[ISN] Russian Denies Authoring "SoBig" Worm

[InfoSec News]

http://www.oreillynet.com/pub/a/network/2004/11/02/sobig.html

By Brian McWilliams
11/02/2004

A Russian developer of bulk email software flatly denied reports that
he or his company is in any way connected to the virulent SoBig
computer worm.

Ruslan Ibragimov, owner of Russia-based Send-Safe, said an anonymously
published document falsely accuses him of authoring SoBig, which was
rampant on the internet in 2003.

"It's bullshit," said Ibragimov in an online interview on Monday.

The report, "Who Wrote SoBig?" (a copy of which is available here)
includes a 48-page technical analysis of both SoBig and the Send-Safe
bulk email program. The similarities between the software "should be
considered as significant as finding a fingerprint on a murder
weapon," concluded the document's pseudonymous creator, "Author
Travis."

Since SoBig was first identified in January 2003, experts have
suspected that the worm was created in order to turn infected PCs into
"Trojan"  proxies that could be used to send spam anonymously. Author
Travis is the first to publicly finger a specific spam operation as
the source of the worm.

Ibragimov, 30, said no one from the FBI or any other law enforcement
agency has ever contacted him about the SoBig worm. He rejected the
report's forensic analysis and said that it reached faulty technical
conclusions.

The report noted, for example, a strong similarity in the email
headers created by Send-Safe and SoBig. But Ibragimov said Send-Safe
chose the particular order of headers merely to mimic Outlook Express
and to better evade spam filters.

Ibragimov also said that the roughly similar release dates of new
Send-Safe versions and updates of SoBig were purely a coincidence and
not an indication that the programs were both written by the same
person.

"We have released new builds [of Send-Safe] every week and a new
version every month," Ibragimov said.

Ibragimov also commented that there's a painful irony in the
accusation that Send-Safe wrote the SoBig worm in order to assemble a
collection of "Trojaned" proxies.

"Trojans killed my business," he said, noting that many of his
customers have recently migrated to "cracked" (pirated) versions of
spamware programs such as Dark Mailer, for which they purchase lists
of Trojaned proxies from hackers.

According to Ibragimov, Send-Safe provides customers with a list of
proxies gathered by scanning the internet for computers configured as
proxy servers. He claims that the report incorrectly states that
Send-Safe, like SoBig, primarily uses proxies on obscure port
addresses. The current list of 937 proxies provided to Send-Safe
customers includes 682 using standard proxy ports--ports 80, 8080,
3128, and 1080.

The Send-Safe mailer does allow users to supply their own proxies.  
Ibragimov admitted that some customers might have obtained Trojaned
proxies from other sources and used them with the Send-Safe mailer.

Comments on Send-Safe's discussion forum appear to confirm that the
company has had trouble providing users with sufficient proxies for
sending spam.  Over the past 16 months, customers have frequently
reported problems with proxies. On September 9, Ibragimov responded to
one complaint about the service this way: "Proxy count is just a
little lower than usual. We are looking for a good proxy provider for
our users."

Ibragimov said his company, which employs three people, currently has
around thirty users, sharply down from the hundreds it served just a
year ago.

In an email, Author Travis declined to answer questions about the
report.  According to the document, the authors provided the
information to law enforcement over a year ago. They decided to go
public with the report in hopes of spurring additional research into
their theory that Send-Safe is the culprit behind SoBig.

According to the document, the authors' forensic analysis of SoBig
predates Microsoft's offer of a $250,000 reward for the apprehension
and conviction of SoBig's creator. A Microsoft representative Monday
said the company had no comment on the SoBig report. An investigation
by law enforcement into SoBig is still underway, said the
representative.

"Who Wrote SoBig" was published anonymously, according to its authors,
because "associating this paper with any specific company,
organization, group, or individual will only serve to detract from the
investigation."

Ibragimov said he had no idea who authored the anonymous report. When
asked whether he had any idea who might have written SoBig, Ibragimov
said, "No.  There are a million good programmers in the world."