Sober code cracked

Anti-virus firms have cracked the algorithm that the Sober worm uses to 'communicate' with its author.

The latest variant of the Sober worm caused havoc in November by duping users into executing it, masquerading as e-mails from the FBI and CIA. Anti-virus companies were aware that the worm somehow 'knew' how to update itself via the Web. The worm's author programmed this functionality in order to control infected machines and, if required, change their behaviour.

On Thursday, Finnish anti-virus firm F-Secure revealed that it had cracked the algorithm used by the worm and could now calculate the exact URLs the worm would check on a particular day.

Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author had not used a constant URL because authorities would easily be able to block it.

"Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist ... however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen wrote in his blog.

According to F-Secure's calculations, on 5 January 2006, all computers infected with the latest variant of Sober will look for an updated file located in a list of domains, including:

  • http://people.freenet.de/gixcihnm/
  • http://scifi.pages.at/agzytvfbybn/
  • http://home.pages.at/bdalczxpctcb/
  • http://free.pages.at/ftvuefbumebug/
  • http://home.arcor.de/ijdsqkkxuwp/

Hyppönen advised administrators to ensure any infected PCs can't upgrade automatically by blocking access to the domains.
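The mechanism Hyppönen describes, worked through as an added example (this is not F-Secure's code and not the worm's): a date-seeded generator produces one pseudorandom directory name per free-hosting domain, the author precomputes the same list and registers just one of the paths, and a defender who knows the algorithm enumerates the URLs for a window of dates ahead of time and turns them into an exact-match deny list. The generator here (SHA-256 over date and host, mapped onto a-z) is an assumption for illustration only; the article does not describe Sober's real algorithm. The hosting domains are the ones the article lists; the blocking window, the choice of which host the author registers, and the sample proxy requests are constructed.

```python
import hashlib
import string
from datetime import date, timedelta

# Free web-hosting domains the worm polls, taken from the article. The host part is
# fixed; only the pseudorandom directory name changes with the date.
HOSTS = (
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
)

UPDATE_DAY = date(2006, 1, 5)     # the date F-Secure's calculation refers to
WINDOW_START = date(2006, 1, 1)   # assumed blocking window for the defender
WINDOW_DAYS = 30


def pseudorandom_path(day, host, min_len=8, max_len=13):
    """Date-seeded directory name for one host.

    Stand-in generator (SHA-256 over date||host, mapped onto a-z). This is an
    assumption for illustration and NOT Sober's real algorithm, which the
    article does not describe.
    """
    digest = hashlib.sha256(f"{day.isoformat()}|{host}".encode()).digest()
    length = min_len + digest[0] % (max_len - min_len + 1)
    return "".join(string.ascii_lowercase[b % 26] for b in digest[1:1 + length])


def urls_for_day(day):
    """All URLs an infected machine would poll on `day`, one per hosting domain."""
    return [f"http://{host}/{pseudorandom_path(day, host)}/" for host in HOSTS]


def author_update_url(day):
    """Attacker side: the author runs the same generator and registers one of
    the day's paths. Assumption: the first host in the list is used."""
    return urls_for_day(day)[0]


def precompute_blocklist(start, days):
    """Defender side: once the algorithm is known, enumerate the URLs for a whole
    window of dates in advance and push them to the proxy as a deny list."""
    return {
        url
        for n in range(days)
        for url in urls_for_day(start + timedelta(days=n))
    }


def filter_requests(requests, blocked):
    """Proxy rule: deny exact URL matches, allow everything else, so other users
    of the same free hosting service are untouched."""
    result = {"allowed": [], "denied": []}
    for url in requests:
        result["denied" if url in blocked else "allowed"].append(url)
    return result


# Constructed outbound requests from one machine on the update day (not real logs).
SAMPLE_REQUESTS = [
    author_update_url(UPDATE_DAY),                # the one URL the author registered
    "http://home.pages.at/~someuser/photos/",     # unrelated user of the same free host
    urls_for_day(date(2006, 1, 4))[2],            # yesterday's dead candidate, still denied
]


def demo():
    """Apply the precomputed window to the sample requests."""
    blocked = precompute_blocklist(WINDOW_START, WINDOW_DAYS)
    return filter_requests(SAMPLE_REQUESTS, blocked)


if __name__ == "__main__":
    print("URLs polled on", UPDATE_DAY)
    for url in urls_for_day(UPDATE_DAY):
        print("  ", url)
    print(demo())
```

Two points the code makes concrete: the deny list is keyed on the full URL, not the hosting domain, because the domains are legitimate free-hosting services with many innocent users; and the whole scheme rests on the generator staying secret from defenders, so once it is published the author's only move is to ship a new variant with a new generator, which is exactly what the worm's update channel exists to do.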

Adam Biviano, premium services manager at Trend Micro, told ZDNet Australia that blocking the URLs could be beneficial, but that the safest bet would be to ensure PCs are not infected in the first place.

"Blocking those URLs is not a bad idea but administrators need to make sure their machines are not infected in the first place," said Biviano.


Talkback 5 comments

    Well thought Serious -- 09/12/05 (in reply to #120124787)

    However, I'm surprised by the very limited number of hosts. This is suspicious... and all in Germany or Austria. I think there is more to discover. Hmm...

    So, now you've forced an earlier update... Anonymous -- 09/12/05

    Well, this wasn't the smartest idea. Cracking the code was great - letting them know it was cracked wasn't so smart.

    If you had kept it secret, you could have blocked the update in the day in question, and perhaps even caught the perpetrator in action. But now that they know...

    They'll be forced to update earlier, with a new version of the code that will allow for a new set of URLs to be used on their target date. There is no way they'd be unaware of this news...

    "They'll be forced to update earlier, with a new version of the code..." Anonymous -- 10/12/05 (in reply to #120124790)

    And if they were somehow foolish enough not to think of updating it to start using a new set of URLs, you might just have hinted them off to that if they saw your comment
    Good old irony ;P

    Sober URL update Anonymous -- 10/12/05

    Well duh! Just handle this by blocking the registration of the domain names.

    Well Duh to you... Damon -- 13/12/05

    Most of the domain names that the virus uses are legitimate ones... The virus writer isn't going to spend cash on registering domain names.

    It's just that the listed domains allow semi-anonymous account creation for public web space. Blocking the creation of the domain names would be after the fact, and if you wanted to somehow "ban" the existing domain names, you run the risk of banning legitimate users of such services...
