Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

Secrets of the Sober worm

p2p news / p2pnet: Finland’s F-Secure says it’s found out how the Sober worm, which has been, and still is, causing so much trouble, communicates with its creator. Last month, for example, the FBI warned the Sober ‘questionnaire’ worm was once again on the loose.

How does it manage to survive and prosper? Its author is keenly aware that if he uses a single, constant address in the virus body, it’ll be quickly blocked, says research director Mikko Hyppönen on the company’s blog. So, "instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date," he says.

"These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don’t exist. However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It’s run globally in hundreds of thousands of machines."

The first variant was found in October 2003 but since then, F-Secure has found more than 20 others, says Hyppönen.

"Most of these variants contain a routine that activates the virus at a later date," he states. "After this the virus will try to periodically download and run a file from several websites. This is the way most new Sober variants are distributed: the author uploads a new version and all the infected machines will suddenly get infected with the new variant."

Sober.Y was the biggest email outbreak of the year and is still behind some 40% of all infections, says Hyppönen.

It’s set to activate on January 5th, 2006, after which all infected systems will try to download and run a file from a website, "forever," he says, going on:

"The virus even synchronizes the machines via atom clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect."

The Sober virus author can precalculate the URLs and, "We wanted to be able to do the same thing," says the blog. "So we cracked the algorithm. This enabled us to calculate the download URLs for any future date."

F-Secure had Sober figured out by May, around the time it was promising free tickets to the soccer world championships, and had passed the information on to the German police as well as affected ISPs. "But we didn’t want to talk about it publicly then – we didn’t want to fill in the virus writer on this," Hyppönen goes on.

"But he must know this by now."

The F-Secure post goes on to list the pseudo-random download sites Sober.Y will start using on January 5th, shown below.

"We’re leaving out the filename of the actual executable, but this should be a good enough list of addresses you might want to block at your corporate firewall, if you’re a system administrator," states Hyppönen.

  • http://people.freenet.de/gixcihnm/
  • http://people.freenet.de/tobtrfjabzw/
  • http://people.freenet.de/utzmfucaau/
  • http://people.freenet.de/phyibrpkcpl/
  • http://people.freenet.de/lhxrdryo/
  • http://people.freenet.de/yediykdq/
  • http://people.freenet.de/bjjhdkybpyaj/
  • http://scifi.pages.at/agzytvfbybn/
  • http://home.pages.at/bdalczxpctcb/
  • http://free.pages.at/ftvuefbumebug/
  • http://home.arcor.de/ijdsqkkxuwp/
  • http://home.arcor.de/ldhdytdu/
  • http://home.arcor.de/wdqodvdhwwese/
  • http://home.arcor.de/frweemrecuvw/
  • http://home.arcor.de/nulmjznomnt/

None of these URLs exist, says F-Secure, but if they’re to be used, "the virus writer will register them just before the activation".

However, "the list will change every 14 days" and the first change will appear on January 6 when the list becomes:

  • http://people.freenet.de/mookflolfctm/
  • http://people.freenet.de/aohobygi/
  • http://people.freenet.de/wlpgskmv/
  • http://people.freenet.de/svclxatmlhavj/
  • http://people.freenet.de/jpjpoptwql/
  • http://people.freenet.de/iohgdhkzfhdzo/
  • http://people.freenet.de/eetbuviaebe/
  • http://scifi.pages.at/vvvjkhmbgnbbw/
  • http://home.pages.at/twfofrfzlugq/
  • http://free.pages.at/sfhfksjzsfu/
  • http://home.arcor.de/qlqqlbojvii/
  • http://home.arcor.de/fulmxct/
  • http://home.arcor.de/fowclxccdxn/
  • http://home.arcor.de/lnzzlnbk/
  • http://home.arcor.de/rprpgbnrppb/
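F-Secure published the two lists above as directory prefixes (the executable filename is left out), and said the list rotates every 14 days. The following is an added example, not F-Secure's tool and not the worm's URL algorithm: it matches proxy log entries against the lists quoted on this page, picks the list in force for the log entry's date, and treats each entry as a prefix so that any file under the listed directory is flagged. The log format and log lines are constructed for the example; the assumption that the first list applies on January 5th only and the second for the 14 days from January 6th is taken from the article's wording.

```python
"""Match proxy log entries against the Sober.Y download-site lists quoted
on this page.  Added example code; it is not F-Secure's tool and does not
implement the worm's URL generator.  Log lines below are constructed."""
from datetime import date, timedelta
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Directory prefixes as published (filename omitted by F-Secure).
LIST_JAN_5 = [
    "http://people.freenet.de/gixcihnm/", "http://people.freenet.de/tobtrfjabzw/",
    "http://people.freenet.de/utzmfucaau/", "http://people.freenet.de/phyibrpkcpl/",
    "http://people.freenet.de/lhxrdryo/", "http://people.freenet.de/yediykdq/",
    "http://people.freenet.de/bjjhdkybpyaj/", "http://scifi.pages.at/agzytvfbybn/",
    "http://home.pages.at/bdalczxpctcb/", "http://free.pages.at/ftvuefbumebug/",
    "http://home.arcor.de/ijdsqkkxuwp/", "http://home.arcor.de/ldhdytdu/",
    "http://home.arcor.de/wdqodvdhwwese/", "http://home.arcor.de/frweemrecuvw/",
    "http://home.arcor.de/nulmjznomnt/",
]
LIST_FROM_JAN_6 = [
    "http://people.freenet.de/mookflolfctm/", "http://people.freenet.de/aohobygi/",
    "http://people.freenet.de/wlpgskmv/", "http://people.freenet.de/svclxatmlhavj/",
    "http://people.freenet.de/jpjpoptwql/", "http://people.freenet.de/iohgdhkzfhdzo/",
    "http://people.freenet.de/eetbuviaebe/", "http://scifi.pages.at/vvvjkhmbgnbbw/",
    "http://home.pages.at/twfofrfzlugq/", "http://free.pages.at/sfhfksjzsfu/",
    "http://home.arcor.de/qlqqlbojvii/", "http://home.arcor.de/fulmxct/",
    "http://home.arcor.de/fowclxccdxn/", "http://home.arcor.de/lnzzlnbk/",
    "http://home.arcor.de/rprpgbnrppb/",
]
ROTATION_DAYS = 14  # "the list will change every 14 days"


def blocklist_for(day_iso: str) -> Optional[List[str]]:
    """List in force on an ISO date, or None where the page gives no list.
    Assumption: first list on 2006-01-05 only, second from 2006-01-06 for
    one 14-day period; later lists are not on the page."""
    day = date.fromisoformat(day_iso)
    if day == date(2006, 1, 5):
        return LIST_JAN_5
    start = date(2006, 1, 6)
    if start <= day < start + timedelta(days=ROTATION_DAYS):
        return LIST_FROM_JAN_6
    return None


def normalize(url: str) -> str:
    """Lower-case host plus path; scheme, port and case are not significant."""
    parts = urlsplit(url)
    return (parts.hostname or "") + (parts.path or "/")


def matches_blocklist(url: str, blocklist: List[str]) -> Optional[str]:
    """Return the listed prefix the URL falls under (directory itself or any
    file beneath it), else None."""
    n = normalize(url)
    for entry in blocklist:
        prefix = normalize(entry)
        if n == prefix.rstrip("/") or n.startswith(prefix):
            return entry
    return None


# Constructed log lines: date time client method url status
SAMPLE_LOG = """\
2006-01-05 09:12:01 10.0.0.5 GET http://PEOPLE.freenet.de/gixcihnm/update.exe 404
2006-01-05 09:12:02 10.0.0.7 GET http://home.arcor.de/ijdsqkkxuwp 404
2006-01-05 10:00:00 10.0.0.9 GET http://home.arcor.de/someone-else/page.html 200
2006-01-06 00:01:00 10.0.0.5 GET http://home.pages.at/twfofrfzlugq/update.exe 404
2006-01-06 00:01:30 10.0.0.5 GET http://people.freenet.de/gixcihnm/update.exe 404
"""


def scan_log(log_text: str, use_rotation: bool = True) -> List[Tuple[str, str, str, str]]:
    """Return (date, client, url, matched_prefix) for each flagged request.
    With use_rotation=False both published lists are checked regardless of date."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day_iso, _t, client, _m, url, _status = line.split()
        blocklist = blocklist_for(day_iso) if use_rotation else LIST_JAN_5 + LIST_FROM_JAN_6
        if not blocklist:
            continue
        entry = matches_blocklist(url, blocklist)
        if entry:
            hits.append((day_iso, client, url, entry))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("SOBER download-site hit:", *hit)
```

With rotation on, the Jan 6 request to a Jan 5 address is not flagged; an administrator blocking at the firewall would more sensibly keep every published list in the rule set (`use_rotation=False`), since a machine whose clock drifts may use the previous list, and nothing is lost by blocking addresses F-Secure says do not exist.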

By way of a PS, "Several earlier Sober variants (most notably Sober.Q) have been sending out neonazi propaganda messages," adds F-Secure.

"According to iDefense, the activation date of January 5th is an anniversary date for the nazi party."

Also read:
  • Return of FBI ‘questions’ worm, November 24, 2005
  • How Sober activates, December 8, 2005
  • Return of the Sober worm, May 4, 2005


2 Responses to “Secrets of the Sober worm”

  1. Reader's Write Says:

    So why doesn’t someone like F-Secure register those domains so the virus writer can’t use them? It’s free webhosting, isn’t it?

  2. Reader's Write Says:

    So let’s get this straight – the virus is set to update itself from a known website at a known time? Okay, so persuade those free web hosters to “hand over” those addresses at that time (it’s not like they mean anything) and seed the location, not with a new virus, but with an inoculation routine that actually kills the virus. The antivirus company that pulls this off would get KUDOS with a capital “K”.


    Andy
    Who can’t believe that he’s the first person to think of this…
