Sober Worm Algorithm Cracked
F-Secure, a Finnish security company, has been able to crack the code the Sober worm was using to update infected machines with new variants.
Here’s how the worm works:
– a computer is infected with the worm.
– on a certain date the infected computer tries to “phone home” to receive new code from the worm creator.
– all infected computers able to reach the proper web address are infected with an updated variant of the worm.
Mikko Hyppönen, Chief Researcher at F-Secure described it this way:
“Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don’t exist … however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It’s run globally on hundreds of thousands of machines.”
If the security experts could determine the web address the worm was looking for, it could be blocked and the worm would be deprived of new code. The problem is that virus and worm creators are a devious and crafty bunch, and they don’t make it easy to deconstruct what they’re doing. Not crafty enough for F-Secure, evidently.
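To make the defender's side of this concrete, here is an added example (not F-Secure's analysis and not Sober's real algorithm) of a toy date-seeded hostname generator and the blocklist precomputation that becomes possible once the algorithm and its seed are recovered. The seed, the per-day host count and the placeholder domains are all assumptions made up for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical seed and parameters for the toy generator. These are NOT Sober's
# real constants; they only stand in for the secrets a worm variant embeds.
SEED = b"hypothetical-worm-seed"
HOSTS_PER_DAY = 4
DOMAINS = ("example.net", "example.org")   # reserved placeholder domains


def candidate_hosts(day: date, seed: bytes = SEED) -> list[str]:
    """Derive the day's pseudorandom hostnames from the date alone.

    Anyone holding the algorithm and seed (the author, or an analyst who
    recovered them) gets exactly the same list for the same date, which is
    what lets the author register one name ahead of time and the defender
    block it ahead of time.
    """
    hosts = []
    for i in range(HOSTS_PER_DAY):
        material = seed + day.isoformat().encode() + bytes([i])
        label = hashlib.sha256(material).hexdigest()[:12]
        hosts.append(f"{label}.{DOMAINS[i % len(DOMAINS)]}")
    return hosts


def precompute_blocklist(start: date, days: int) -> set[str]:
    """Defender side: enumerate every host the worm could contact in a window,
    so the names can be sinkholed or denied in DNS before the activation date."""
    return {
        host
        for offset in range(days)
        for host in candidate_hosts(start + timedelta(days=offset))
    }


def is_update_host(hostname: str, blocklist: set[str]) -> bool:
    """Resolver or proxy check: does a queried name match a precomputed host?"""
    return hostname.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    activation = date(2006, 1, 5)   # January 5th as in the post; year assumed
    window = precompute_blocklist(activation - timedelta(days=7), 30)
    for host in candidate_hosts(activation):
        print(host, "blocked" if is_update_host(host, window) else "allowed")
```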
Just to get an idea of how wonderful these worm creators are, here’s a quote from F-Secure’s blog:
Last thing: Several earlier Sober variants (most notably Sober.Q) have been sending out Neo-Nazi propaganda messages. According to iDefense, the activation date of January 5th is an anniversary date for the Nazi party.
Great. Neo-Nazi worm authors. What did Indiana Jones have to say on the subject? “Nazis. I hate these guys.”