Attack Analysis: Observation of the Sobig.F Worm

Authors: Thomas Dübendorfer, duebendorfer@tik.ee.ethz.ch, Arno Wagner, wagner@tik.ee.ethz.ch
Initial version: August 20th, 2003
For a more detailed analysis, we refer to our DIMVA 2005 paper on Blaster and Sobig.F.

Introduction

On 19 August 2003 the W32/Sobig.F e-mail worm first appeared. It is a malicious program for MS Windows systems that must be explicitly executed by the user before it installs and activates itself.

The worm ships with its own mail transfer agent and replicates by sending slightly enlarged or reduced copies of itself as an e-mail attachment of roughly 70 kBytes. Recipient and sender addresses are both picked from the local e-mail address book, so the sender address is spoofed and the attachment appears to come from a person the recipient knows.

An additional "feature" of the worm is an update mechanism: on predefined dates it downloads new code from a set of predefined computers. Through timely intervention by network operators and system administrators this mechanism could be blocked by shutting down all 20 master servers. On 10 September 2003 the original worm is believed to deactivate itself and thereby stop spreading. It takes the date and time from predefined public time servers (NTP) rather than from the local computer's clock, so it cannot be tricked by changing the local clock.

The characteristic signal for monitoring the spread of Sobig.F is a sharp increase in activity on the e-mail service (SMTP, 25/TCP).

Below are some observations of the network traffic the Sobig.F worm generated in the SWITCH network, a moderately sized backbone carrying roughly 5% of all Internet traffic to and from hosts in Switzerland.

Observation Setup

The graphs are based on Cisco NetFlow data exported by the SWITCH border routers. Because of the amount of data captured, it is split into one-hour intervals, which currently start and end 20 minutes past the full hour (for example 14:20 to 15:20). For all graphs the time given is the start time of such an interval.

Processing a one-hour interval of data to generate these graphs took about 15 minutes on an Athlon XP 2200+.

Interpretation

The first graph shows the total number of bytes per hour transferred as e-mail (SMTP) traffic over the border routers of the SWITCH network. A daily rhythm is clearly visible: the five weekdays carry rather heavy traffic with a maximum of around 5 GiBytes per hour, whereas on Saturdays and Sundays traffic is considerably lower. The lunch break is also nicely visible on weekdays.

On Tuesday, 19 August, starting at 14:20 local Swiss time, there is a huge increase in bytes transferred, rising to around 22 GiBytes/hour, more than four times the ordinary level. This can be regarded as the outbreak of the Sobig.F worm.

The second graph shows the number of connections per hour split by origin of the e-mail sender (inside or outside the SWITCH network). Interestingly, on Saturday 8 August 2003 there is a short peak of twice as many connections as normal, coming from outside the SWITCH network.

The actual Sobig.F outbreak starts on 19 August around noon. The number of outgoing e-mail connections per hour rises from around 90,000 between 11:20 and 12:20 to 320,000 between 14:20 and 15:20.

The third graph shows the number of unique hosts per hour sending e-mail. Astonishingly, this number rises unexpectedly from around 2,600 to 12,500 on 11 August at 20:20. After some peaks it remains at a much higher level than before. This could indicate an early pre-infection phase, possibly of a Sobig.F variant, that was not noticeable in the amount of e-mail data transferred. The reasons will be investigated further.

Local time in Switzerland is CEST (UTC+2); subtract 2 hours to get UTC.

Limitations in this Observation

  • No attempt was made to distinguish normal e-mail from Sobig.F-generated connections to SMTP port 25/TCP.
  • There is some (not much) transit traffic in the SWITCH network. Flows in transit, which enter and leave through SWITCH border routers, are currently counted twice.
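To make the three measurements from the Interpretation section and the transit caveat above concrete, here is an added example; it is not the DDoSVax project's own processing code. It buckets NetFlow-style records into one-hour intervals aligned at 20 minutes past the hour, computes SMTP bytes per interval, connections per interval split by inside/outside origin, and unique sending hosts, and collapses transit flows that appear once per border router so that they are counted once. The "inside" address range, the exporter names, the record fields, the explanation of the double count as one export per border router, and all sample flows are assumptions constructed for illustration; the real SWITCH prefixes and NetFlow export format are not on this page.

```python
"""Added example (not from the DDoSVax page): hourly SMTP indicators from
NetFlow-style records. All addresses, exporters and flows are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed stand-in for the monitored network (RFC 5737 documentation range).
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SMTP_PORT = 25
TCP = 6


def is_inside(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def interval_start(ts, offset_minutes=20):
    """Start of the one-hour interval containing ts; intervals begin at
    hh:20 as on the page, so 14:25 -> 14:20 and 14:10 -> 13:20."""
    shifted = ts - timedelta(minutes=offset_minutes)
    return shifted.replace(minute=0, second=0, microsecond=0) + timedelta(minutes=offset_minutes)


def smtp_flows(flows):
    """One NetFlow record per TCP connection attempt towards port 25."""
    return [f for f in flows if f["proto"] == TCP and f["dport"] == SMTP_PORT]


def dedupe_transit(flows):
    """Assumption: a transit flow (neither endpoint inside) is exported by the
    entering and the leaving border router, so the same flow appears twice.
    Keep the first record of each such flow, identified by 5-tuple and start."""
    seen, out = set(), []
    for f in flows:
        if not is_inside(f["src"]) and not is_inside(f["dst"]):
            key = (f["src"], f["dst"], f["proto"], f["sport"], f["dport"], f["first"])
            if key in seen:
                continue
            seen.add(key)
        out.append(f)
    return out


def hourly_stats(flows):
    """Per interval: SMTP bytes, connections by origin, unique sending hosts."""
    acc = defaultdict(lambda: {"bytes": 0, "conn_inside": 0, "conn_outside": 0, "senders": set()})
    for f in smtp_flows(flows):
        s = acc[interval_start(f["first"])]
        s["bytes"] += f["bytes"]
        s["conn_inside" if is_inside(f["src"]) else "conn_outside"] += 1
        s["senders"].add(f["src"])
    return {t: {"bytes": s["bytes"], "conn_inside": s["conn_inside"],
                "conn_outside": s["conn_outside"], "unique_senders": len(s["senders"])}
            for t, s in acc.items()}


def flag_outbreak(stats, baseline_bytes, factor=4.0):
    """Intervals whose SMTP volume exceeds factor x baseline (the page saw
    ~22 GiB/h against a ~5 GiB/h weekday maximum at the outbreak)."""
    return sorted(t for t, s in stats.items() if s["bytes"] > factor * baseline_bytes)


def make_flow(exporter, first, src, dst, sport, nbytes, proto=TCP, dport=SMTP_PORT):
    return {"exporter": exporter, "first": first, "src": src, "dst": dst,
            "proto": proto, "sport": sport, "dport": dport, "bytes": nbytes}


T = datetime(2003, 8, 19, 13, 30)  # CEST, shortly before the outbreak (constructed)
SAMPLE_FLOWS = [
    # interval 13:20-14:20: two inside senders and one outside sender
    make_flow("r1", T, "192.0.2.10", "198.51.100.5", 40001, 4000),
    make_flow("r1", T + timedelta(minutes=5), "192.0.2.11", "198.51.100.6", 40002, 6000),
    make_flow("r2", T + timedelta(minutes=30), "203.0.113.7", "192.0.2.20", 50001, 5000),
    # a DNS flow: not SMTP, must be ignored
    make_flow("r1", T, "192.0.2.10", "198.51.100.53", 40010, 300, proto=17, dport=53),
    # one transit flow seen by both border routers: must be counted once
    make_flow("r1", T + timedelta(minutes=40), "203.0.113.8", "198.51.100.9", 50002, 7000),
    make_flow("r2", T + timedelta(minutes=40), "203.0.113.8", "198.51.100.9", 50002, 7000),
    # interval 14:20-15:20: one infected inside host mailing ~70 kB copies
    *[make_flow("r1", T + timedelta(minutes=55 + i), "192.0.2.99",
                f"198.51.100.{10 + i}", 41000 + i, 72000) for i in range(5)],
]


def run_sample():
    return hourly_stats(dedupe_transit(SAMPLE_FLOWS))


if __name__ == "__main__":
    stats = run_sample()
    for t in sorted(stats):
        print(t.strftime("%Y-%m-%d %H:%M"), stats[t])
    print("outbreak intervals:", flag_outbreak(stats, baseline_bytes=22000))
```

Running `hourly_stats` on the raw records instead of on `dedupe_transit(...)` reproduces the double count the page warns about: the transit flow adds its bytes and an outside connection twice. The outbreak threshold is deliberately a plain multiple of a baseline, matching the "more than four times the ordinary level" observation; a production detector would use a per-hour-of-week baseline because of the daily and weekly rhythm the first graph shows.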

(c) 2004  DDoSVax at TIK CSG ETH Zurich, Thomas Dübendorfer, Arno Wagner, last change: 4th May 2004