Sobig.F worm could have originated on Usenet

The Sobig.F worm, which is estimated to have infected more than 100,000 computers and generated tens of millions of e-mails, could have begun life disguised as a pornographic picture in a posting to a handful of Usenet newsgroups.

Easynews Inc., a Phoenix, Ariz.-based provider of Usenet access, said it was served by the U.S. Federal Bureau of Investigation (FBI) with a subpoena relating to an account on its service that had been used to post the worm to Usenet. Easynews said it released customer records relating to the account to the FBI after receiving a copy of the subpoena on Friday morning.

Details of one posting made using the account were released by Easynews. It shows a posting on Monday, August 18 at 19:46 GMT (3:46 p.m. EDT) to six newsgroups: alt.binaries.amp, alt.binaries.boneless, alt.binaries.nl, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica and alt.binaries.pictures.erotica.amateur.female.

The posting had the title “Nice, who has more of it? DSC-00465.jpeg” and contained a photo which, when clicked on, infected the browser’s computer with the worm, said Easynews.

The company said the account in question appears to have been created with a stolen credit card for the sole purpose of uploading the virus to Usenet and was created a matter of minutes before the posting was made.

A search of Google’s Usenet archive appears to back this up. It reveals a test posting carrying the same sender e-mail address listed in the worm posting – misiko@dot.com – was made to the alt.alt.test newsgroup nine minutes before the posting detailed by Easynews. That posting contained a short string of “1”s.

Realtime Communications, an Austin, Tex., Internet service provider which operates the dot.com domain, said the e-mail account listed in the posting is a fictitious one.

“The domain dot.com has only three e-mail addresses, and the address misiko@dot.com has never existed,” a spokesperson said by e-mail on Sunday. “It is trivial to put a fake e-mail address on a Usenet posting. In fact most people do this as a matter of habit, to prevent their e-mail address being captured by a spammer.”

Two news reports Sunday, on the Web sites of the National Post and Ottawa Citizen, said investigators had discovered the Usenet posting was made from a personal computer in British Columbia that had been infected by the virus.

Usenet is a vast distributed network made up of thousands of discussion groups, called newsgroups. It predates the World Wide Web as an Internet application and subjects up for discussion on Usenet are as varied as the millions of people that use it. Some bring together computer engineers working on modifications to the Linux operating system while others are concerned with, for example, Eastern European culture, apartments for rent, astronomy, classic cars, political discussion and pornography.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now