RSSSecurity Firm Cracks Sober Worm
By Ed Oswald | Published December 9, 2005, 10:35 AM
Finnish security firm F-Secure said on Thursday that it had cracked the Sober worm, and could now warn of what URLs it would check to update itself.
The company claims it had cracked the code back in May 2005, but chose to stay silent, only alerting German authorities where the free hosting servers that host the update files exist.
F-Secure said 99 percent of the URLs generated by Sober are currently non-existent, however all the virus writer needs to do is activate one of them in order to run programs on infected machines.
"The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly," Mikko Hyppönen, chief research officer at F-Secure, explained. "So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date."
F-Secure has posted a list of the URLs that Sober machines would check on January 5 and 6. After that, the list would change every two weeks, the firm said.
Security researchers say that blocking these URLs may provide the best defense from Sober, however computer users should be ensuring they are not already infected.
Sober was first discovered in October 2003, and since then over 20 different variants have appeared. Sober.Y has been the biggest outbreak of the year, and is responsible for 40 percent of all Sober infections. That variant will activate on January 5.
But what is the significance of January 5? Security firm iDefense recently discovered that the activation date coincides with the 87th anniversary of the Nazi Party. Some sober variants have been known to distribute Nazi propaganda as part of their payloads.
Hmm... Interesting.
Well, not really as I use Linux most of the time, but shouldn't anyone with a good virus scanner be completely safe from this?
"Security researchers say that blocking these URLs may provide the best defense from Sober,"
Sounds like a plan to me ^_^
Score: 0
As part of an overall strategy for combating viruses, you should never rely on a single program to defend your computer.
1 Virus Scanner (that's good, symantec doesn't count!) is a must.
Then in addition, you should have at least 2 anti-spyware programs, a couple of utilities to remove threats specifially targeted for these types of programs, like cwcleaner, and a sober cleaner. Also as a matter of practice, you should either utilize NTFS on a XP/2000 professional and encrypt the hosts file so that it cannot be changed, not even by the current admin. If you encrypt it, as a local admin, and use another account on that machine for daily routines, that would block any access to that hosts file, and it can't be changed, deleted, or modified. At least have 1 pop-up blocker, or file watcher, like MS Anti-spyware that monitors these files and registry entries to ensure your machine is not affected in some other way or modifications are not made under your nose.
THEN you can be pretty sure your machine is protected, sufficiently. There isn't a SINGLE solution, however, and anyone that claims there is a be all end all solution to spyware, viruses, and malicious code, isn't telling the truth. It takes multiple programs to protect a good machine these days... unless your data doesn't mean anything to you, then by all means, don't protect it.
Score: 0