SoBig to enter second phase
In about an hour and a half, SoBig could get a lot worse. The worm is scheduled to get a download address for an unknown program from one of 20 computers spread across the US, Canada, and South Korea, but no one knows what that program will do. It also doesn't look like officials will be able to shut down all 20 of the machines that will offer the download URL:
"As soon as we were able to crack the encryption used by the worm to hide the list of the 20 machines, we've been trying to close them down," explains Mikko Hypponen. F-Secure has been working with officials, authorities and various CERT organizations to disconnect these machines from the Internet. "Unfortunately, the writers of this virus have been waiting for this move too." These 20 machines are chosen from the networks of different operators, making it quite likely that there won't be enough time to take them all down by 19:00 UTC. Even if just one stays up, it will be enough for the worm.