Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Security Firm Cracks Sober Worm

By Ed Oswald, BetaNews

December 9, 2005, 10:35 AM

Finnish security firm F-Secure said on Thursday that it had cracked the Sober worm, and could now warn of what URLs it would check to update itself.

The company claims it had cracked the code back in May 2005, but chose to stay silent, only alerting German authorities where the free hosting servers that host the update files exist.

F-Secure said 99 percent of the URLs generated by Sober are currently non-existent, however all the virus writer needs to do is activate one of them in order to run programs on infected machines.

"The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly," Mikko Hyppönen, chief research officer at F-Secure, explained. "So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date."

F-Secure has posted a list of the URLs that Sober machines would check on January 5 and 6. After that, the list would change every two weeks, the firm said.

Security researchers say that blocking these URLs may provide the best defense from Sober, however computer users should be ensuring they are not already infected.

Sober was first discovered in October 2003, and since then over 20 different variants have appeared. Sober.Y has been the biggest outbreak of the year, and is responsible for 40 percent of all Sober infections. That variant will activate on January 5.

But what is the significance of January 5? Security firm iDefense recently discovered that the activation date coincides with the 87th anniversary of the Nazi Party. Some sober variants have been known to distribute Nazi propaganda as part of their payloads.

Add a Comment (3 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By netsucker

edited Apr 26, 2006 - 3:12 PM

hi.
send me source code SOBER WORM.pleaz
no itself sober worm.
source code...source code...source code
thanks.

Score: 0

By JacenSolo

posted Dec 10, 2005 - 3:07 AM

Hmm... Interesting.

Well, not really as I use Linux most of the time, but shouldn't anyone with a good virus scanner be completely safe from this?

"Security researchers say that blocking these URLs may provide the best defense from Sober,"
Sounds like a plan to me ^_^

Score: 0

By rijp

edited Dec 12, 2005 - 12:41 PM

As part of an overall strategy for combating viruses, you should never rely on a single program to defend your computer.

1 Virus Scanner (that's good, symantec doesn't count!) is a must.

Then in addition, you should have at least 2 anti-spyware programs, a couple of utilities to remove threats specifially targeted for these types of programs, like cwcleaner, and a sober cleaner. Also as a matter of practice, you should either utilize NTFS on a XP/2000 professional and encrypt the hosts file so that it cannot be changed, not even by the current admin. If you encrypt it, as a local admin, and use another account on that machine for daily routines, that would block any access to that hosts file, and it can't be changed, deleted, or modified. At least have 1 pop-up blocker, or file watcher, like MS Anti-spyware that monitors these files and registry entries to ensure your machine is not affected in some other way or modifications are not made under your nose.

THEN you can be pretty sure your machine is protected, sufficiently. There isn't a SINGLE solution, however, and anyone that claims there is a be all end all solution to spyware, viruses, and malicious code, isn't telling the truth. It takes multiple programs to protect a good machine these days... unless your data doesn't mean anything to you, then by all means, don't protect it.

Score: 0

Sep 5 - 8:44 PM ET Mozilla's Aza Raskin: The journey back to Ubiquity

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal