Heads-up: Sober Spam wave started last night
Just a heads up to prevent unnecessary concern: last June, the Sober worm, once it had stopped spreading and the machines were "own3d", began spewing all sorts of mass mailings of German-language right-wing propaganda which flooded mailboxes.
It's BAAAaaaack! 
Started for us yesterday afternoon, with hundreds of emails per hour in German with such prize subject lines as:
Multi-Kulturell = Multi-Kriminell [Multicultural = multicriminal]
Volk wird nur zum zahlen gebraucht! [The people are only needed to pay!]
Auslaender bevorzugt [Foreigners preferred]
Paranoider Deutschenmoerder kommt in Psychiatrie [Paranoid murderer of Germans sent to psychiatric ward]
Du wirst ausspioniert ....! [You are being spied on ....!]
Blutige Selbstjustiz [Bloody vigilante justice]
... and many more. Chances are you'll see lots of these if you're in the address books of the remaining infected spam zombies that still have Sober.o/p/whatever on the machine.
The emails contain links; there is NO VIRUS in the emails. So when you receive these, don't get nervous, just delete them and train your spam filters on the subject lines until you've collected them all.
Annoying and will flood mailboxes, but NO infection inside. Just delete them and hopefully it will end. Might want to check your mailbox more often though should you start getting these - it'll fill up FAST if you're "on the list."
These machines will likely follow the history of the last wave of this last year and will soon be spewing ads for all those pills that your girlfriend somehow needs. (grin) -- Kevin McAleavey, support@nsclean.com (Makers of BOClean anti-malware protection) »www.nsclean.com
Owlbet (Ignite the Ice; Premium, MVM; join: 2002-09-24; Palmer, AK) | Thank you for the heads up.
It's flooding mailboxes here too.
It's madness on a halfshell ... and it's going to go on for a while, just like the last outbreak last year. And the Austrians KNOW who is doing this.
No virus in the emails though, just a matter of deleting the witches and training your spam filter on the subject lines. Once you've captured them all, off to the shining bitbucket they go and nobody gets hurt. 
Just as long as folks are prepared to know that it isn't them, because the NEXT bad news is the BOUNCES from Hotmail and others claiming that *YOU* sent them. All addresses, to and fro, are SPOOFED ... that's why I figured I'd better spread the word, since apparently it's not quite in full swing yet. Later today should be madness and a half. -- Kevin McAleavey, support@nsclean.com (Makers of BOClean anti-malware protection) »www.nsclean.com
rpu812 (Huh? What?; Premium; join: 2001-10-07; Catonsville, MD) | reply to K McAleavey: Thanks for the heads-up, Kevin.
justin (Australian; join: 1999-05-28; New York, NY; kudos: 7) | reply to K McAleavey
It started for various BBR office accounts right on the button at 8 pm EST. SpamAssassin isn't catching all of them because (a) they aren't spammy and (b) they come from random home IPs, not many of which have been previously ID'd as spam generators by the various blackhole services.
Was this dialed-in behavior already known about well before today by disassemblers? Any other surprises due?
Ben Cisco (Embrace Intellect; Premium; join: 2001-12-13; Wormhole) | reply to K McAleavey: SpamCop reports that the ISP has "indicated that the spam will stop" - problem was resolved sometime after midnight...
Nah, they're still coming, though not in as significant a quantity as last night. Postini and the others are doing a yeoman's job of router updates.
No signs in the code of Sober.lmnop/whatever of it being anything more than the usual proxy, SMTP engine and bot. Same old, same old ... but that DOES explain the "lull" in the infection stage. Spammer quota met, since Sober is nothing more than a spam relay in the first place. Figures the "tests" would begin. But it's still alive, though not quite as vigorous as it was earlier.
Examination of earlier source code, when the author was a little bit more open, showed that the whole SOBER thing was the result of his upset over the jailing of an Austrian "hacker" friend of his ... well-known case. This guy was one of that "crew" ... he said so in his code in earlier versions. -- Kevin McAleavey, support@nsclean.com (Makers of BOClean anti-malware protection) »www.nsclean.com
dadkins (Can you do Blu?; Premium, MVM; join: 2003-09-26; Hercules, CA; kudos: 18) | reply to K McAleavey: Thanks for the Heads Up, Kevin!
»www.viruslist.com/en/weblog
bcool (Premium; join: 2000-08-25; The Ozarks) | reply to K McAleavey: Wow! I was about to blame my German friend for flooding my Gmail account with the articles - one e-mail in particular caught my eye because it was in English: "Dresden Bombing Is To Be Regretted Enormously", of course about the February 13, 1945 bombing of Dresden, Germany by the British Royal Air Force. Anyway, the link took me to what appeared to be a legitimate article on the SPIEGEL (German-language newspaper) website. So I shouldn't be in trouble for just viewing the article, right? There's no indication of any trouble. The balance of the e-mails have been banished to oblivion. -- "in flagrante delicto"
EGeezer (Summertime; Premium; join: 2002-08-04; Midwest; kudos: 7) | reply to K McAleavey
Re: Heads-up: Sober Spam
I'm dealing with the results right now - two days ago, I saw dozens of these in inboxes of ours and traced them back to the DIALUP IP block of a small ISP that one of our relatives uses. I called them and stepped them through updating their McAfee (supposedly AV/AT firewall) and running a scan. He scanned and found 22 viruses per his report. Clean, reboot, clean, reboot until the scan ran OK.
Well, last night, same thing. Only 142 of the emails were in our two inboxes. I called. He said, "The PC hasn't been on." Then I see another 5 or 6 come in. I said, "I just got another round - are you sure?" He checked. "It is on. My wife just logged in to check her email. And grandson was on the web earlier getting info for homework." They are all intelligent but nontechnical "safe hex" users, of the ilk that "if it's not something I know, I don't go there or open it". However, that doesn't rule out a McAfee misconfiguration or an errant keystroke/mouse click.
Wish I could do more, but I'm a thousand miles away and can't step him through McAfee since I don't know what product he has and I'm not familiar with the screens. I did tell him to update, scan again and contact the ISP and let them know he's trying to fix it.
I hope I can get him to this forum, but with dialup he's gonna be hard pressed to D/L and run all the apps in the FAQ.
kpatz (MY HEAD A SPLODE; Premium; join: 2003-06-13; Manchester, NH) | No hits here yet.
Spammers should be jailed.
Spammers who use trojan proxies/viruses should be put to a slow, painful death.
Virus writers who accept money from spammers should be shot into deep space... WITHOUT a space suit.
'Nuff said. -- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |
EGeezer (Summertime; Premium; join: 2002-08-04; Midwest; kudos: 7)
POSTFIX filter for sober spam
From SANS ISC link at »isc.sans.org/diary.php; quote: One of our readers, Eric, provided a postfix regex file that can be used to filter these German spams. Thanks for this, Eric.
Typically this is enabled through the main.cf file of postfix:
header_checks = regexp:/usr/local/etc/postfix/headfilt.regex
----- headfilt.regex file contents -------
# Sober.q subject lines; first matching rule wins, HOLD parks the message in the hold queue for review
/^Subject:.*Augen auf/ HOLD
/^Subject:.*Auslaenderpolitik/ HOLD
/^Subject:.*Blutige Selbstjustiz/ HOLD
/^Subject:.*Deutsche Buerger/ HOLD
/^Subject:.*Deutsche werden kuenftig beim/ HOLD
/^Subject:.*Dresden Bombing Is To Be Regretted Enormously/ HOLD
/^Subject:.*Du wirst zum Sklaven gemacht/ HOLD
/^Subject:.*Gegen das Vergessen/ HOLD
/^Subject:.*Graeberschaendung auf bundesdeutsche/ HOLD
/^Subject:.*Jahre Befreiung/ HOLD
/^Subject:.*Multi\-Kulturell/ HOLD
/^Subject:.*Paranoider Deutschenmoerder kommt/ HOLD
/^Subject:.*Polizei schlaegt Alarm/ HOLD
/^Subject:.*Transparenz ist das Mindeste/ HOLD
/^Subject:.*Tuerkei in die/ HOLD
/^Subject:.*Volk wird nur zum zahlen/ HOLD
/^Subject:.*Vorbildliche Aktion/ HOLD
/^Subject:.*Whore Lived Like a German/ HOLD
/^Subject:.*wirst ausspioniert/ HOLD
---- end of file contents ------
justin (Australian; join: 1999-05-28; New York, NY; kudos: 7) | That would be better if it were complete, but looking at mine, I already see half a dozen other subjects as well as these.

Here's a longer list:
/^Subject:.*Armenian Genocide Plagues Ankara/ HOLD
/^Subject:.*Augen auf/ HOLD
/^Subject:.*Auslaender bevorzugt/ HOLD
/^Subject:.*Auslaenderpolitik/ HOLD
/^Subject:.*Blutige Selbstjustiz/ HOLD
/^Subject:.*Deutsche Buerger/ HOLD
/^Subject:.*Deutsche werden kuenftig beim/ HOLD
/^Subject:.*Dresden 1945 / HOLD
/^Subject:.*Dresden Bombing Is To Be Regretted Enormously/ HOLD
/^Subject:.*Du wirst ausspioniert/ HOLD
/^Subject:.*Du wirst zum Sklaven gemacht/ HOLD
/^Subject:.*Gegen das Vergessen/ HOLD
/^Subject:.*Graeberschaendung auf bundesdeutsche/ HOLD
/^Subject:.*Hier sind wir Lehrer die einzigen Auslaender/ HOLD
/^Subject:.*Jahre Befreiung/ HOLD
/^Subject:.*Massenhafter Steuerbetrug durch auslaendische/ HOLD
/^Subject:.*Multi\-Kulturell/ HOLD
/^Subject:.*Osteuropaeer durch Fischer-Volmer Erlass/ HOLD
/^Subject:.*Paranoider Deutschenmoerder kommt/ HOLD
/^Subject:.*Polizei schlaegt Alarm/ HOLD
/^Subject:.*Schily ueber Deutschland/ HOLD
/^Subject:.*Transparenz ist das Mindeste/ HOLD
/^Subject:.*Trotz Stellenabbau/ HOLD
/^Subject:.*Tuerkei in die/ HOLD
/^Subject:.*Turkish Tabloid Enrages Germany with Nazi Comparisons/ HOLD
/^Subject:.*Verbrechen der deutschen Frau/ HOLD
/^Subject:.*Volk wird nur zum zahlen/ HOLD
/^Subject:.*Vorbildliche Aktion/ HOLD
/^Subject:.*Whore Lived Like a German/ HOLD
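A way to dry-run a header_checks table like the two posted in this thread (the headfilt.regex file from the SANS ISC diary and the longer list just above) before putting it in front of thousands of users. This is an added example, not code from the thread, from SANS ISC or from Postfix itself: it emulates in Python the regexp_table(5) semantics these rules depend on (one "/pattern/flags action" rule per line, "#" comments, case-insensitive matching unless the "i" flag toggles it off, first matching rule wins) and runs a constructed subset of the posted rules over constructed sample header lines. The rule subset, the sample headers and all function names are this example's own; "if"/"endif" blocks and negated "!/pattern/" rules are not emulated.

```python
"""Dry-run a Postfix header_checks regexp table before deploying it.

Added example, not code from the thread or from Postfix. Emulates the
regexp_table(5) behaviour the posted rules rely on: one "/pattern/flags
action" rule per line, "#" comments, case-insensitive matching by default
("i" toggles it off), first matching rule wins. The rule text and the
sample header lines below are constructed for this example.
"""
import re

# Constructed subset of the rules posted above, in the same file format.
HEADFILT_REGEX = r"""
# Sober.q subject lines (subset, constructed for this example)
/^Subject:.*Multi\-Kulturell/ HOLD
/^Subject:.*Volk wird nur zum zahlen/ HOLD
/^Subject:.*Dresden Bombing Is To Be Regretted Enormously/ HOLD
/^Subject:.*Du wirst ausspioniert/ HOLD
/^Subject:.*Can you believe this still happens today/ HOLD
"""

# "/pattern/flags action"; the pattern may contain backslash-escaped slashes.
RULE_LINE = re.compile(
    r"^/(?P<pattern>(?:\\.|[^/\\])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>\S.*)$"
)


def parse_regexp_table(text):
    """Return a list of (compiled_regex, action) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported rule syntax: {raw!r}")
        # Postfix matches case-insensitively by default; the "i" flag toggles that off.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pattern"), flags), m.group("action").strip()))
    return rules


def header_action(rules, header_line):
    """Action for one header line ("Name: value"), or None if no rule matches."""
    for pattern, action in rules:
        if pattern.search(header_line):  # first matching rule wins
            return action
    return None


def first_hit(rules, headers):
    """(action, header) for the first header that triggers a rule, else (None, None)."""
    for header in headers:
        action = header_action(rules, header)
        if action is not None:
            return action, header
    return None, None


# Constructed sample headers: a plain Sober subject, an upper-cased copy,
# a legitimate mail, and a Sober subject sent as an RFC 2047 encoded-word.
SOBER_HEADERS = ["From: someone@example.net", "Subject: Multi-Kulturell = Multi-Kriminell"]
MIXED_CASE_HEADERS = ["Subject: VOLK WIRD NUR ZUM ZAHLEN gebraucht!"]
CLEAN_HEADERS = ["From: colleague@example.com", "Subject: Meeting notes for Monday"]
ENCODED_HEADERS = ["Subject: =?ISO-8859-1?Q?Du_wirst_ausspioniert?="]

if __name__ == "__main__":
    table = parse_regexp_table(HEADFILT_REGEX)
    for name, hdrs in [("sober", SOBER_HEADERS), ("mixed-case", MIXED_CASE_HEADERS),
                       ("clean", CLEAN_HEADERS), ("rfc2047", ENCODED_HEADERS)]:
        print(name, first_hit(table, hdrs))
```

On a real Postfix box the equivalent check is `postmap -q "Subject: Augen auf" regexp:/usr/local/etc/postfix/headfilt.regex`, which prints the action a header line would get. Two things the dry run makes visible: the rules are case-insensitive by default, so `/^Subject:.*Augen auf/` also catches `AUGEN AUF`; and Postfix matches the raw header text without decoding RFC 2047 encoded words, so a subject sent as `=?ISO-8859-1?Q?Du_wirst_ausspioniert?=` slips past every pattern in the list, while the plain-ASCII transliterated subjects reported in this thread are caught. HOLD parks matches in the hold queue rather than discarding them; at hundreds of mails per hour that queue fills fast, so review it with `postqueue -p` and purge it with `postsuper -d ALL hold` once you are sure nothing legitimate is being held.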
EGeezer (Summertime; Premium; join: 2002-08-04; Midwest; kudos: 7) | reply to K McAleavey
Sober development and rollout
From my little perch, the number of infected sources is low, but the emails are numerous.
[SWAG] This infection looks like more of a beta project to see how well it works. Variants may already be in test. Based on the successes of this multi-stage rollout and the variants being tested, malware writers may initiate a more profitable version for themselves. Today, harmless irritating web links - next, malware and exploit pages. [/SWAG]
sporkme (drop the crantini and move it, sister; Premium, MVM; join: 2000-07-01; Morristown, NJ) | reply to Eric2005
Re: POSTFIX filter for sober spam
Is that pretty much the canonical list of ALL subject lines this thing is spewing?
Anyone have SpamAssassin rules cooked up for this yet?
edit: Found this: »mailscanner.prolocation.net/german.cf
I'm not sure I agree with the "8" score, but I may tone it down and give it a shot. Still reading the SA archives from yesterday...
pcdebb (RIP dadkins; Premium; join: 2000-12-03; Brandon, FL; kudos: 4) | reply to K McAleavey
Re: Heads-up: Sober Spam wave started last night
Quiet on all my email accounts. But I have a stupid question: if it has no virus attached, then how/why is it a Sober variant? Is the link itself malicious? -- babbling
reply to sporkme
Re: POSTFIX filter for sober spam
It's the canonical list of Sober.q-looking subjects that have hit my external mail relays (10,000 users) since about 9 PM EST last night.
1 addition to that list (an English subject threw me off):
/^Subject:.*Can you believe this still happens today/ HOLD