Jupitermedia Corp., publisher of the internet.com Network, to which turk-internet.com also belongs, has stated that it is not the source of this worm but, on the contrary, a victim like the other affected companies. Jupitermedia also said it has referred the matter to the legal authorities.
Symantec's Sobig-F pages now also state that the worm did not originate from Jupitermedia. The e-mail spoofing was first highlighted by Symantec on a page of its Web site detailing Sobig-F; the anti-virus company has since updated its Sobig.F advisory to confirm that Jupitermedia is NOT the sender.
“The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company,” Symantec said in its revised advisory.
F-Secure also updated its alerts to confirm that the sender information on the e-mails “is wrong and doesn’t indicate the real infected user.”
Because anti-virus definitions and e-mail filters have been updated to block mail from the [email protected] address, every rejection notice for a worm message goes back to the forged sender rather than to the infected machine. As a result, Jupitermedia's IT administrators have been working overtime to deal with millions of bounces on Monday and Tuesday, when Sobig.F started wreaking havoc.
Jupitermedia CTO Mark Berns told internetnews.com the company had already handled more than 3 million bounced e-mails in the past two days. On a normal day, bounced e-mails total about 120,000, but Berns said returned mail to the spoofed [email protected] address has been a nightmare to deal with.
“So far today, we’ve received about one and a half million bounced mails. The anti-virus definitions have been updated to block mails from that address, which is theoretically what they’re supposed to do. So, we are being bombarded with the bounces. It is saturating our network and hogging bandwidth,” Berns explained.
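The bounce flood described above is classic backscatter: the worm forges the From: header, the receiving site rejects the message, and the delivery status notification (DSN) goes to the forged address. The script below, an added example that is not part of the original article or of any vendor tooling, shows how a mail administrator on the spoofed domain can triage incoming messages: DSNs addressed to the forged mailbox are labelled backscatter and can be dropped, while worm mail carrying the forged From: is traced to its real origin through the earliest Received: header, which is what F-Secure means when it says the sender information does not indicate the real infected user. The spoofed address, the network ranges and both sample messages are constructed for this example; the article does not give the actual local part of the address.

```python
import ipaddress
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumptions for the example: the forged sender and the networks we operate.
SPOOFED_ADDRESS = "admin@example.invalid"
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample 1: a DSN returned to the forged address (null envelope sender).
BOUNCE = b"""Return-Path: <>
Received: from mx1.isp.example (mx1.isp.example [192.0.2.10])
  by mail.example.invalid with ESMTP; Tue, 19 Aug 2003 10:00:00 -0400
From: Mail Delivery System <MAILER-DAEMON@isp.example>
To: <admin@example.invalid>
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message could not be delivered: virus detected.
--B1--
"""

# Constructed sample 2: worm-generated mail with a forged From:, injected by an
# infected dial-up host that handed it to its ISP relay.
WORM_MAIL = b"""Return-Path: <admin@example.invalid>
Received: from mail.isp.example (mail.isp.example [192.0.2.20])
  by mx.example.invalid with ESMTP; Tue, 19 Aug 2003 09:55:00 -0400
Received: from unknown (HELO tyler) [198.51.100.23]
  by mail.isp.example with SMTP; Tue, 19 Aug 2003 09:54:50 -0400
From: <admin@example.invalid>
To: <victim@example.org>
Subject: Re: Details

See the attached file for details.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(msg):
    """Client IP from the earliest (bottom-most) Received: header, or None.

    Headers above it were added by relays we can trust only as far as we trust
    them; the From: header is never used for attribution.
    """
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(str(hop))
        if m:
            return m.group(1)
    return None


def is_bounce(msg):
    """A DSN has a null envelope sender and a multipart/report body (or auto-replied)."""
    null_sender = str(msg.get("Return-Path", "")).strip() == "<>"
    report = msg.get_content_type() == "multipart/report"
    auto = str(msg.get("Auto-Submitted", "")).lower().startswith("auto-replied")
    return null_sender and (report or auto)


def classify(raw):
    """Return {'kind': ..., 'origin_ip': ...} for one raw RFC 2822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    origin = origin_ip(msg)
    ours = origin is not None and any(
        ipaddress.ip_address(origin) in net for net in OUR_NETWORKS)

    if is_bounce(msg) and to_addr == SPOOFED_ADDRESS:
        kind = "backscatter"      # we never sent the original; safe to discard
    elif from_addr == SPOOFED_ADDRESS and not ours:
        kind = "forged_sender"    # report origin_ip to its ISP, not the From: address
    elif from_addr == SPOOFED_ADDRESS:
        kind = "internal"         # genuinely from our own infrastructure
    else:
        kind = "other"
    return {"kind": kind, "origin_ip": origin}


if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE), ("worm", WORM_MAIL)):
        print(name, classify(raw))
```

The backscatter branch is deliberately narrow: it only discards DSNs addressed to the forged mailbox, so legitimate bounces for mail the site really sent are untouched. A site that signs its outbound mail or uses a bounce address tagging scheme can tighten this further, but that is beyond what the article describes.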
“It has been all hands on deck here. My team has been working around the clock just to keep our e-mail flowing. This week has been a challenge like none we’ve seen. It’s the worst we’ve dealt with all the worms,” he said, referring to the Blaster and Welchia viruses that slowed enterprise networks to a crawl for most of the past week.
And, with fears that several new Sobig variants will appear in the future, Berns is resigned to dealing with more headaches in the coming weeks. “Who knows what Sobig.G or Sobig.H will do?”
Sobig-F, which builds on the earlier Sobig worms, turns infected machines into hidden proxy servers. The latest variant is programmed to stop spreading on September 10, but a new variant is expected to hit soon after.
According to F-Secure, Sobig.F comes with a large attachment (around 70KB) and has its own SMTP engine, along with routines to query DNS servers directly and to make requests using the Network Time Protocol (NTP). The worm also has updating capabilities and will attempt to download updated versions when certain conditions are met.
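Each of the capabilities F-Secure lists leaves a network footprint: a host with its own SMTP engine connects to port 25 on many remote mail exchangers instead of handing mail to the corporate relay, it resolves MX records against outside DNS servers rather than the internal resolver, and it talks NTP to servers the organisation does not use. The following script is an added example, not code from the article or from F-Secure, that applies those three indicators to flow records. The flow records, the relay, resolver and NTP allowlists, and the threshold are all constructed assumptions; real values come from the site's own flow collector and mail architecture.

```python
from collections import defaultdict

# Assumed site infrastructure: workstations should only send mail through the
# relay, resolve names through the resolver, and sync time with the NTP server.
MAIL_RELAYS = {"10.0.0.2"}
RESOLVERS = {"10.0.0.3"}
NTP_SERVERS = {"10.0.0.3"}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    # 10.0.0.5: external DNS, direct-to-MX SMTP to four hosts, external NTP
    ("10.0.0.5", "192.0.2.1", 53, "udp"),
    ("10.0.0.5", "198.51.100.5", 25, "tcp"),
    ("10.0.0.5", "198.51.100.6", 25, "tcp"),
    ("10.0.0.5", "198.51.100.7", 25, "tcp"),
    ("10.0.0.5", "198.51.100.8", 25, "tcp"),
    ("10.0.0.5", "203.0.113.9", 123, "udp"),
    # 10.0.0.9: well-behaved workstation
    ("10.0.0.9", "10.0.0.2", 25, "tcp"),
    ("10.0.0.9", "10.0.0.2", 25, "tcp"),
    ("10.0.0.9", "10.0.0.3", 53, "udp"),
    ("10.0.0.9", "10.0.0.3", 123, "udp"),
    # 10.0.0.12: only an external NTP client; not enough on its own
    ("10.0.0.12", "203.0.113.9", 123, "udp"),
    # 10.0.0.14: one direct SMTP connection plus external DNS
    ("10.0.0.14", "198.51.100.5", 25, "tcp"),
    ("10.0.0.14", "192.0.2.1", 53, "udp"),
]


def suspicious_hosts(flows, mail_relays=MAIL_RELAYS, resolvers=RESOLVERS,
                     ntp_servers=NTP_SERVERS, smtp_threshold=3):
    """Return {src_ip: {indicator: distinct_destination_count}} for hosts that
    look like they run their own mail engine.

    A host is reported when it contacted at least `smtp_threshold` distinct
    non-relay SMTP servers, or made at least one such connection and also
    showed external DNS or NTP activity. External NTP alone is not reported.
    """
    direct_smtp = defaultdict(set)
    external_dns = defaultdict(set)
    external_ntp = defaultdict(set)

    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 25 and dst not in mail_relays:
            direct_smtp[src].add(dst)
        elif proto == "udp" and dport == 53 and dst not in resolvers:
            external_dns[src].add(dst)
        elif proto == "udp" and dport == 123 and dst not in ntp_servers:
            external_ntp[src].add(dst)

    findings = {}
    for host in set(direct_smtp) | set(external_dns) | set(external_ntp):
        smtp_n = len(direct_smtp[host])
        dns_n = len(external_dns[host])
        ntp_n = len(external_ntp[host])
        corroborated = smtp_n >= 1 and (dns_n or ntp_n)
        if smtp_n >= smtp_threshold or corroborated:
            findings[host] = {"direct_smtp": smtp_n,
                              "external_dns": dns_n,
                              "external_ntp": ntp_n}
    return findings


if __name__ == "__main__":
    for host, indicators in sorted(suspicious_hosts(FLOWS).items()):
        print(host, indicators)
```

Blocking outbound port 25 from workstations at the border, so only the relay can reach external mail exchangers, both stops this spreading path and turns the first indicator into a clean firewall deny log rather than a heuristic.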