Security experts are warning of a possible attack or mass action by machines infected with the Sobig.F worm, scheduled to begin Friday at 7 p.m. GMT (19:00 UTC).

Code buried deep in the Sobig.F worm will cause infected Microsoft Windows machines worldwide to simultaneously connect to an as-yet unknown Web page and download a software program, according to security company F-Secure of Helsinki. To coordinate the mass action, the infected machines synchronize their clocks against a number of public Internet time servers worldwide, themselves disciplined by atomic clocks, rather than trusting the local system clock, F-Secure said.

Researchers at F-Secure have analyzed the Sobig.F code and discovered the instructions, which are similar to those found in previous Sobig variants, said Mikko Hyppönen, head of antivirus research at F-Secure. For Sobig.F, F-Secure researchers decrypted a list of 20 IP addresses that the infected machines will attempt to connect to, trying each in order until a successful connection is made.

Those IP addresses belong to Sobig-infected machines outfitted by the Sobig.F authors with instructions to receive requests from other Sobig.F machines and to respond with the location of a file that those machines should download and run, Hyppönen said. “These are probably easy-to-crack machines from around the world – Windows boxes where the user has no idea that the machine is infected and is being used in the attack,” he said.

Currently, the 20 Sobig.F “server” machines hold instructions pointing to a nonexistent file on the www.sex.com domain, but the person or people behind Sobig.F will probably wait until the last second before uploading the real instructions to the 20 machines.

“Obviously the logic of the virus writers is to change the URL (pointing to the file) just before the attack starts. They’re thinking about how we work and trying to make it harder,” he said.

Without seeing the actual instructions that infected Sobig.F machines will download by the thousands, it is impossible to know what those machines will be directed to do, Hyppönen said. For example, if the virus author sent instructions for the Sobig.F machines to download a file from Microsoft’s Web site or that of another high-profile target, the resulting flood of requests could amount to a massive denial-of-service attack, he said.

Previous Sobig variants downloaded software that turns infected machines into so-called “open proxies,” Hyppönen said. Open proxies act as relays that allow anonymous sending of massive waves of spam, because the mail appears to originate from the compromised host rather than the spammer. Sobig.F’s author may be planning to do the same, creating a large network of open proxies that can be used for future spam campaigns.

Security experts have long noted the connections between the Sobig worm family and the work of spammers, who use open proxies to cover their tracks while barraging e-mail accounts with solicitations for pornography, “get rich quick” scams and cheap prescription drugs. In an attempt to control the flood of spam e-mail, ISPs have been cracking down on loosely managed open proxies, prompting spammers to look for ways to create new proxies, Hyppönen said. Security companies have noted a correlation between the appearance of worms like Sobig.F and an increase in spam traffic from open proxies.

After deciphering the attack mechanism, F-Secure contacted CERT and the FBI regarding the threat. They in turn contacted the ISPs hosting the 20 Sobig.F servers and asked them to suspend the machines’ Internet connections, Hyppönen said. As of Friday morning, 12 of the 20 Sobig.F servers had been taken offline and authorities were working to contact the other affected ISPs.
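The rendezvous described above has a recognizable network signature: at a fixed time, an infected host steps through a fixed, ordered list of server addresses until one answers, so a host whose early entries have been taken offline produces a burst of attempts in list order. The following is an added detection example written for this article, not code from F-Secure or from the worm itself. It assumes a simple flow-log format (`<ISO-8601 UTC timestamp> <source IP> <destination IP>`) and uses RFC 5737 documentation addresses as a stand-in for the decrypted 20-entry list, which the article does not reproduce; the calendar date of the Friday trigger and the three-hour window are also assumptions. The sample log lines are constructed.

```python
"""Flag hosts that walk a Sobig.F-style server list inside the trigger window.

Added example for the article above; not F-Secure's or the worm author's code.
The server addresses, log format, calendar date and window length are
constructed stand-ins; only the mechanism (ordered list tried top to bottom
from a synchronized start time) comes from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Stand-in for the decrypted list of 20 server addresses (RFC 5737 range;
# the real list is not reproduced on the page). Position matters: the worm
# tries entry 0 first, then 1, and so on until one responds.
SERVER_LIST = [f"198.51.100.{i}" for i in range(1, 21)]

# Friday 7 p.m. GMT per the article. The date is an assumption
# (22 Aug 2003 was a Friday), as is the three-hour active period.
TRIGGER_START = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)
TRIGGER_WINDOW = timedelta(hours=3)


def parse_flow(line):
    """Parse a constructed flow-log line: '<ISO-8601 UTC ts> <src_ip> <dst_ip>'."""
    ts, src, dst = line.split()
    # str.replace keeps this working on Python < 3.11, where fromisoformat()
    # does not accept a trailing 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst


def suspicious_hosts(lines, servers=SERVER_LIST, start=TRIGGER_START,
                     window=TRIGGER_WINDOW, min_hits=2):
    """Return {src_ip: [server, ...]} for hosts that contacted at least
    `min_hits` distinct listed servers inside [start, start + window),
    in the order the contacts were seen.

    Two hits are required by default: the servers are ordinary compromised
    machines, so one coincidental connection to one of them is weak
    evidence, whereas an infected host whose first entries are offline
    steps through several in quick succession.
    """
    listed = set(servers)
    end = start + window
    contacts = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst = parse_flow(line)
        if start <= ts < end and dst in listed:
            contacts[src].append((ts, dst))

    flagged = {}
    for src, hits in contacts.items():
        hits.sort()  # chronological; all timestamps are tz-aware
        seen = []
        for _, dst in hits:
            if dst not in seen:
                seen.append(dst)
        if len(seen) >= min_hits:
            flagged[src] = seen
    return flagged


def follows_list_order(contacted, servers=SERVER_LIST):
    """True if the servers were contacted in strictly increasing list
    position, the walk the worm produces when earlier entries are down."""
    ranks = [servers.index(ip) for ip in contacted]
    return all(a < b for a, b in zip(ranks, ranks[1:]))


# Constructed sample: 10.0.0.23 hits one listed server before the window
# (ignored); 10.0.0.5 walks the first four entries right after 19:00 GMT
# (worm-like); 10.0.0.9 touches one listed server once (below threshold).
SAMPLE_LOG = """
2003-08-22T18:59:40Z 10.0.0.23 198.51.100.1
2003-08-22T19:00:02Z 10.0.0.5 198.51.100.1
2003-08-22T19:00:03Z 10.0.0.5 198.51.100.2
2003-08-22T19:00:05Z 10.0.0.5 198.51.100.3
2003-08-22T19:00:06Z 10.0.0.5 198.51.100.4
2003-08-22T19:07:19Z 10.0.0.9 198.51.100.2
2003-08-22T19:12:00Z 10.0.0.9 203.0.113.7
"""


def main():
    for host, servers in suspicious_hosts(SAMPLE_LOG.splitlines()).items():
        order = "in list order" if follows_list_order(servers) else "out of order"
        print(f"{host}: {len(servers)} listed servers contacted {order}: "
              + ", ".join(servers))


if __name__ == "__main__":
    main()
```

On the sample input only `10.0.0.5` is flagged, with four contacts in list order. The same logic works as a response aid once servers are being suspended: the more entries an ISP takes offline, the longer the ordered walk each infected host produces, which makes infected hosts easier rather than harder to spot in flow data.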
The job of shutting down the servers has been complicated, in part because the Sobig.F authors took precautions when selecting the machines to use as servers, making sure that each was hosted by a different ISP worldwide, so that no single provider can take the whole list offline.

The FBI has analyzed the Sobig.F code and is aware of the planned attack, said Bill Murray, a spokesman for the FBI’s cyber division. The agency is working with the Information Analysis and Infrastructure Protection Directorate of the Department of Homeland Security and other federal agencies to develop a strategy to help mitigate further spread of the Sobig.F code, he said.

The FBI has also launched an investigation into Sobig.F and is trying to determine who released the code into the wild, Murray said. Individuals with information about the Sobig.F worm that might help investigators should contact their local FBI field office, he said.