Security Firm Cracks Sober Worm

Finnish security firm F-Secure said on Thursday that it had cracked the Sober worm, and could now warn of what URLs it would check to update itself.

The company claims it had cracked the code back in May 2005, but chose to stay silent, only alerting German authorities where the free hosting servers that host the update files exist.

F-Secure said 99 percent of the URLs generated by Sober are currently non-existent, however all the virus writer needs to do is activate one of them in order to run programs on infected machines.

"The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly," Mikko Hyppönen, chief research officer at F-Secure, explained. "So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date."

F-Secure has posted a list of the URLs that Sober machines would check on January 5 and 6. After that, the list would change every two weeks, the firm said.

Security researchers say that blocking these URLs may provide the best defense from Sober, however computer users should be ensuring they are not already infected.

Sober was first discovered in October 2003, and since then over 20 different variants have appeared. Sober.Y has been the biggest outbreak of the year, and is responsible for 40 percent of all Sober infections. That variant will activate on January 5.

But what is the significance of January 5? Security firm iDefense recently discovered that the activation date coincides with the 87th anniversary of the Nazi Party. Some sober variants have been known to distribute Nazi propaganda as part of their payloads.