The spread of W32/Sobig.F started a race against time for anti-virus and information security organisations. Analysis of the mass-mailing virus revealed that it contains an encrypted list of IP addresses within its code; these are "master servers". If the time is between 19:00 and 22:00 GMT on any Friday or Sunday, Sobig.F sends a notification to the master servers and waits for one of them to send a URL. It then downloads the content from that URL and executes it. The first activation of this routine would take place at 19:00 GMT on Friday, 22 August 2003 (3am Saturday, Hong Kong time). The master servers on the list were well spread out, under the administration of different ISPs. In all likelihood, they were the machines of innocent users that had been broken into and taken over by the virus writer.
So thousands, possibly hundreds of thousands, of machines infected with Sobig.F were ready to download and execute an unknown program (or programs). If the virus author only made the download locations available at the last moment, security experts would have no chance to analyse it before it started work. The program could do anything, up to and including wiping the victim's hard disk. More likely scenarios would be launching Distributed Denial of Service attacks and acting as relays for spam.
Passively waiting for the attacks to happen was not an option, so organisations around the world, including CERTs, the FBI and anti-virus developers, co-operated in tracing and contacting the administrators of the "master servers" to get them shut down. Sophos and F-Secure participated in the effort. The race was close at the finish; the timeline for 22 August was:
| Time | Status |
|---|---|
| 13:00 GMT | 11 master servers disconnected |
| 16:00 GMT | 18 master servers unavailable |
| 17:00 GMT | 17 master servers unavailable; apparently one that was previously unreachable was started by its owner |
| 18:20 GMT | 19 unavailable. It was feared that the remaining master server would still be enough for the attack to start. |
| 19:00 GMT | The final master server was still connected to the Internet, but did not respond to the virus's requests. It remained dormant for the whole 3-hour attack period. |
So, the attack failed, this time. Sobig.F is programmed to stop working after the 10th of September 2003 and this appears to be part of a plan by the author. Four of the earlier versions of Sobig also had expiry dates, and shortly after one expired a new variant was released. We can anticipate a new Sobig variant appearing in mid-September.
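The activation schedule described above (19:00 to 22:00 GMT on Fridays and Sundays, first firing on 22 August 2003 and ceasing after 10 September 2003) is the kind of timetable a response team needs when planning a takedown or deciding when to expect beaconing in firewall logs. The following Python is an added example written for this page, not code from the article or from any anti-virus vendor; it assumes that the expiry is inclusive of 10 September (the virus still runs on that day) and uses a fixed UTC+8 offset for Hong Kong, both of which are assumptions, not facts stated by the article. It shows why the check must be made in UTC: the 3am Saturday Hong Kong time mentioned in the text maps onto the Friday window.

```python
from datetime import date, datetime, timedelta, timezone
from typing import List, Tuple

# Schedule parameters taken from the article.
WINDOW_START_HOUR = 19            # 19:00 GMT
WINDOW_END_HOUR = 22              # 22:00 GMT (exclusive)
TRIGGER_WEEKDAYS = {4, 6}         # datetime.weekday(): Monday=0 ... Friday=4, Sunday=6
EXPIRY_DATE = date(2003, 9, 10)   # assumption: the virus is still active on this day
FIRST_ACTIVATION = datetime(2003, 8, 22, WINDOW_START_HOUR, tzinfo=timezone.utc)

# Constructed offset for Hong Kong time (UTC+8); the article gives "3am Saturday, Hong Kong time".
HKT = timezone(timedelta(hours=8), name="HKT")


def in_activation_window(when: datetime) -> bool:
    """True if a timezone-aware timestamp falls inside a Sobig.F activation window."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware; the virus compares against GMT")
    utc = when.astimezone(timezone.utc)
    if utc.date() > EXPIRY_DATE:
        return False                      # the virus stops working after 10 September 2003
    if utc.weekday() not in TRIGGER_WEEKDAYS:
        return False                      # only Fridays and Sundays
    return WINDOW_START_HOUR <= utc.hour < WINDOW_END_HOUR


def is_active_at(year: int, month: int, day: int, hour: int,
                 minute: int = 0, utc_offset_hours: int = 0) -> bool:
    """Convenience wrapper: interpret a local wall-clock time with a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return in_activation_window(datetime(year, month, day, hour, minute, tzinfo=tz))


def next_windows(after: datetime, count: int) -> List[Tuple[datetime, datetime]]:
    """Enumerate up to `count` (start, end) windows in UTC that end after `after`, up to expiry."""
    utc = after.astimezone(timezone.utc)
    windows: List[Tuple[datetime, datetime]] = []
    day = utc.date()
    while day <= EXPIRY_DATE and len(windows) < count:
        if day.weekday() in TRIGGER_WEEKDAYS:
            start = datetime(day.year, day.month, day.day, WINDOW_START_HOUR, tzinfo=timezone.utc)
            end = start + timedelta(hours=WINDOW_END_HOUR - WINDOW_START_HOUR)
            if end > utc:
                windows.append((start, end))
        day += timedelta(days=1)
    return windows


def remaining_windows_iso(after: datetime, count: int = 100) -> List[str]:
    """Same enumeration as next_windows, rendered as ISO 8601 strings for reports and tests."""
    return [f"{s.isoformat()} -> {e.isoformat()}" for s, e in next_windows(after, count)]


if __name__ == "__main__":
    # 3am Saturday 23 August in Hong Kong is 19:00 GMT Friday 22 August: inside the window.
    print("HK 3am Sat 23 Aug active:", in_activation_window(datetime(2003, 8, 23, 3, tzinfo=HKT)))
    # Saturday in GMT is never an activation day, even at 20:00.
    print("GMT 20:00 Sat 23 Aug active:", is_active_at(2003, 8, 23, 20))
    for line in remaining_windows_iso(FIRST_ACTIVATION):
        print(line)
```

Running the block lists every window between the first activation and the expiry date; for the dates in the article that is six windows (three Fridays and three Sundays), which is the number of opportunities the response effort had to deny the virus its download locations.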