Wed, 20 Aug 2003

Sobig.F Worm Attack

Yesterday, I had an extremely frustrating experience with the W32.Sobig.F worm. Even though, as a Linux user, I was not susceptible to an infection, this ugly worm inflicted quite a bit of pain.

Between 7:27 AM and 12:05 PM, I received 125 e-mail messages addressed to my forwarding address, each containing the worm.

All the messages came from the same infected machine at a university in Sweden. If the messages had been sent directly to my personal e-mail address, hosted on a system I manage, it would have been trivial to stop the attack: I could have simply blocked all traffic from the offending IP address at the firewall, or added it to the RBL I use to block known spammers and mail abusers.

But this attack was hitting my Bigfoot address. Bigfoot is a forwarding service, so all the worm-laden messages were coming from Bigfoot's mail server. Blocking that address would have blocked all legitimate messages sent to my address as well as those containing the worm.

Worse, Bigfoot has a daily message limit. I'm a paid subscriber, which entitles me to 150 messages per day. Even with the amount of spam I receive, that limit has always been more than adequate to handle my needs. Had the Sobig.F attack continued much longer, however, I might have had my mail account temporarily suspended due to the volume. I was expecting a very important e-mail message, and having it delayed or lost would have been painful. Bigfoot has an emergency help desk address. I fired off a message with attached headers from one of the worm-laden e-mails and asked them to please block the offending address.

I tracked the offending originating IP address to a Swedish university and sent a message with appropriate details to their abuse address.
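The tracing step above (finding the real source behind a forwarding relay, so that the origin can be blocked without blocking the relay itself) is easy to get wrong, because a worm can stuff fake Received: lines into the messages it sends. The following script is an added example and is not code from this weblog; all host names, IP addresses and message texts in it are constructed for illustration, and the forwarder and local mail host are hypothetical names standing in for the real services. It reads the Received: chain newest to oldest, trusts only stamps written by the local MX or the forwarder's relay, and returns the first hop upstream of those; it then counts messages per originating IP to flag a storm like the one described.

```python
import re
from collections import Counter
from email import message_from_string

# Hosts whose Received: stamps we trust: our own MX and the forwarding
# service's relay. Hypothetical names, not the real services.
TRUSTED_HOSTS = {"mail.mydomain.test", "relay.example-forwarder.test"}

# "from <host> ... [<ipv4>] ... by <host>" as most MTAs write it. The bracketed
# address is what the receiving MTA saw on the TCP connection, the one part of
# the stamp the sending side cannot choose.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)


def originating_hop(raw_message, trusted=TRUSTED_HOSTS):
    """Return (host, ip) of the first hop upstream of the trusted relays.

    Received: headers are read newest (top) to oldest. Each stamp is only as
    honest as the MTA that wrote it, so we stop as soon as a stamp was written
    by a host outside the trusted set: anything below that line may have been
    forged by the sender.
    """
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m or m.group("by") not in trusted:
            break
        if m.group("from") not in trusted:
            return m.group("from"), m.group("ip")
    return None


def storm_sources(raw_messages, threshold, trusted=TRUSTED_HOSTS):
    """Count messages per originating IP and return those at or above the
    threshold. The forwarder's own relay can never appear here, because
    blocking it would drop legitimate forwarded mail as well."""
    counts = Counter()
    for raw in raw_messages:
        hop = originating_hop(raw, trusted)
        if hop:
            counts[hop[1]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample: a worm message relayed by the forwarder. The third
# Received: line is a fake inserted by the sender to blame an innocent host;
# it sits below the forwarder's stamp, so it is never consulted.
WORM = """Received: from relay.example-forwarder.test (relay.example-forwarder.test [192.0.2.10])
 by mail.mydomain.test (Postfix) with ESMTP id 1A2B3C
 for <me@mydomain.test>; Wed, 20 Aug 2003 07:27:12 -0700
Received: from pc42.example-uni.se (pc42.example-uni.se [198.51.100.77])
 by relay.example-forwarder.test with SMTP; Wed, 20 Aug 2003 07:27:05 -0700
Received: from innocent.example.net (innocent.example.net [203.0.113.5])
 by pc42.example-uni.se; Wed, 20 Aug 2003 07:27:01 -0700
From: victim@example.net
To: me@example-forwarder.test
Subject: Re: Details

See the attached file for details.
"""

# Constructed sample: legitimate mail through the same forwarder.
LEGIT = """Received: from relay.example-forwarder.test (relay.example-forwarder.test [192.0.2.10])
 by mail.mydomain.test (Postfix) with ESMTP id 4D5E6F
 for <me@mydomain.test>; Wed, 20 Aug 2003 09:10:44 -0700
Received: from smtp.example-friend.org (smtp.example-friend.org [203.0.113.9])
 by relay.example-forwarder.test with SMTP; Wed, 20 Aug 2003 09:10:40 -0700
From: friend@example-friend.org
To: me@example-forwarder.test
Subject: the message you were waiting for

Here it is.
"""

if __name__ == "__main__":
    print(originating_hop(WORM))
    print(originating_hop(LEGIT))
    print(storm_sources([WORM] * 5 + [LEGIT], threshold=3))
```

The IP this returns is the one to hand to the university's abuse desk or to add to a block list; the forwarder's relay address is deliberately excluded, since that is exactly the address that could not be blocked in the situation described.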

I did receive a reply from the university. Bigfoot never responded. At 12:05 PM, 4 hours and 38 minutes after the attack began, 1 hour and 39 minutes after I contacted the university, the worm storm stopped.

In addition to the messages with worm payloads, I received several undeliverable-message bounces. Sobig.F forges From: addresses from the same pool of addresses it targets. I also received some automated replies from auto-responder addresses that had been targeted by the worm and where my address had been forged as the source address.

I narrowly escaped exceeding my daily message limit at Bigfoot and, thankfully, I got the important e-mail message I was expecting.

Without any feedback from Bigfoot, and with only the acknowledgement that my message had been received and was being investigated at the university in Sweden, I don't know where to give credit for stopping the attack. It is, of course, possible that neither was directly responsible. The user of the infected machine may have found and fixed the problem.

In any case, the Sobig.F attack demonstrated that worms can have devastating effects even on systems that are properly protected and not vulnerable to direct infection.


About this weblog

This site is the personal weblog of Marc Mims. You can contact Marc by sending e-mail to:

Marc writes here about cycling, programming, Linux, and other items of personal interest.
