[ntp:questions] SoBig.F uses NTP?

Nelson Minar nelson at monkey.org
Sat Aug 23 15:45:34 UTC 2003

Just ran into this interesting tidbit in an analysis of the SoBig.F
email worm that's clogging the Internet right now:

  W32/Sobig-F uses the Network Time Protocol (NTP) to access one of
  several servers in order to determine the current date and time.

  If the time returned by the NTP server is between 19:00 and 22:00
  UTC+0 which is 8pm-11pm UK time) on Friday or Sunday, W32/Sobig-F
  sends a UDP packet to port 8998 of a remote server. This feature
  could be used to download and run a Trojan or additional worm


The bit about SoBig downloading a new payload has been widely
reported, but I didn't know it used NTP to pick the date.

This gives an easy way to track the growth of SoBig over time; just
look at the NTP traffic growth on whichever servers were being used by
SoBig. Anyone out there have info they want to share?

More information about the questions mailing list