15), but reporting it stopped it quickly. I thought it was a phish, not a worm.

Miss Betsy


Well spotted Jeff. W32.Sober.X[at]mm in Symantec talk - they just released their "Live Update" virus definition to catch the thing. Two hours after they unleashed their highly visible "Outbreak Alert!", unfortunately. Following the links to obtain the update in the interim period simply resulted in failure. With a weekly update schedule on Live Update (dial-up connection), doing a manual update between times just interferes with the next scheduled update (have to revert to previous update before it will work). If it's less complicated than that, I have yet to find out about it. All's well that ends well, I suppose and that particular drama is over (pity it wasted so much time though).


> With a weekly update schedule on Live Update (dial-up connection), doing a manual update between times just interferes with the next scheduled update (have to revert to previous update before it will work). If it's less complicated than that, I have yet to find out about it. All's well that ends well, I suppose and that particular drama is over (pity it wasted so much time though).

Well, I mainly use the Corporate edition but in my few experiences with the home version, I have never seen this phenomenon. Live Update has always worked even with manual updates being done. Often, you can also force a live update manually.

Also, if you are impatient and don't want to wait for one of those weekly Wednesday updates or for Symantec to decide that a particular update is "important" enough, you can also download the latest regular dated update definition from http://www.sarc.com/avcenter/download/pages/US-N95.html or ftp://ftp.symantec.com/public/english_us_...rton_antivirus/ or one of the rapid release definitions at ftp://ftp.symantec.com/public/english_us_...s/rapidrelease/.


Well Norton finally got around to telling me about the worm I received this morning. Reading their right up: http://securityresponse.symantec.com/avcen...sober.x[at]mm.html

I noticed that one of the things the worm does is capture norton's auto update so the worm runs every time you try to update the anti-virus data. Puts real meaning into keeping security up to date, cause if your late, your late.


> Well Norton finally got around to telling me about the worm I received this morning. Reading their right up: http://securityresponse.symantec.com/avcen...sober.x[at]mm.html

For those coming in late, the URL provided above won't fly due to the filter I put on this Forum to mung e-mail addresses; it also munged the above URL, such that the [at] needs to be replaced with the @ sign. You'll note Jeff G.'s use of a tinyurl redirector to get around this issue in one of his previous posts.


> Well, I mainly use the Corporate edition but in my few experiences with the home version, I have never seen this phenomenon. Live Update has always worked even with manual updates being done. Often, you can also force a live update manually.

Thanks Steven, and thanks Jeff! Yes, I usually force the update but on one foray into a manual update (different process from Live Update as you know), I found the Live Update wouldn't work next time. Hunting through the Symantec "knowledge base" suggested reverting to previous definitions and lo it worked. Disappointingly that was the suggested action this time when the actual "problem" was simply a delay in the release of the "special" update and reversion would have done nothing except waste more time. The previous thing was some date-critical aspect of weekly updates, no doubt (Symantec protecting their "investment", instanced also in their pre-emptive quarterly "registration" procedure on an annual subscription).

Still, I've been there before, won't hesitate to do a manual update should it seem prudent (I don't rely on them anyway - as "we" know, don't download unknown attachments, don't open them, someone has to get the first example, it might be me. I know enough about probability to know the odds don't "accumulate" but one has the uncanny feeling that an unlikely event is overdue - like Charles Dickens avoiding the Christmas trains because "there hadn't been enough derailments that year yet". Must be my turn to get something higher than a 5th division Lotto win :).)

Within minutes of the (outbreak alert special) live update working I received my first email with this worm. But that wasn't at all unlikely.


> Well Norton finally got around to telling me about the worm I received this morning. Reading their right up

ITYM "write up".
> one of the things the worm does is capture norton's auto update so the worm runs every time you try to update the anti-virus data. Puts real meaning into keeping security up to date, cause if your late, your late.

ITYM "if you're late, you're late."

To be more specific about how NAV/SAV automatic live updates operate, the default configuration is to check every Wednesday morning and Symantec's policy is to publish every Wednesday morning, and more often when they feel it important to do so. I have different ideas about importance than they do (I consider updates for new highly-publicized highly-virulent outbreaks that I have evidence of in-hand (especially email-borne worms) to be important; they sometimes don't). I also change the default on systems I am configuring to check every morning or night (depending on the situation). :)


Jeff G the secret is out. Yes, I took English as a second language. :wacko: My first language was Fortran.

I agree with your AV update schedule. I also check daily plus "as required" based on what I see going on and how I feel. My update schedule is much different than Symantec's Outbreak Alert, which is what I was referring to with a <g> several hours after I received my copy of Sober.X.


In response to my spam report I just received a response from SBC. In addition to the standard part:

<snip>Warning! Recent SBC phishing attacks and forgeries:

1. Forged emails claiming to be from the FBI claiming that the FBI is monitoring your traffic. The FBI did not send these e-mails and does not send any other unsolicited e-mails to the public, an agency statement said. As many harmful computer viruses are located in e-mail attachments, the FBI said it strongly encourages computer users not to open attachments from unknown recipients. The FBI is investigating the scam. Recipients of these e-mails are asked to report them by visiting the Internet Crime Complaint Center at http://www.ic3.gov/

<snip>


Now I am receiving them from Roadrunner as well as Verizon AND my own ISP (who says the headers are spoofed and besides which the IT department won't be back until next Monday. In the SpamAssassin report it has an IP address for RCVD in SORBS which he says is Roadrunner. He also says that they don't use userid xxx.) SpamCop says it is my ISP.

I could spit nails!

Miss Betsy

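The post above is the usual stalemate with a worm that forges its sender: the ISP says the headers are spoofed, SpamAssassin flags an address in SORBS, and SpamCop and the ISP point at each other. The example below is added here and is not code from the thread or from any poster; it shows the one thing that can actually be trusted in such a message, the Received: chain as written by your own mail servers. Walking that chain from the top, the first hop that is not one of your own relays is the machine that handed the message in; every header below it was written by an untrusted host and may be forged. The sample header block, the trusted relay range (192.0.2.0/24) and the DNSBL lookup table are all constructed for the example, not captured data; a real check would query the blocklist over DNS.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample header block for this example (not a captured message).
# It mimics the thread's situation: a From: line claiming to be the FBI,
# delivered through the recipient's own ISP.  Addresses are RFC 5737
# documentation ranges and the hostnames are placeholders.
SAMPLE_HEADERS = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [192.0.2.10])
        by mailstore.example-isp.net with ESMTP id k1A2B3C4;
        Tue, 22 Nov 2005 19:04:11 -0500
Received: from rr-customer.example.com (cpe-198-51-100-77.example.com [198.51.100.77])
        by mx2.example-isp.net with SMTP id k1A2B3C3;
        Tue, 22 Nov 2005 19:04:09 -0500
From: "FBI" <mail@fbi.gov>
Subject: You_visit_illegal_websites
"""

# Assumption for the example: the recipient's ISP runs its MTAs in this range.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

# Offline stand-in for a DNSBL such as SORBS.  A real check would resolve
# <reversed-octets>.dnsbl.sorbs.net and treat any A record as "listed".
DNSBL_STUB = {"198.51.100.77"}

# The bracketed literal is the address the receiving MTA saw on the TCP
# connection; the hostname before it is whatever the peer claimed in HELO.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """Connecting IP of each Received: header, top-most (closest to us) first."""
    ips = []
    for value in msg.get_all("Received", []):
        m = _BRACKETED_IP.search(value)
        if m:
            ips.append(m.group(1))
    return ips


def first_untrusted_hop(ips, trusted=TRUSTED_RELAYS):
    """Walk the chain outward from our own relays and return the first address
    that is not ours.  Received: lines below that hop were written by a machine
    we do not control and cannot be relied on."""
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted):
            return ip
    return None


def in_dnsbl(ip, listed=DNSBL_STUB):
    """Stub blocklist check; swap in a DNS query for production use."""
    return ip in listed


def claimed_sender_domain(msg):
    """Domain in the (forgeable) From: header, for comparison with the real origin."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def analyze(raw_headers):
    """Summarise where a message really came from versus where it claims to be from."""
    msg = email.message_from_string(raw_headers)
    hops = received_ips(msg)
    origin = first_untrusted_hop(hops)
    return {
        "hops_seen": hops,
        "origin_ip": origin,
        "origin_listed": in_dnsbl(origin) if origin else False,
        "claimed_domain": claimed_sender_domain(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

In the sample the chain resolves to 198.51.100.77, a customer address that is on the stub blocklist, while the From: header claims fbi.gov. That is the same picture the poster's ISP saw: the complaint belongs with whoever owns the first untrusted hop, not with the domain in From: and not with the ISP whose relay merely accepted the message.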

Computer Worm Poses as E-Mail From FBI, CIA

'Sober X' Web Threat Spreads Quickly

By Arshad Mohammed and Brian Krebs

Washington Post Staff Writers

Thursday, November 24, 2005; Page D01

It's being called the worst computer worm of the year -- a fast-spreading Internet threat that looks like an official e-mail from the CIA or FBI but can leave your computer wide open to intruders.

The full Post story is at:

http://www.washingtonpost.com/wp-dyn/conte...?referrer=email

Gee Miss Betsy I feel left out. I only got 2 copies. (That's not an offer to accept more!)


> I got the Sober X removal tool from Symantec ...

Neat - I wouldn't have thought about using those things as a check. Jeff's handy link to the Symantec page is noted above in this discussion: http://forum.spamcop.net/forums/index.php?...indpost&p=36456, here's another (should work) for those not liking tinyurl: http://securityresponse.symantec.com/avcen...o.cgi?vid=17534 - no I don't work for them.

My e-mail gets filtered by Postini then forwarded to Spamcop...I had a few Sober e-mails, oddly enough from Argentina, defanged and trapped in the Postini virus folder this morning... They mentioned Paris Hilton, nothing about FBI....

The Simple Life:

View Paris Hilton & Nicole Richie video clips , pictures & more ;)

Download is free until Jan, 2006!

Please use our Download manager.


Yeah, that and the failed delivery one are the types I'm seeing (getting through AT&T).

This_is_an_automatically_generated_Delivery_Status_Notification.

SMTP_Error_[]

I'm_afraid_I_wasn't_able_to_deliver_your_message.

This_is_a_permanent_error;_I've_given_up._Sorry_it_didn't_work_out.

The_full_mail-text_and_header_is_attached!

There was an actual FBI one, caught up in my "graymail", as AT&T insist on calling it.
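The last two posts quote the three lure styles the thread has seen: the fake bounce written with underscores in place of spaces, the Paris Hilton "download manager" offer, and the FBI/CIA notice. The following is an added example, not part of the thread and not anyone's posted code, showing simple content rules that separate those lures from a genuine bounce. The four sample messages are constructed for the example from the fragments quoted in the thread; their bodies, sender addresses and attachment names are assumptions, not captured worm samples, and the rule weights are illustrative.

```python
import re

# Constructed sample messages modelled on the lures quoted in the thread.
# Bodies, senders and attachment names are assumptions for this example.
SAMPLES = {
    "fbi_lure": {
        "from": "mail@fbi.gov",
        "subject": "You_visit_illegal_websites",
        "body": "The FBI is monitoring your traffic.\n"
                "See the attached report and answer the questions.\n",
        "attachments": ["report.zip"],
    },
    "dsn_lure": {
        "from": "postmaster@example-isp.net",
        "subject": "Mail delivery failed",
        "body": (
            "This_is_an_automatically_generated_Delivery_Status_Notification.\n"
            "SMTP_Error_[]\n"
            "I'm_afraid_I_wasn't_able_to_deliver_your_message.\n"
            "This_is_a_permanent_error;_I've_given_up._Sorry_it_didn't_work_out.\n"
            "The_full_mail-text_and_header_is_attached!\n"
        ),
        "attachments": ["mail-text.zip"],
    },
    "hilton_lure": {
        "from": "clips@example.net",
        "subject": "The Simple Life",
        "body": (
            "View Paris Hilton & Nicole Richie video clips , pictures & more ;)\n"
            "Download is free until Jan, 2006!\n"
            "Please use our Download manager.\n"
        ),
        "attachments": ["download_manager.zip"],
    },
    "real_bounce": {
        "from": "MAILER-DAEMON@example-isp.net",
        "subject": "Undelivered Mail Returned to Sender",
        "body": (
            "This is the mail system at host mx2.example-isp.net.\n"
            "I'm sorry to have to inform you that your message could not be delivered.\n"
        ),
        "attachments": [],
    },
}

AGENCY_DOMAINS = {"fbi.gov", "cia.gov"}
RISKY_EXT = re.compile(r"\.(zip|exe|scr|pif|bat|com)$", re.IGNORECASE)
LURE_THRESHOLD = 4  # illustrative cut-off for the weights below


def underscore_ratio(body):
    """Fraction of non-empty body lines that contain no spaces but at least two
    underscores, i.e. sentences written the way the quoted fake bounce is."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    hits = sum(1 for ln in lines if " " not in ln and ln.count("_") >= 2)
    return hits / len(lines)


def score_message(msg):
    """Return (score, triggered rules) for one message dict."""
    text = msg["subject"] + "\n" + msg["body"]
    reasons = []
    risky = [a for a in msg["attachments"] if RISKY_EXT.search(a)]
    sender_domain = msg["from"].rpartition("@")[2].lower()
    claims_agency = (sender_domain in AGENCY_DOMAINS
                     or re.search(r"\b(FBI|CIA)\b", text) is not None)

    if risky:
        reasons.append(("risky_attachment", 2))
    # Per the FBI statement quoted earlier in the thread: the Bureau sends no
    # unsolicited mail, and the payload rides in the attachment.
    if claims_agency and risky:
        reasons.append(("agency_claim_with_attachment", 4))
    if underscore_ratio(msg["body"]) >= 0.5:
        reasons.append(("underscored_body", 3))
    # A real DSN carries the bounced message inline, not as a zip.
    if risky and re.search(r"deliver", text, re.IGNORECASE):
        reasons.append(("bounce_with_attachment", 3))
    if re.search(r"download (is free|manager)", text, re.IGNORECASE):
        reasons.append(("download_lure", 2))
    return sum(weight for _, weight in reasons), reasons


def is_lure(msg):
    return score_message(msg)[0] >= LURE_THRESHOLD


def classify_all(samples=SAMPLES):
    """Map each sample name to True if it trips the lure threshold."""
    return {name: is_lure(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, score_message(msg))
```

The three lures score on different rules (agency claim plus attachment, underscored text plus a zipped "mail-text", and the download-manager phrasing), while the genuine bounce, which mentions delivery but carries no archive, scores zero. The rules are deliberately content-based so they keep working once the From: line is forged, which is exactly the case the thread is about.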
